Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11/05/2024, 21:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe
-
Size
64KB
-
MD5
3c10a158c5740756961baa5a4dc8b0e0
-
SHA1
b5f47d59dc266573a64446f99020c6c69022990d
-
SHA256
8c9cf614af56d0dbeb760d44405a6418d65d0dc2ea10c9a5302d5df853fc0bac
-
SHA512
0ab7f15fc9ed79813fe2aeee45efb13cd936edca168147cea2957ea3fe65d4e7518b7ca3d6791b47a24817b965808ae1685444a163b57d74c2e2c6a5eea24178
-
SSDEEP
1536:6UQtuJUKF2FQ3mIj1HgaoCx4kJUXruCHcpzt/Idn:2tuNr37xzoGtpFwn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpiqmlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdnbbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inbnhihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gekfnoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfidjbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkigoimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdnbbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkkbjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldokfakl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opialpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdhgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npaich32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kncaojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhknaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdkmeiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnchhllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjdhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfoin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkdffoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnhgha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emifeqid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdekgjno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhjdiap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoldlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnimiblo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gagkjbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlfnangf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcginj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mblbnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpbmkan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebqngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjhki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqfkln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eacljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekfpmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmdnfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfjkdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoiio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alihaioe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfqmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hboddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcofio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khadpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llmmpcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfigck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpciaef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeqopcld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhnjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddimn32.exe -
Executes dropped EXE 64 IoCs
pid Process 2908 Fbpbpkpj.exe 2472 Foccjood.exe 2468 Fdbhge32.exe 2448 Gnkmqkbi.exe 2408 Gfhnjm32.exe 2164 Giiglhjb.exe 1200 Hfpdkl32.exe 2312 Hfbaql32.exe 2348 Hjdfjo32.exe 1952 Heikgh32.exe 1708 Ijklknbn.exe 804 Ibhndp32.exe 828 Ilcoce32.exe 2076 Jbpdeogo.exe 524 Jdcmbgkj.exe 2240 Jhafhe32.exe 2928 Jdhgnf32.exe 484 Kpadhg32.exe 1108 Kcamjb32.exe 1088 Kcdjoaee.exe 1748 Lnpgeopa.exe 2188 Lqncaj32.exe 1916 Lneaqn32.exe 1372 Lcaiiejc.exe 2860 Ljnnko32.exe 2912 Lbicoamh.exe 2580 Mfglep32.exe 2104 Mpopnejo.exe 2532 Mlfacfpc.exe 2380 Njpgpbpf.exe 2020 Nfghdcfj.exe 1628 Nallalep.exe 1820 Nfidjbdg.exe 2816 Npaich32.exe 1580 Nijnln32.exe 1676 Npdfhhhe.exe 1948 Neqnqofm.exe 1668 Okpcoe32.exe 936 Odhhgkib.exe 592 Ohfqmi32.exe 2144 Opaebkmc.exe 2888 Omefkplm.exe 1960 Pcbncfjd.exe 1608 Pdakniag.exe 792 Pcghof32.exe 1872 Ppkhhjei.exe 2208 Popeif32.exe 2060 Pdmnam32.exe 2904 Qaqnkafa.exe 3012 Qqfkln32.exe 2512 Anjlebjc.exe 2600 Aknlofim.exe 2500 Aciqcifh.exe 2436 Aopahjll.exe 956 Ajeeeblb.exe 1648 Aijbfo32.exe 640 Bcpgdhpp.exe 2616 Bofgii32.exe 2336 Biolanld.exe 540 Bgdibkam.exe 2152 Bckjhl32.exe 876 Bejfao32.exe 2224 Cmfkfa32.exe 2156 Cfnoogbo.exe -
Loads dropped DLL 64 IoCs
pid Process 2772 3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe 2772 3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe 2908 Fbpbpkpj.exe 2908 Fbpbpkpj.exe 2472 Foccjood.exe 2472 Foccjood.exe 2468 Fdbhge32.exe 2468 Fdbhge32.exe 2448 Gnkmqkbi.exe 2448 Gnkmqkbi.exe 2408 Gfhnjm32.exe 2408 Gfhnjm32.exe 2164 Giiglhjb.exe 2164 Giiglhjb.exe 1200 Hfpdkl32.exe 1200 Hfpdkl32.exe 2312 Hfbaql32.exe 2312 Hfbaql32.exe 2348 Hjdfjo32.exe 2348 Hjdfjo32.exe 1952 Heikgh32.exe 1952 Heikgh32.exe 1708 Ijklknbn.exe 1708 Ijklknbn.exe 804 Ibhndp32.exe 804 Ibhndp32.exe 828 Ilcoce32.exe 828 Ilcoce32.exe 2076 Jbpdeogo.exe 2076 Jbpdeogo.exe 524 Jdcmbgkj.exe 524 Jdcmbgkj.exe 2240 Jhafhe32.exe 2240 Jhafhe32.exe 2928 Jdhgnf32.exe 2928 Jdhgnf32.exe 484 Kpadhg32.exe 484 Kpadhg32.exe 1108 Kcamjb32.exe 1108 Kcamjb32.exe 1088 Kcdjoaee.exe 1088 Kcdjoaee.exe 1748 Lnpgeopa.exe 1748 Lnpgeopa.exe 2188 Lqncaj32.exe 2188 Lqncaj32.exe 1916 Lneaqn32.exe 1916 Lneaqn32.exe 1372 Lcaiiejc.exe 1372 Lcaiiejc.exe 2860 Ljnnko32.exe 2860 Ljnnko32.exe 2912 Lbicoamh.exe 2912 Lbicoamh.exe 2580 Mfglep32.exe 2580 Mfglep32.exe 2104 Mpopnejo.exe 2104 Mpopnejo.exe 2532 Mlfacfpc.exe 2532 Mlfacfpc.exe 2380 Njpgpbpf.exe 2380 Njpgpbpf.exe 2020 Nfghdcfj.exe 2020 Nfghdcfj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kcdjoaee.exe Kcamjb32.exe File opened for modification C:\Windows\SysWOW64\Cpfdhl32.exe Cfnoogbo.exe File opened for modification C:\Windows\SysWOW64\Eemnnn32.exe Emaijk32.exe File created C:\Windows\SysWOW64\Hcenjk32.dll Jeafjiop.exe File opened for modification C:\Windows\SysWOW64\Ponklpcg.exe Piabdiep.exe File opened for modification C:\Windows\SysWOW64\Nfigck32.exe Njbfnjeg.exe File created C:\Windows\SysWOW64\Dgknkf32.exe Daaenlng.exe File created C:\Windows\SysWOW64\Ngjhpb32.dll Dddimn32.exe File created C:\Windows\SysWOW64\Joidhh32.exe Jeqopcld.exe File created C:\Windows\SysWOW64\Mbbhfl32.dll Kkmmlgik.exe File created C:\Windows\SysWOW64\Jeafjiop.exe Jpdnbbah.exe File created C:\Windows\SysWOW64\Fabaocfl.exe Fhjmfnok.exe File created C:\Windows\SysWOW64\Gjjmijme.exe Gqahqd32.exe File created C:\Windows\SysWOW64\Inmmbc32.exe Iaimipjl.exe File created C:\Windows\SysWOW64\Jpefpo32.dll Qlgkki32.exe File opened for modification C:\Windows\SysWOW64\Ofqmcj32.exe Oeaqig32.exe File created C:\Windows\SysWOW64\Jcfoeb32.dll Pmhejhao.exe File opened for modification C:\Windows\SysWOW64\Bfcodkcb.exe Bknjfb32.exe File created C:\Windows\SysWOW64\Goldfelp.exe Gecpnp32.exe File opened for modification C:\Windows\SysWOW64\Hqnjek32.exe Hgeelf32.exe File created C:\Windows\SysWOW64\Ngdjmc32.dll Kadfkhkf.exe File created C:\Windows\SysWOW64\Dmgmpnhl.exe Dfmeccao.exe File opened for modification C:\Windows\SysWOW64\Bolcma32.exe Bfcodkcb.exe File created C:\Windows\SysWOW64\Ojmklbll.dll Emaijk32.exe File opened for modification C:\Windows\SysWOW64\Jeafjiop.exe Jpdnbbah.exe File created C:\Windows\SysWOW64\Bpoggldm.dll Ekfpmf32.exe File created C:\Windows\SysWOW64\Elilld32.dll Eiekpd32.exe File opened for modification C:\Windows\SysWOW64\Lbicoamh.exe Ljnnko32.exe File created C:\Windows\SysWOW64\Fcmdnfad.exe Fgfdie32.exe File created C:\Windows\SysWOW64\Cbppnbhm.exe Bfioia32.exe File created C:\Windows\SysWOW64\Hbdjcffd.exe Gfnjne32.exe File opened for modification C:\Windows\SysWOW64\Kgnkci32.exe Kijkje32.exe File created C:\Windows\SysWOW64\Aaqbpk32.dll Jjjdhc32.exe File opened for modification C:\Windows\SysWOW64\Mfglep32.exe Lbicoamh.exe File opened for modification C:\Windows\SysWOW64\Gqdefddb.exe Gjjmijme.exe File opened for modification C:\Windows\SysWOW64\Fjlmpfhg.exe Fqdiga32.exe File created C:\Windows\SysWOW64\Ippbdn32.dll Nefdpjkl.exe File created C:\Windows\SysWOW64\Kfkigdmm.dll Pjleclph.exe File opened for modification C:\Windows\SysWOW64\Cehhdkjf.exe Ccgklc32.exe File created C:\Windows\SysWOW64\Hjdfjo32.exe Hfbaql32.exe File created C:\Windows\SysWOW64\Jpccfogk.dll Heikgh32.exe File created C:\Windows\SysWOW64\Oaoplfhc.dll Bkjdndjo.exe File created C:\Windows\SysWOW64\Ocamldcp.dll Njbfnjeg.exe File created C:\Windows\SysWOW64\Ipdbellh.dll Ieponofk.exe File created C:\Windows\SysWOW64\Kdcgnide.dll Gnkmqkbi.exe File created C:\Windows\SysWOW64\Ahbakd32.dll Nallalep.exe File created C:\Windows\SysWOW64\Cpiqmlfm.exe Cpfdhl32.exe File opened for modification C:\Windows\SysWOW64\Ciihklpj.exe Cbppnbhm.exe File created C:\Windows\SysWOW64\Fflkbagk.dll Jeqopcld.exe File created C:\Windows\SysWOW64\Bcjpobko.dll Lpflkb32.exe File created C:\Windows\SysWOW64\Ppkhhjei.exe Pcghof32.exe File opened for modification C:\Windows\SysWOW64\Ppkhhjei.exe Pcghof32.exe File created C:\Windows\SysWOW64\Acfgdc32.dll Bfabnl32.exe File created C:\Windows\SysWOW64\Ipafocdg.dll Libjncnc.exe File opened for modification C:\Windows\SysWOW64\Fcmdnfad.exe Fgfdie32.exe File created C:\Windows\SysWOW64\Hegpjaac.exe Hkolakkb.exe File created C:\Windows\SysWOW64\Ciffggmh.dll Mmbmeifk.exe File opened for modification C:\Windows\SysWOW64\Npaich32.exe Nfidjbdg.exe File opened for modification C:\Windows\SysWOW64\Eacljf32.exe Eihgfd32.exe File opened for modification C:\Windows\SysWOW64\Dgiaefgg.exe Ckbpqe32.exe File created C:\Windows\SysWOW64\Omppei32.dll Lnpgeopa.exe File opened for modification C:\Windows\SysWOW64\Hnpdcf32.exe Hegpjaac.exe File opened for modification C:\Windows\SysWOW64\Jhdlad32.exe Jolghndm.exe File created C:\Windows\SysWOW64\Kdklfe32.exe Jbjpom32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5092 5068 WerFault.exe 393 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogfepif.dll" Ndfnecgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anjlebjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnbejb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflkbagk.dll" Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdiedagc.dll" Oeaqig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adipfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlfacfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehlpleg.dll" Kijkje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ponklpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Libjncnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llmmpcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nallalep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlfhkoa.dll" Okpcoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheocfji.dll" Ohfqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfoghakb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emaijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopjkjhh.dll" Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djocbqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emifeqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhjmfnok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhafhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljnnko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfidjbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcchb32.dll" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppinkcnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpqkajf.dll" Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfalqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikjhki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjdnlob.dll" Ijehdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jacfidem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjpdmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkdjglfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onlhca32.dll" Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqbnn32.dll" Fdekgjno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjmfnok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbkpe32.dll" Fbpbpkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkigdmm.dll" Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egldgl32.dll" Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqhkjacc.dll" Bfcodkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnnlocgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dafoikjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gonocmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opialpld.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2908 2772 3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe 28 PID 2772 wrote to memory of 2908 2772 3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe 28 PID 2772 wrote to memory of 2908 2772 3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe 28 PID 2772 wrote to memory of 2908 2772 3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe 28 PID 2908 wrote to memory of 2472 2908 Fbpbpkpj.exe 29 PID 2908 wrote to memory of 2472 2908 Fbpbpkpj.exe 29 PID 2908 wrote to memory of 2472 2908 Fbpbpkpj.exe 29 PID 2908 wrote to memory of 2472 2908 Fbpbpkpj.exe 29 PID 2472 wrote to memory of 2468 2472 Foccjood.exe 30 PID 2472 wrote to memory of 2468 2472 Foccjood.exe 30 PID 2472 wrote to memory of 2468 2472 Foccjood.exe 30 PID 2472 wrote to memory of 2468 2472 Foccjood.exe 30 PID 2468 wrote to memory of 2448 2468 Fdbhge32.exe 31 PID 2468 wrote to memory of 2448 2468 Fdbhge32.exe 31 PID 2468 wrote to memory of 2448 2468 Fdbhge32.exe 31 PID 2468 wrote to memory of 2448 2468 Fdbhge32.exe 31 PID 2448 wrote to memory of 2408 2448 Gnkmqkbi.exe 32 PID 2448 wrote to memory of 2408 2448 Gnkmqkbi.exe 32 PID 2448 wrote to memory of 2408 2448 Gnkmqkbi.exe 32 PID 2448 wrote to memory of 2408 2448 Gnkmqkbi.exe 32 PID 2408 wrote to memory of 2164 2408 Gfhnjm32.exe 33 PID 2408 wrote to memory of 2164 2408 Gfhnjm32.exe 33 PID 2408 wrote to memory of 2164 2408 Gfhnjm32.exe 33 PID 2408 wrote to memory of 2164 2408 Gfhnjm32.exe 33 PID 2164 wrote to memory of 1200 2164 Giiglhjb.exe 34 PID 2164 wrote to memory of 1200 2164 Giiglhjb.exe 34 PID 2164 wrote to memory of 1200 2164 Giiglhjb.exe 34 PID 2164 wrote to memory of 1200 2164 Giiglhjb.exe 34 PID 1200 wrote to memory of 2312 1200 Hfpdkl32.exe 35 PID 1200 wrote to memory of 2312 1200 Hfpdkl32.exe 35 PID 1200 wrote to memory of 2312 1200 Hfpdkl32.exe 35 PID 1200 wrote to memory of 2312 1200 Hfpdkl32.exe 35 PID 2312 wrote to memory of 2348 2312 Hfbaql32.exe 36 PID 2312 wrote to memory of 2348 2312 Hfbaql32.exe 36 PID 2312 wrote to memory of 2348 2312 Hfbaql32.exe 36 PID 2312 wrote to memory of 2348 2312 Hfbaql32.exe 36 PID 2348 wrote to memory of 1952 2348 Hjdfjo32.exe 37 PID 2348 wrote to memory of 1952 2348 Hjdfjo32.exe 37 PID 2348 wrote to memory of 1952 2348 Hjdfjo32.exe 37 PID 2348 wrote to memory of 1952 2348 Hjdfjo32.exe 37 PID 1952 wrote to memory of 1708 1952 Heikgh32.exe 38 PID 1952 wrote to memory of 1708 1952 Heikgh32.exe 38 PID 1952 wrote to memory of 1708 1952 Heikgh32.exe 38 PID 1952 wrote to memory of 1708 1952 Heikgh32.exe 38 PID 1708 wrote to memory of 804 1708 Ijklknbn.exe 39 PID 1708 wrote to memory of 804 1708 Ijklknbn.exe 39 PID 1708 wrote to memory of 804 1708 Ijklknbn.exe 39 PID 1708 wrote to memory of 804 1708 Ijklknbn.exe 39 PID 804 wrote to memory of 828 804 Ibhndp32.exe 40 PID 804 wrote to memory of 828 804 Ibhndp32.exe 40 PID 804 wrote to memory of 828 804 Ibhndp32.exe 40 PID 804 wrote to memory of 828 804 Ibhndp32.exe 40 PID 828 wrote to memory of 2076 828 Ilcoce32.exe 41 PID 828 wrote to memory of 2076 828 Ilcoce32.exe 41 PID 828 wrote to memory of 2076 828 Ilcoce32.exe 41 PID 828 wrote to memory of 2076 828 Ilcoce32.exe 41 PID 2076 wrote to memory of 524 2076 Jbpdeogo.exe 42 PID 2076 wrote to memory of 524 2076 Jbpdeogo.exe 42 PID 2076 wrote to memory of 524 2076 Jbpdeogo.exe 42 PID 2076 wrote to memory of 524 2076 Jbpdeogo.exe 42 PID 524 wrote to memory of 2240 524 Jdcmbgkj.exe 43 PID 524 wrote to memory of 2240 524 Jdcmbgkj.exe 43 PID 524 wrote to memory of 2240 524 Jdcmbgkj.exe 43 PID 524 wrote to memory of 2240 524 Jdcmbgkj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3c10a158c5740756961baa5a4dc8b0e0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:484 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe36⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe37⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe38⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe40⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe42⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe43⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe44⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe45⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe47⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe48⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe49⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe50⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe53⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe54⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe55⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe56⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe57⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe59⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe60⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe61⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe63⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe64⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe66⤵
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe68⤵PID:980
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe69⤵PID:1104
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe70⤵PID:1968
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe71⤵PID:1984
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe72⤵PID:2184
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe74⤵PID:2612
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe75⤵PID:2388
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe77⤵PID:2968
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe78⤵PID:1028
-
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe79⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe80⤵
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe82⤵PID:1756
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe83⤵PID:1932
-
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe84⤵PID:1388
-
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe85⤵PID:2248
-
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe86⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe87⤵PID:2936
-
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe88⤵PID:708
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe89⤵PID:1212
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe90⤵
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe92⤵
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe93⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe94⤵PID:2480
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe95⤵PID:2496
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe96⤵PID:2392
-
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe97⤵PID:1112
-
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe98⤵PID:1816
-
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe99⤵PID:2116
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe101⤵PID:1972
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe102⤵PID:1332
-
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe103⤵PID:2244
-
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe104⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe105⤵PID:1336
-
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe106⤵PID:900
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe107⤵PID:1760
-
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe108⤵PID:2896
-
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1596 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe110⤵PID:2868
-
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe111⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe112⤵PID:1016
-
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe114⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe115⤵PID:2672
-
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe116⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe117⤵PID:1356
-
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe118⤵
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe119⤵PID:696
-
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe121⤵PID:1164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-