Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
14/05/2024, 19:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe
-
Size
483KB
-
MD5
11aa1d59a3b5626a6a5c04ab3ad2e610
-
SHA1
acf9eae420c41616171408172b6d68389991edae
-
SHA256
ebfa594dd6a7f8dccf1588621fb1fa050748e3dc891a1eaee0f4592c0d6507f0
-
SHA512
8ec71eac9af20fd222b0b0b1db1cec1d467bfdb0e5ca3535c58971875f94681a94a5d472ef417d6fae0132b8be2905767b48b9b906ff6d144b5326a9fe3fcec6
-
SSDEEP
6144:p4AUmKtFy5v1k3RMZebBDRMZebBGzxUur/THL1k3RMZebBvG0NPhGcRPTDpL1k38:mptY5vARM0RM/3ARMSG0dhvARMoHG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocemcbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgele32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplkfgoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgenhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obigjnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pccfge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhjai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbfijjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbqhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpgmhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odegpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Globlmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jklanp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdjnofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phjelg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaiiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfeimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnnojlpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnfkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgenhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepnpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhqfbebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiedjneg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecqjpee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnplpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppamme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copfbfjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe -
Executes dropped EXE 64 IoCs
pid Process 1828 Icjfhn32.exe 2112 Ikekmq32.exe 2676 Imeggc32.exe 2592 Ibapoj32.exe 2508 Jkjdhpea.exe 2464 Jklanp32.exe 2968 Jbfijjkl.exe 2520 Jaiiff32.exe 2196 Jgenhp32.exe 1404 Jpqclb32.exe 2840 Jjfgjk32.exe 864 Kpcpbb32.exe 1568 Kpemgbqf.exe 1440 Kebepion.exe 2072 Kphimanc.exe 336 Kbfeimng.exe 1112 Kjcgco32.exe 2056 Koocdnai.exe 1824 Kanopipl.exe 2176 Lhggmchi.exe 964 Lmdpejfq.exe 2412 Lhjdbcef.exe 2244 Lkhpnnej.exe 904 Lmgmjjdn.exe 3044 Lpeifeca.exe 1588 Lkkmdn32.exe 1616 Lmiipi32.exe 2716 Lpgele32.exe 3052 Lbfahp32.exe 2632 Lchnnp32.exe 2732 Lgdjnofi.exe 2512 Libgjj32.exe 2588 Loooca32.exe 2988 Meigpkka.exe 2824 Moalhq32.exe 2568 Mcmhiojk.exe 1656 Maphdl32.exe 2756 Mekdekin.exe 2360 Mcodno32.exe 1660 Mlgigdoh.exe 2084 Mepnpj32.exe 2724 Mhnjle32.exe 1792 Mohbip32.exe 1796 Mpjoqhah.exe 1880 Mpjoqhah.exe 848 Mhqfbebj.exe 2296 Njbcim32.exe 1196 Nnnojlpa.exe 2136 Nplkfgoe.exe 1580 Ngfcca32.exe 2292 Nkaocp32.exe 2668 Nnplpl32.exe 2628 Npnhlg32.exe 1816 Ncmdhb32.exe 2524 Njgldmdc.exe 2484 Nnbhek32.exe 2804 Nocemcbj.exe 2944 Nfmmin32.exe 2848 Njiijlbp.exe 1680 Nlgefh32.exe 1664 Nofabc32.exe 2536 Njkfpl32.exe 692 Nhnfkigh.exe 1168 Nkmbgdfl.exe -
Loads dropped DLL 64 IoCs
pid Process 2548 11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe 2548 11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe 1828 Icjfhn32.exe 1828 Icjfhn32.exe 2112 Ikekmq32.exe 2112 Ikekmq32.exe 2676 Imeggc32.exe 2676 Imeggc32.exe 2592 Ibapoj32.exe 2592 Ibapoj32.exe 2508 Jkjdhpea.exe 2508 Jkjdhpea.exe 2464 Jklanp32.exe 2464 Jklanp32.exe 2968 Jbfijjkl.exe 2968 Jbfijjkl.exe 2520 Jaiiff32.exe 2520 Jaiiff32.exe 2196 Jgenhp32.exe 2196 Jgenhp32.exe 1404 Jpqclb32.exe 1404 Jpqclb32.exe 2840 Jjfgjk32.exe 2840 Jjfgjk32.exe 864 Kpcpbb32.exe 864 Kpcpbb32.exe 1568 Kpemgbqf.exe 1568 Kpemgbqf.exe 1440 Kebepion.exe 1440 Kebepion.exe 2072 Kphimanc.exe 2072 Kphimanc.exe 336 Kbfeimng.exe 336 Kbfeimng.exe 1112 Kjcgco32.exe 1112 Kjcgco32.exe 2056 Koocdnai.exe 2056 Koocdnai.exe 1824 Kanopipl.exe 1824 Kanopipl.exe 2176 Lhggmchi.exe 2176 Lhggmchi.exe 964 Lmdpejfq.exe 964 Lmdpejfq.exe 2412 Lhjdbcef.exe 2412 Lhjdbcef.exe 2244 Lkhpnnej.exe 2244 Lkhpnnej.exe 904 Lmgmjjdn.exe 904 Lmgmjjdn.exe 3044 Lpeifeca.exe 3044 Lpeifeca.exe 1588 Lkkmdn32.exe 1588 Lkkmdn32.exe 1616 Lmiipi32.exe 1616 Lmiipi32.exe 2716 Lpgele32.exe 2716 Lpgele32.exe 3052 Lbfahp32.exe 3052 Lbfahp32.exe 2632 Lchnnp32.exe 2632 Lchnnp32.exe 2732 Lgdjnofi.exe 2732 Lgdjnofi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cdjgej32.dll Peiljl32.exe File opened for modification C:\Windows\SysWOW64\Cjlgiqbk.exe Cgmkmecg.exe File opened for modification C:\Windows\SysWOW64\Dbbkja32.exe Dodonf32.exe File created C:\Windows\SysWOW64\Elbepj32.dll Djpmccqq.exe File created C:\Windows\SysWOW64\Lkoabpeg.dll Gbkgnfbd.exe File created C:\Windows\SysWOW64\Bogjdl32.dll Jklanp32.exe File opened for modification C:\Windows\SysWOW64\Mcmhiojk.exe Moalhq32.exe File created C:\Windows\SysWOW64\Bagmdc32.dll Adjigg32.exe File opened for modification C:\Windows\SysWOW64\Gdamqndn.exe Gacpdbej.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hnagjbdf.exe File opened for modification C:\Windows\SysWOW64\Kpcpbb32.exe Jjfgjk32.exe File created C:\Windows\SysWOW64\Lhggmchi.exe Kanopipl.exe File created C:\Windows\SysWOW64\Maphdl32.exe Mcmhiojk.exe File opened for modification C:\Windows\SysWOW64\Njkfpl32.exe Nofabc32.exe File opened for modification C:\Windows\SysWOW64\Eecqjpee.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Fcmgfkeg.exe Fmcoja32.exe File created C:\Windows\SysWOW64\Aoffmd32.exe Alhjai32.exe File opened for modification C:\Windows\SysWOW64\Jgenhp32.exe Jaiiff32.exe File created C:\Windows\SysWOW64\Kagdplnm.dll Mpjoqhah.exe File created C:\Windows\SysWOW64\Nnplpl32.exe Nkaocp32.exe File created C:\Windows\SysWOW64\Amdgnl32.dll Nnbhek32.exe File created C:\Windows\SysWOW64\Nhnfkigh.exe Njkfpl32.exe File created C:\Windows\SysWOW64\Oicpfh32.exe Odgcfijj.exe File opened for modification C:\Windows\SysWOW64\Qnigda32.exe Qjmkcbcb.exe File opened for modification C:\Windows\SysWOW64\Enkece32.exe Epieghdk.exe File opened for modification C:\Windows\SysWOW64\Jbfijjkl.exe Jklanp32.exe File created C:\Windows\SysWOW64\Nnnojlpa.exe Njbcim32.exe File created C:\Windows\SysWOW64\Bnpmipql.exe Bloqah32.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Peiljl32.exe Pchpbded.exe File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe Gkihhhnm.exe File created C:\Windows\SysWOW64\Nnbhek32.exe Njgldmdc.exe File opened for modification C:\Windows\SysWOW64\Paejki32.exe Ongnonkb.exe File created C:\Windows\SysWOW64\Ppjglfon.exe Pipopl32.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Bbdocc32.exe File created C:\Windows\SysWOW64\Ocjcidbb.dll Gbijhg32.exe File created C:\Windows\SysWOW64\Bpjiammk.dll Abpfhcje.exe File created C:\Windows\SysWOW64\Cmbmkg32.dll Fddmgjpo.exe File created C:\Windows\SysWOW64\Elpbcapg.dll Gkihhhnm.exe File created C:\Windows\SysWOW64\Ebhepm32.dll Nnplpl32.exe File created C:\Windows\SysWOW64\Iffhidee.dll Npnhlg32.exe File created C:\Windows\SysWOW64\Dhjfhhen.dll Okoomd32.exe File created C:\Windows\SysWOW64\Pknmbn32.dll Apajlhka.exe File opened for modification C:\Windows\SysWOW64\Begeknan.exe Bnpmipql.exe File created C:\Windows\SysWOW64\Ennaieib.exe Eiaiqn32.exe File created C:\Windows\SysWOW64\Fhkpmjln.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Gaqcoc32.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Ekchhcnp.dll Paejki32.exe File created C:\Windows\SysWOW64\Qeqbkkej.exe Qaefjm32.exe File created C:\Windows\SysWOW64\Ifclcknc.dll Qeqbkkej.exe File created C:\Windows\SysWOW64\Kpikfj32.dll Adeplhib.exe File opened for modification C:\Windows\SysWOW64\Bdhhqk32.exe Baildokg.exe File created C:\Windows\SysWOW64\Pacebaej.dll Begeknan.exe File created C:\Windows\SysWOW64\Cfinoq32.exe Copfbfjj.exe File opened for modification C:\Windows\SysWOW64\Kpemgbqf.exe Kpcpbb32.exe File created C:\Windows\SysWOW64\Jkkilgnq.dll Mohbip32.exe File created C:\Windows\SysWOW64\Odbkcj32.dll Ppamme32.exe File created C:\Windows\SysWOW64\Ddgkcd32.dll Dbbkja32.exe File created C:\Windows\SysWOW64\Gcmjhbal.dll Ennaieib.exe File created C:\Windows\SysWOW64\Jbfijjkl.exe Jklanp32.exe File created C:\Windows\SysWOW64\Npfpmgon.dll Kphimanc.exe File created C:\Windows\SysWOW64\Lcgjec32.dll Libgjj32.exe File opened for modification C:\Windows\SysWOW64\Maphdl32.exe Mcmhiojk.exe File opened for modification C:\Windows\SysWOW64\Odjpkihg.exe Oomhcbjp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3320 3348 WerFault.exe 263 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" Comimg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhggmchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obneof32.dll" Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmbeioh.dll" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhebk32.dll" Pfiidobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbknb.dll" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfbll32.dll" Lmiipi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdmeemc.dll" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppamme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" Gbijhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnnojlpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alqkcl32.dll" Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll" Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epieghdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjccnjpk.dll" Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idphiplp.dll" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkihhhnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpqclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfgfm32.dll" Kanopipl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfecaop.dll" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" Hpmgqnfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlgigdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhjfhhen.dll" Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icjfhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbfijjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcodno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njkfpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmdpejfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmndi32.dll" Odjpkihg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjknnbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahaloofd.dll" Oenifh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobkmdfq.dll" Aljgfioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cobbhfhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maphdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedlancd.dll" Ohqbqhde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqqapjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2548 wrote to memory of 1828 2548 11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe 28 PID 2548 wrote to memory of 1828 2548 11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe 28 PID 2548 wrote to memory of 1828 2548 11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe 28 PID 2548 wrote to memory of 1828 2548 11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe 28 PID 1828 wrote to memory of 2112 1828 Icjfhn32.exe 29 PID 1828 wrote to memory of 2112 1828 Icjfhn32.exe 29 PID 1828 wrote to memory of 2112 1828 Icjfhn32.exe 29 PID 1828 wrote to memory of 2112 1828 Icjfhn32.exe 29 PID 2112 wrote to memory of 2676 2112 Ikekmq32.exe 30 PID 2112 wrote to memory of 2676 2112 Ikekmq32.exe 30 PID 2112 wrote to memory of 2676 2112 Ikekmq32.exe 30 PID 2112 wrote to memory of 2676 2112 Ikekmq32.exe 30 PID 2676 wrote to memory of 2592 2676 Imeggc32.exe 31 PID 2676 wrote to memory of 2592 2676 Imeggc32.exe 31 PID 2676 wrote to memory of 2592 2676 Imeggc32.exe 31 PID 2676 wrote to memory of 2592 2676 Imeggc32.exe 31 PID 2592 wrote to memory of 2508 2592 Ibapoj32.exe 32 PID 2592 wrote to memory of 2508 2592 Ibapoj32.exe 32 PID 2592 wrote to memory of 2508 2592 Ibapoj32.exe 32 PID 2592 wrote to memory of 2508 2592 Ibapoj32.exe 32 PID 2508 wrote to memory of 2464 2508 Jkjdhpea.exe 33 PID 2508 wrote to memory of 2464 2508 Jkjdhpea.exe 33 PID 2508 wrote to memory of 2464 2508 Jkjdhpea.exe 33 PID 2508 wrote to memory of 2464 2508 Jkjdhpea.exe 33 PID 2464 wrote to memory of 2968 2464 Jklanp32.exe 34 PID 2464 wrote to memory of 2968 2464 Jklanp32.exe 34 PID 2464 wrote to memory of 2968 2464 Jklanp32.exe 34 PID 2464 wrote to memory of 2968 2464 Jklanp32.exe 34 PID 2968 wrote to memory of 2520 2968 Jbfijjkl.exe 35 PID 2968 wrote to memory of 2520 2968 Jbfijjkl.exe 35 PID 2968 wrote to memory of 2520 2968 Jbfijjkl.exe 35 PID 2968 wrote to memory of 2520 2968 Jbfijjkl.exe 35 PID 2520 wrote to memory of 2196 2520 Jaiiff32.exe 36 PID 2520 wrote to memory of 2196 2520 Jaiiff32.exe 36 PID 2520 wrote to memory of 2196 2520 Jaiiff32.exe 36 PID 2520 wrote to memory of 2196 2520 Jaiiff32.exe 36 PID 2196 wrote to memory of 1404 2196 Jgenhp32.exe 37 PID 2196 wrote to memory of 1404 2196 Jgenhp32.exe 37 PID 2196 wrote to memory of 1404 2196 Jgenhp32.exe 37 PID 2196 wrote to memory of 1404 2196 Jgenhp32.exe 37 PID 1404 wrote to memory of 2840 1404 Jpqclb32.exe 38 PID 1404 wrote to memory of 2840 1404 Jpqclb32.exe 38 PID 1404 wrote to memory of 2840 1404 Jpqclb32.exe 38 PID 1404 wrote to memory of 2840 1404 Jpqclb32.exe 38 PID 2840 wrote to memory of 864 2840 Jjfgjk32.exe 39 PID 2840 wrote to memory of 864 2840 Jjfgjk32.exe 39 PID 2840 wrote to memory of 864 2840 Jjfgjk32.exe 39 PID 2840 wrote to memory of 864 2840 Jjfgjk32.exe 39 PID 864 wrote to memory of 1568 864 Kpcpbb32.exe 40 PID 864 wrote to memory of 1568 864 Kpcpbb32.exe 40 PID 864 wrote to memory of 1568 864 Kpcpbb32.exe 40 PID 864 wrote to memory of 1568 864 Kpcpbb32.exe 40 PID 1568 wrote to memory of 1440 1568 Kpemgbqf.exe 41 PID 1568 wrote to memory of 1440 1568 Kpemgbqf.exe 41 PID 1568 wrote to memory of 1440 1568 Kpemgbqf.exe 41 PID 1568 wrote to memory of 1440 1568 Kpemgbqf.exe 41 PID 1440 wrote to memory of 2072 1440 Kebepion.exe 42 PID 1440 wrote to memory of 2072 1440 Kebepion.exe 42 PID 1440 wrote to memory of 2072 1440 Kebepion.exe 42 PID 1440 wrote to memory of 2072 1440 Kebepion.exe 42 PID 2072 wrote to memory of 336 2072 Kphimanc.exe 43 PID 2072 wrote to memory of 336 2072 Kphimanc.exe 43 PID 2072 wrote to memory of 336 2072 Kphimanc.exe 43 PID 2072 wrote to memory of 336 2072 Kphimanc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\11aa1d59a3b5626a6a5c04ab3ad2e610_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe35⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe43⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe45⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe51⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe61⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe65⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe66⤵PID:2396
-
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1360 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe71⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe72⤵PID:580
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe73⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe74⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe75⤵PID:2540
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe76⤵PID:1448
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe78⤵PID:3000
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe79⤵PID:1980
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe80⤵PID:112
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe81⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe82⤵PID:2152
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe83⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe84⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe86⤵PID:2144
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe88⤵PID:2872
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe90⤵
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe92⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe94⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe95⤵PID:1608
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe96⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe99⤵
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe100⤵PID:552
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe101⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe102⤵PID:2604
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe103⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe104⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe105⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe106⤵PID:2424
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe107⤵PID:1228
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe108⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe109⤵PID:1624
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe110⤵PID:1640
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe111⤵
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe112⤵PID:892
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe113⤵PID:2680
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:812 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe115⤵PID:2496
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe116⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe117⤵PID:1560
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe118⤵PID:2792
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe119⤵
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe120⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-