Analysis
max time kernel: 148s
max time network: 118s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 14/05/2024, 11:03
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: c3fbb964e590291d368462eeb643cf30_NeikiAnalytics.exe
  Resource: win7-20240220-en
  7 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: c3fbb964e590291d368462eeb643cf30_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
  6 signatures, 150 seconds
General
Target: c3fbb964e590291d368462eeb643cf30_NeikiAnalytics.exe
Size: 96KB
MD5: c3fbb964e590291d368462eeb643cf30
SHA1: 071c251f21c380f13700951c6f9ed769f908b350
SHA256: 356e355ee6c7227abf6dbcae9dedb90758feef9a73017dd2bd600d4f7ceceb94
SHA512: be388de3f35eaa5503aa2eb72b3f4e7e94629b8e70733840a7e8589a3f94ebecaf35cf162096840465d04abec82a6cdec34eb817fb883b944ca1d5a8f8d8b8a8
SSDEEP: 1536:3uZHEluTqFmbOMz/7562L/q7RZObZUUWaegPYA:3uZmFm9HCClUUWae
Score
10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 6704, pid_target 6720, Process WerFault.exe, procid_target 690
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\c3fbb964e590291d368462eeb643cf30_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\c3fbb964e590291d368462eeb643cf30_NeikiAnalytics.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684

Level 2: C:\Windows\SysWOW64\Jkonco32.exe (command line: C:\Windows\system32\Jkonco32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324

Level 3: C:\Windows\SysWOW64\Jakfkfpc.exe (command line: C:\Windows\system32\Jakfkfpc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064

Level 4: C:\Windows\SysWOW64\Jfhocmnk.exe (command line: C:\Windows\system32\Jfhocmnk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676

Level 5: C:\Windows\SysWOW64\Jancafna.exe (command line: C:\Windows\system32\Jancafna.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2232

Level 6: C:\Windows\SysWOW64\Jfkkimlh.exe (command line: C:\Windows\system32\Jfkkimlh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2776

Level 7: C:\Windows\SysWOW64\Jiigehkl.exe (command line: C:\Windows\system32\Jiigehkl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688

Level 8: C:\Windows\SysWOW64\Kpcpbb32.exe (command line: C:\Windows\system32\Kpcpbb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916

Level 9: C:\Windows\SysWOW64\Kfmhol32.exe (command line: C:\Windows\system32\Kfmhol32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1592

Level 10: C:\Windows\SysWOW64\Kmgpkfab.exe (command line: C:\Windows\system32\Kmgpkfab.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928

Level 11: C:\Windows\SysWOW64\Kpemgbqf.exe (command line: C:\Windows\system32\Kpemgbqf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

Level 12: C:\Windows\SysWOW64\Kfoedl32.exe (command line: C:\Windows\system32\Kfoedl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644

Level 13: C:\Windows\SysWOW64\Kinaqg32.exe (command line: C:\Windows\system32\Kinaqg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616

Level 14: C:\Windows\SysWOW64\Kllmmc32.exe (command line: C:\Windows\system32\Kllmmc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500

Level 15: C:\Windows\SysWOW64\Kbfeimng.exe (command line: C:\Windows\system32\Kbfeimng.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680

Level 16: C:\Windows\SysWOW64\Kipnfged.exe (command line: C:\Windows\system32\Kipnfged.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060

Level 17: C:\Windows\SysWOW64\Klnjbbdh.exe (command line: C:\Windows\system32\Klnjbbdh.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2840

Level 18: C:\Windows\SysWOW64\Kbhbom32.exe (command line: C:\Windows\system32\Kbhbom32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:324

Level 19: C:\Windows\SysWOW64\Kakbjibo.exe (command line: C:\Windows\system32\Kakbjibo.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1488

Level 20: C:\Windows\SysWOW64\Kegnkh32.exe (command line: C:\Windows\system32\Kegnkh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3068

Level 21: C:\Windows\SysWOW64\Klqfhbbe.exe (command line: C:\Windows\system32\Klqfhbbe.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2372

Level 22: C:\Windows\SysWOW64\Kjcgco32.exe (command line: C:\Windows\system32\Kjcgco32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1148

Level 23: C:\Windows\SysWOW64\Kbkodl32.exe (command line: C:\Windows\system32\Kbkodl32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:340

Level 24: C:\Windows\SysWOW64\Keikqhhe.exe (command line: C:\Windows\system32\Keikqhhe.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:960

Level 25: C:\Windows\SysWOW64\Lhggmchi.exe (command line: C:\Windows\system32\Lhggmchi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1656

Level 26: C:\Windows\SysWOW64\Loapim32.exe (command line: C:\Windows\system32\Loapim32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2164

Level 27: C:\Windows\SysWOW64\Ldnhad32.exe (command line: C:\Windows\system32\Ldnhad32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2992

Level 28: C:\Windows\SysWOW64\Lfmdnp32.exe (command line: C:\Windows\system32\Lfmdnp32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1616

Level 29: C:\Windows\SysWOW64\Lodlom32.exe (command line: C:\Windows\system32\Lodlom32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2964

Level 30: C:\Windows\SysWOW64\Lpeifeca.exe (command line: C:\Windows\system32\Lpeifeca.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2664

Level 31: C:\Windows\SysWOW64\Lhlqhb32.exe (command line: C:\Windows\system32\Lhlqhb32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2696

Level 32: C:\Windows\SysWOW64\Limmokib.exe (command line: C:\Windows\system32\Limmokib.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2596

Level 33: C:\Windows\SysWOW64\Lmiipi32.exe (command line: C:\Windows\system32\Lmiipi32.exe)
- Executes dropped EXE
PID:892

Level 34: C:\Windows\SysWOW64\Lpgele32.exe (command line: C:\Windows\system32\Lpgele32.exe)
- Executes dropped EXE
PID:2476

Level 35: C:\Windows\SysWOW64\Lbfahp32.exe (command line: C:\Windows\system32\Lbfahp32.exe)
- Executes dropped EXE
PID:1784

Level 36: C:\Windows\SysWOW64\Lipjejgp.exe (command line: C:\Windows\system32\Lipjejgp.exe)
- Executes dropped EXE
- Modifies registry class
PID:2908

Level 37: C:\Windows\SysWOW64\Llnfaffc.exe (command line: C:\Windows\system32\Llnfaffc.exe)
- Executes dropped EXE
PID:2632

Level 38: C:\Windows\SysWOW64\Lchnnp32.exe (command line: C:\Windows\system32\Lchnnp32.exe)
- Executes dropped EXE
PID:2932

Level 39: C:\Windows\SysWOW64\Lgdjnofi.exe (command line: C:\Windows\system32\Lgdjnofi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460

Level 40: C:\Windows\SysWOW64\Lefkjkmc.exe (command line: C:\Windows\system32\Lefkjkmc.exe)
- Executes dropped EXE
PID:2752

Level 41: C:\Windows\SysWOW64\Llqcfe32.exe (command line: C:\Windows\system32\Llqcfe32.exe)
- Executes dropped EXE
PID:1640

Level 42: C:\Windows\SysWOW64\Loooca32.exe (command line: C:\Windows\system32\Loooca32.exe)
- Executes dropped EXE
PID:1556

Level 43: C:\Windows\SysWOW64\Mgfgdn32.exe (command line: C:\Windows\system32\Mgfgdn32.exe)
- Executes dropped EXE
PID:1736

Level 44: C:\Windows\SysWOW64\Mhgclfje.exe (command line: C:\Windows\system32\Mhgclfje.exe)
- Executes dropped EXE
PID:384

Level 45: C:\Windows\SysWOW64\Mlcple32.exe (command line: C:\Windows\system32\Mlcple32.exe)
- Executes dropped EXE
PID:2380

Level 46: C:\Windows\SysWOW64\Moalhq32.exe (command line: C:\Windows\system32\Moalhq32.exe)
- Executes dropped EXE
PID:1140

Level 47: C:\Windows\SysWOW64\Mcmhiojk.exe (command line: C:\Windows\system32\Mcmhiojk.exe)
- Executes dropped EXE
PID:584

Level 48: C:\Windows\SysWOW64\Mekdekin.exe (command line: C:\Windows\system32\Mekdekin.exe)
- Executes dropped EXE
PID:1552

Level 49: C:\Windows\SysWOW64\Mhjpaf32.exe (command line: C:\Windows\system32\Mhjpaf32.exe)
- Executes dropped EXE
PID:1880

Level 50: C:\Windows\SysWOW64\Mlelaeqk.exe (command line: C:\Windows\system32\Mlelaeqk.exe)
- Executes dropped EXE
PID:3004

Level 51: C:\Windows\SysWOW64\Mkhmma32.exe (command line: C:\Windows\system32\Mkhmma32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:896

Level 52: C:\Windows\SysWOW64\Mochnppo.exe (command line: C:\Windows\system32\Mochnppo.exe)
- Executes dropped EXE
PID:888

Level 53: C:\Windows\SysWOW64\Mcodno32.exe (command line: C:\Windows\system32\Mcodno32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2180

Level 54: C:\Windows\SysWOW64\Mabejlob.exe (command line: C:\Windows\system32\Mabejlob.exe)
- Executes dropped EXE
PID:1584

Level 55: C:\Windows\SysWOW64\Mdqafgnf.exe (command line: C:\Windows\system32\Mdqafgnf.exe)
- Executes dropped EXE
PID:3020

Level 56: C:\Windows\SysWOW64\Mhlmgf32.exe (command line: C:\Windows\system32\Mhlmgf32.exe)
- Executes dropped EXE
PID:2728

Level 57: C:\Windows\SysWOW64\Mlgigdoh.exe (command line: C:\Windows\system32\Mlgigdoh.exe)
- Executes dropped EXE
- Modifies registry class
PID:2572

Level 58: C:\Windows\SysWOW64\Mofecpnl.exe (command line: C:\Windows\system32\Mofecpnl.exe)
- Executes dropped EXE
PID:824

Level 59: C:\Windows\SysWOW64\Madapkmp.exe (command line: C:\Windows\system32\Madapkmp.exe)
- Executes dropped EXE
PID:776

Level 60: C:\Windows\SysWOW64\Mepnpj32.exe (command line: C:\Windows\system32\Mepnpj32.exe)
- Executes dropped EXE
PID:1820

Level 61: C:\Windows\SysWOW64\Mdcnlglc.exe (command line: C:\Windows\system32\Mdcnlglc.exe)
- Executes dropped EXE
PID:1436

Level 62: C:\Windows\SysWOW64\Mgajhbkg.exe (command line: C:\Windows\system32\Mgajhbkg.exe)
- Executes dropped EXE
PID:2952

Level 63: C:\Windows\SysWOW64\Mkmfhacp.exe (command line: C:\Windows\system32\Mkmfhacp.exe)
- Executes dropped EXE
PID:2636

Level 64: C:\Windows\SysWOW64\Mohbip32.exe (command line: C:\Windows\system32\Mohbip32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2228

Level 65: C:\Windows\SysWOW64\Magnek32.exe (command line: C:\Windows\system32\Magnek32.exe)
- Executes dropped EXE
PID:2768

Level 66: C:\Windows\SysWOW64\Mdejaf32.exe (command line: C:\Windows\system32\Mdejaf32.exe)
PID:684

Level 67: C:\Windows\SysWOW64\Mgcgmb32.exe (command line: C:\Windows\system32\Mgcgmb32.exe)
PID:1536

Level 68: C:\Windows\SysWOW64\Mkobnqan.exe (command line: C:\Windows\system32\Mkobnqan.exe)
PID:2368

Level 69: C:\Windows\SysWOW64\Nnnojlpa.exe (command line: C:\Windows\system32\Nnnojlpa.exe)
PID:2248

Level 70: C:\Windows\SysWOW64\Naikkk32.exe (command line: C:\Windows\system32\Naikkk32.exe)
PID:1504

Level 71: C:\Windows\SysWOW64\Nplkfgoe.exe (command line: C:\Windows\system32\Nplkfgoe.exe)
PID:1520

Level 72: C:\Windows\SysWOW64\Nkaocp32.exe (command line: C:\Windows\system32\Nkaocp32.exe)
- Drops file in System32 directory
PID:1904

Level 73: C:\Windows\SysWOW64\Nlblkhei.exe (command line: C:\Windows\system32\Nlblkhei.exe)
PID:452

Level 74: C:\Windows\SysWOW64\Nghphaeo.exe (command line: C:\Windows\system32\Nghphaeo.exe)
PID:2504

Level 75: C:\Windows\SysWOW64\Nnbhek32.exe (command line: C:\Windows\system32\Nnbhek32.exe)
PID:2820

Level 76: C:\Windows\SysWOW64\Nqqdag32.exe (command line: C:\Windows\system32\Nqqdag32.exe)
PID:2452

Level 77: C:\Windows\SysWOW64\Ngkmnacm.exe (command line: C:\Windows\system32\Ngkmnacm.exe)
PID:2968

Level 78: C:\Windows\SysWOW64\Nfmmin32.exe (command line: C:\Windows\system32\Nfmmin32.exe)
PID:2800

Level 79: C:\Windows\SysWOW64\Nqcagfim.exe (command line: C:\Windows\system32\Nqcagfim.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:308

Level 80: C:\Windows\SysWOW64\Nbdnoo32.exe (command line: C:\Windows\system32\Nbdnoo32.exe)
PID:2652

Level 81: C:\Windows\SysWOW64\Nmjblg32.exe (command line: C:\Windows\system32\Nmjblg32.exe)
PID:1948

Level 82: C:\Windows\SysWOW64\Nkmbgdfl.exe (command line: C:\Windows\system32\Nkmbgdfl.exe)
PID:1168

Level 83: C:\Windows\SysWOW64\Nccjhafn.exe (command line: C:\Windows\system32\Nccjhafn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300

Level 84: C:\Windows\SysWOW64\Ofbfdmeb.exe (command line: C:\Windows\system32\Ofbfdmeb.exe)
PID:764

Level 85: C:\Windows\SysWOW64\Omloag32.exe (command line: C:\Windows\system32\Omloag32.exe)
PID:2092

Level 86: C:\Windows\SysWOW64\Okoomd32.exe (command line: C:\Windows\system32\Okoomd32.exe)
PID:1512

Level 87: C:\Windows\SysWOW64\Oojknblb.exe (command line: C:\Windows\system32\Oojknblb.exe)
- Modifies registry class
PID:3024

Level 88: C:\Windows\SysWOW64\Obigjnkf.exe (command line: C:\Windows\system32\Obigjnkf.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1316

Level 89: C:\Windows\SysWOW64\Oicpfh32.exe (command line: C:\Windows\system32\Oicpfh32.exe)
- Modifies registry class
PID:2528

Level 90: C:\Windows\SysWOW64\Ogfpbeim.exe (command line: C:\Windows\system32\Ogfpbeim.exe)
PID:1708

Level 91: C:\Windows\SysWOW64\Oomhcbjp.exe (command line: C:\Windows\system32\Oomhcbjp.exe)
PID:2552

Level 92: C:\Windows\SysWOW64\Obkdonic.exe (command line: C:\Windows\system32\Obkdonic.exe)
PID:2796

Level 93: C:\Windows\SysWOW64\Oiellh32.exe (command line: C:\Windows\system32\Oiellh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488

Level 94: C:\Windows\SysWOW64\Oghlgdgk.exe (command line: C:\Windows\system32\Oghlgdgk.exe)
PID:1644

Level 95: C:\Windows\SysWOW64\Ojficpfn.exe (command line: C:\Windows\system32\Ojficpfn.exe)
PID:1980

Level 96: C:\Windows\SysWOW64\Obnqem32.exe (command line: C:\Windows\system32\Obnqem32.exe)
PID:2076

Level 97: C:\Windows\SysWOW64\Ocomlemo.exe (command line: C:\Windows\system32\Ocomlemo.exe)
PID:2088

Level 98: C:\Windows\SysWOW64\Okfencna.exe (command line: C:\Windows\system32\Okfencna.exe)
PID:1780

Level 99: C:\Windows\SysWOW64\Ojieip32.exe (command line: C:\Windows\system32\Ojieip32.exe)
PID:1196

Level 100: C:\Windows\SysWOW64\Oqcnfjli.exe (command line: C:\Windows\system32\Oqcnfjli.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:588

Level 101: C:\Windows\SysWOW64\Ocajbekl.exe (command line: C:\Windows\system32\Ocajbekl.exe)
PID:3044

Level 102: C:\Windows\SysWOW64\Ofpfnqjp.exe (command line: C:\Windows\system32\Ofpfnqjp.exe)
PID:2856

Level 103: C:\Windows\SysWOW64\Ongnonkb.exe (command line: C:\Windows\system32\Ongnonkb.exe)
PID:1760

Level 104: C:\Windows\SysWOW64\Paejki32.exe (command line: C:\Windows\system32\Paejki32.exe)
PID:2540

Level 105: C:\Windows\SysWOW64\Pccfge32.exe (command line: C:\Windows\system32\Pccfge32.exe)
PID:2716

Level 106: C:\Windows\SysWOW64\Pfbccp32.exe (command line: C:\Windows\system32\Pfbccp32.exe)
PID:2400

Level 107: C:\Windows\SysWOW64\Pjmodopf.exe (command line: C:\Windows\system32\Pjmodopf.exe)
PID:2944

Level 108: C:\Windows\SysWOW64\Pcfcmd32.exe (command line: C:\Windows\system32\Pcfcmd32.exe)
PID:2604

Level 109: C:\Windows\SysWOW64\Pbiciana.exe (command line: C:\Windows\system32\Pbiciana.exe)
PID:2912

Level 110: C:\Windows\SysWOW64\Pfdpip32.exe (command line: C:\Windows\system32\Pfdpip32.exe)
PID:1696

Level 111: C:\Windows\SysWOW64\Piblek32.exe (command line: C:\Windows\system32\Piblek32.exe)
- Modifies registry class
PID:1524

Level 112: C:\Windows\SysWOW64\Plahag32.exe (command line: C:\Windows\system32\Plahag32.exe)
PID:1268

Level 113: C:\Windows\SysWOW64\Pchpbded.exe (command line: C:\Windows\system32\Pchpbded.exe)
PID:1776

Level 114: C:\Windows\SysWOW64\Pbkpna32.exe (command line: C:\Windows\system32\Pbkpna32.exe)
PID:2984

Level 115: C:\Windows\SysWOW64\Pmqdkj32.exe (command line: C:\Windows\system32\Pmqdkj32.exe)
PID:2260

Level 116: C:\Windows\SysWOW64\Ppoqge32.exe (command line: C:\Windows\system32\Ppoqge32.exe)
PID:2516

Level 117: C:\Windows\SysWOW64\Pnbacbac.exe (command line: C:\Windows\system32\Pnbacbac.exe)
PID:2412

Level 118: C:\Windows\SysWOW64\Pfiidobe.exe (command line: C:\Windows\system32\Pfiidobe.exe)
- Modifies registry class
PID:2936

Level 119: C:\Windows\SysWOW64\Phjelg32.exe (command line: C:\Windows\system32\Phjelg32.exe)
- Modifies registry class
PID:1752

Level 120: C:\Windows\SysWOW64\Plfamfpm.exe (command line: C:\Windows\system32\Plfamfpm.exe)
PID:924

Level 121: C:\Windows\SysWOW64\Pabjem32.exe (command line: C:\Windows\system32\Pabjem32.exe)
- Drops file in System32 directory
PID:3064

Level 122: C:\Windows\SysWOW64\Pijbfj32.exe (command line: C:\Windows\system32\Pijbfj32.exe)
PID:548