Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
61s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 20:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe
-
Size
299KB
-
MD5
2d2c65c5c3355a417608f78adb994680
-
SHA1
980fb86c3b5f77505640e6098a9814592ce366fd
-
SHA256
e0f1ba7a4d740e6a2460d64aa51c32e917a03381fc5a12ee21e4ae2977c4e4af
-
SHA512
8985d258f41a122c64fd431c984a0e25f42fa8a9e55d6b6cd7d0cdf35d83eb51b06d1edeb7110254ac8263cd32c629385ea1d24f1cbb49397266561a3a982da5
-
SSDEEP
3072:E+dxGaWcOGrfILefUEdmjRrz3TIUV4BKxAcL5CY2VePI8C3U/XYMJ2okZkRPKc4S:E6BOcJ8EdGTBki5CYtI8TAokZ2EA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njhilimb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgqcjlhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnecigcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bplijcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amoibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgchgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keeeje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkbfdfbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Daipqhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhoeii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njeelc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inlkik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lophacfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcjhdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqbejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlelda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nomkfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecgea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Daaenlng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcien32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdihiook.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijdkcgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dinpnged.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgcmod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmbqgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnnlocgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggfpgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecploipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioakoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kddomchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnmbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahogc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfcbldmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fajbke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eacghhkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhilph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdpgph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpoohik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dqfabdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckolek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdjcjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biaign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbpghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njalacon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glchpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgabdlfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaelomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiahnnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpabcbdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfbngfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccjoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpmjcg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2216 Fjjnan32.exe 2520 Giahhj32.exe 2480 Gmoqnhla.exe 2696 Gbnflo32.exe 2368 Gacbmk32.exe 2444 Gmjcblbb.exe 2100 Hnjplo32.exe 564 Hmomml32.exe 1252 Hfjnla32.exe 2184 Ieagbm32.exe 2024 Ikpmpc32.exe 1648 Iefamlak.exe 884 Ionefb32.exe 2588 Iihfgp32.exe 2960 Idmkdh32.exe 2256 Jdpgjhbm.exe 2848 Jjomgo32.exe 832 Jajala32.exe 1512 Jkbfdfbm.exe 1620 Jhffnk32.exe 1980 Kncofa32.exe 1072 Kkgopf32.exe 1676 Kqdhhm32.exe 2088 Kkileele.exe 2824 Knhhaaki.exe 1164 Kklikejc.exe 2940 Kqiaclhj.exe 1896 Kjaelaok.exe 2080 Lopkjhko.exe 2868 Lobgoh32.exe 2700 Lflplbpi.exe 2516 Liklhmom.exe 2396 Liminmmk.exe 2392 Lnjafd32.exe 2348 Llnaoh32.exe 696 Mbhjlbbh.exe 2176 Mgebdipp.exe 1476 Mamgmofp.exe 2280 Mfjoeeeh.exe 1936 Mmdgbp32.exe 2304 Mhilph32.exe 2724 Mmfdhojb.exe 1128 Mpgmijgc.exe 2132 Nfcbldmm.exe 1572 Nblpfepo.exe 976 Ndnlnm32.exe 1976 Nocpkf32.exe 2728 Nhlddkmc.exe 1120 Noemqe32.exe 1760 Odbeilbg.exe 1608 Oklnff32.exe 240 Omkjbb32.exe 2476 Odebolpe.exe 2484 Ogcnkgoh.exe 1740 Opkccm32.exe 2404 Ogekpg32.exe 1556 Olbchn32.exe 2772 Ohidmoaa.exe 2032 Ocohkh32.exe 1632 Ohkaco32.exe 2664 Pcaepg32.exe 2044 Phnnho32.exe 1592 Pohfehdi.exe 2912 Pgckjk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2804 2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe 2804 2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe 2216 Fjjnan32.exe 2216 Fjjnan32.exe 2520 Giahhj32.exe 2520 Giahhj32.exe 2480 Gmoqnhla.exe 2480 Gmoqnhla.exe 2696 Gbnflo32.exe 2696 Gbnflo32.exe 2368 Gacbmk32.exe 2368 Gacbmk32.exe 2444 Gmjcblbb.exe 2444 Gmjcblbb.exe 2100 Hnjplo32.exe 2100 Hnjplo32.exe 564 Hmomml32.exe 564 Hmomml32.exe 1252 Hfjnla32.exe 1252 Hfjnla32.exe 2184 Ieagbm32.exe 2184 Ieagbm32.exe 2024 Ikpmpc32.exe 2024 Ikpmpc32.exe 1648 Iefamlak.exe 1648 Iefamlak.exe 884 Ionefb32.exe 884 Ionefb32.exe 2588 Iihfgp32.exe 2588 Iihfgp32.exe 2960 Idmkdh32.exe 2960 Idmkdh32.exe 2256 Jdpgjhbm.exe 2256 Jdpgjhbm.exe 2848 Jjomgo32.exe 2848 Jjomgo32.exe 832 Jajala32.exe 832 Jajala32.exe 1512 Jkbfdfbm.exe 1512 Jkbfdfbm.exe 1620 Jhffnk32.exe 1620 Jhffnk32.exe 1980 Kncofa32.exe 1980 Kncofa32.exe 1072 Kkgopf32.exe 1072 Kkgopf32.exe 1676 Kqdhhm32.exe 1676 Kqdhhm32.exe 2088 Kkileele.exe 2088 Kkileele.exe 2824 Knhhaaki.exe 2824 Knhhaaki.exe 1164 Kklikejc.exe 1164 Kklikejc.exe 2940 Kqiaclhj.exe 2940 Kqiaclhj.exe 1896 Kjaelaok.exe 1896 Kjaelaok.exe 2080 Lopkjhko.exe 2080 Lopkjhko.exe 2868 Lobgoh32.exe 2868 Lobgoh32.exe 2700 Lflplbpi.exe 2700 Lflplbpi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Coikpclh.dll Gpabcbdb.exe File created C:\Windows\SysWOW64\Jianlbkj.dll Kgfoie32.exe File created C:\Windows\SysWOW64\Ekdehk32.dll Fhdjgoha.exe File created C:\Windows\SysWOW64\Hnngcook.dll Clefdcog.exe File opened for modification C:\Windows\SysWOW64\Pcbookpp.exe Pmhgba32.exe File created C:\Windows\SysWOW64\Baboljno.dll Dkbbinig.exe File created C:\Windows\SysWOW64\Omkicqkc.dll Keoabo32.exe File created C:\Windows\SysWOW64\Jenndm32.dll Oggeokoq.exe File opened for modification C:\Windows\SysWOW64\Pgcmbcih.exe Pmkhjncg.exe File opened for modification C:\Windows\SysWOW64\Aoojnc32.exe Ahebaiac.exe File opened for modification C:\Windows\SysWOW64\Gaojnq32.exe Goqnae32.exe File created C:\Windows\SysWOW64\Ncamen32.exe Nqbaic32.exe File opened for modification C:\Windows\SysWOW64\Phaoppja.exe Paggce32.exe File opened for modification C:\Windows\SysWOW64\Dfpcblfp.exe Dcageqgm.exe File created C:\Windows\SysWOW64\Jodhdp32.exe Iigpli32.exe File created C:\Windows\SysWOW64\Fmkilb32.exe Fogibnha.exe File created C:\Windows\SysWOW64\Gkglnm32.exe Gqahqd32.exe File created C:\Windows\SysWOW64\Hpfnbh32.dll Fleifl32.exe File created C:\Windows\SysWOW64\Qlggjlep.exe Qaablcej.exe File created C:\Windows\SysWOW64\Dqfabdaf.exe Djmiejji.exe File created C:\Windows\SysWOW64\Imiigiab.exe Ifoqjo32.exe File created C:\Windows\SysWOW64\Opfmmcec.dll Fchkbg32.exe File opened for modification C:\Windows\SysWOW64\Boemlbpk.exe Blfapfpg.exe File opened for modification C:\Windows\SysWOW64\Felcbk32.exe Fbngfo32.exe File created C:\Windows\SysWOW64\Glfgnh32.exe Geloanjg.exe File created C:\Windows\SysWOW64\Cnflae32.exe Cglcek32.exe File opened for modification C:\Windows\SysWOW64\Gmjcblbb.exe Gacbmk32.exe File created C:\Windows\SysWOW64\Kjaelaok.exe Kqiaclhj.exe File created C:\Windows\SysWOW64\Gqdgom32.exe Gglbfg32.exe File opened for modification C:\Windows\SysWOW64\Ghaeoe32.exe Gmlablaa.exe File created C:\Windows\SysWOW64\Mqdkdffe.dll Pldebkhj.exe File created C:\Windows\SysWOW64\Boadnkpf.dll Lfhhjklc.exe File opened for modification C:\Windows\SysWOW64\Hclfag32.exe Hmbndmkb.exe File created C:\Windows\SysWOW64\Apkihofl.exe Aiaqle32.exe File created C:\Windows\SysWOW64\Lpcafg32.dll Appbcn32.exe File opened for modification C:\Windows\SysWOW64\Hhmhcigh.exe Gcppkbia.exe File created C:\Windows\SysWOW64\Mqpkpl32.dll Efhcej32.exe File created C:\Windows\SysWOW64\Fikelhib.exe Ffmipmjn.exe File created C:\Windows\SysWOW64\Iijbfecp.dll Jkpbdq32.exe File created C:\Windows\SysWOW64\Dldlhdpl.dll Kdklfe32.exe File created C:\Windows\SysWOW64\Egncgo32.dll Ohfcfb32.exe File created C:\Windows\SysWOW64\Okmjae32.dll Pddjlb32.exe File created C:\Windows\SysWOW64\Caefkh32.dll Dcdkef32.exe File created C:\Windows\SysWOW64\Kkifia32.dll Ebnabb32.exe File opened for modification C:\Windows\SysWOW64\Mblbnj32.exe Momfan32.exe File created C:\Windows\SysWOW64\Dbabho32.exe Dlgjldnm.exe File created C:\Windows\SysWOW64\Aboaff32.exe Agjmim32.exe File created C:\Windows\SysWOW64\Bplhnoej.exe Bibpad32.exe File opened for modification C:\Windows\SysWOW64\Lbicoamh.exe Liqoflfh.exe File created C:\Windows\SysWOW64\Difnaqih.exe Daofpchf.exe File created C:\Windows\SysWOW64\Emagacdm.exe Eggndi32.exe File created C:\Windows\SysWOW64\Olfcfe32.dll Jbqmhnbo.exe File created C:\Windows\SysWOW64\Hnnikfij.dll Kekkiq32.exe File opened for modification C:\Windows\SysWOW64\Dgcmod32.exe Deeqch32.exe File opened for modification C:\Windows\SysWOW64\Cdkkcp32.exe Cnabffeo.exe File opened for modification C:\Windows\SysWOW64\Dmmbge32.exe Dgqion32.exe File created C:\Windows\SysWOW64\Hfenefej.dll Edidqf32.exe File created C:\Windows\SysWOW64\Gmlablaa.exe Ggbieb32.exe File created C:\Windows\SysWOW64\Fhglop32.exe Fmbgageq.exe File created C:\Windows\SysWOW64\Kbnclf32.dll Jofejpmc.exe File opened for modification C:\Windows\SysWOW64\Eknmhk32.exe Eddeladm.exe File created C:\Windows\SysWOW64\Diodocki.dll Ijaaae32.exe File created C:\Windows\SysWOW64\Iclbpj32.exe Ijcngenj.exe File created C:\Windows\SysWOW64\Nqeapo32.exe Mgmmfjip.exe -
Program crash 1 IoCs
pid pid_target Process 2984 5920 Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goejop32.dll" Ljieppcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjlbdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmqejl32.dll" Imaapa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jokqnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njldhk32.dll" Nqeapo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahadcefi.dll" Dgcmod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndnlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpbkhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odbeilbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkglnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgkfal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egldgl32.dll" Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcohdeco.dll" Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll" Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkacflm.dll" Nblpfepo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggicgopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Godaakic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbabho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bchfhfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgofhlp.dll" Hgkfal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Imgnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghanagbo.dll" Llmmpcfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojkeah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfmiaej.dll" Idcacc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejobie32.dll" Ceeieced.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhilph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mimgeigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlefhcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jokqnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhigkm32.dll" Oajndh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elkofg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fglfgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lflplbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjpdhifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njalacon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opodknco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qfmafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbchni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfcbldmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbhmhk32.dll" Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioljnm32.dll" Mjqmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojeobm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnjbnhn.dll" Giolnomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Alodeacc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekcaonhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfhhjklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nomkfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aepbmhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpdepqif.dll" Geloanjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgebdipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knhhaaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiedd32.dll" Ohkaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aollokco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjjpeiak.dll" Ojpomh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2804 wrote to memory of 2216 2804 2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe 28 PID 2804 wrote to memory of 2216 2804 2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe 28 PID 2804 wrote to memory of 2216 2804 2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe 28 PID 2804 wrote to memory of 2216 2804 2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe 28 PID 2216 wrote to memory of 2520 2216 Fjjnan32.exe 29 PID 2216 wrote to memory of 2520 2216 Fjjnan32.exe 29 PID 2216 wrote to memory of 2520 2216 Fjjnan32.exe 29 PID 2216 wrote to memory of 2520 2216 Fjjnan32.exe 29 PID 2520 wrote to memory of 2480 2520 Giahhj32.exe 30 PID 2520 wrote to memory of 2480 2520 Giahhj32.exe 30 PID 2520 wrote to memory of 2480 2520 Giahhj32.exe 30 PID 2520 wrote to memory of 2480 2520 Giahhj32.exe 30 PID 2480 wrote to memory of 2696 2480 Gmoqnhla.exe 31 PID 2480 wrote to memory of 2696 2480 Gmoqnhla.exe 31 PID 2480 wrote to memory of 2696 2480 Gmoqnhla.exe 31 PID 2480 wrote to memory of 2696 2480 Gmoqnhla.exe 31 PID 2696 wrote to memory of 2368 2696 Gbnflo32.exe 32 PID 2696 wrote to memory of 2368 2696 Gbnflo32.exe 32 PID 2696 wrote to memory of 2368 2696 Gbnflo32.exe 32 PID 2696 wrote to memory of 2368 2696 Gbnflo32.exe 32 PID 2368 wrote to memory of 2444 2368 Gacbmk32.exe 33 PID 2368 wrote to memory of 2444 2368 Gacbmk32.exe 33 PID 2368 wrote to memory of 2444 2368 Gacbmk32.exe 33 PID 2368 wrote to memory of 2444 2368 Gacbmk32.exe 33 PID 2444 wrote to memory of 2100 2444 Gmjcblbb.exe 34 PID 2444 wrote to memory of 2100 2444 Gmjcblbb.exe 34 PID 2444 wrote to memory of 2100 2444 Gmjcblbb.exe 34 PID 2444 wrote to memory of 2100 2444 Gmjcblbb.exe 34 PID 2100 wrote to memory of 564 2100 Hnjplo32.exe 35 PID 2100 wrote to memory of 564 2100 Hnjplo32.exe 35 PID 2100 wrote to memory of 564 2100 Hnjplo32.exe 35 PID 2100 wrote to memory of 564 2100 Hnjplo32.exe 35 PID 564 wrote to memory of 1252 564 Hmomml32.exe 36 PID 564 wrote to memory of 1252 564 Hmomml32.exe 36 PID 564 wrote to memory of 1252 564 Hmomml32.exe 36 PID 564 wrote to memory of 1252 564 Hmomml32.exe 36 PID 1252 wrote to memory of 2184 1252 Hfjnla32.exe 37 PID 1252 wrote to memory of 2184 1252 Hfjnla32.exe 37 PID 1252 wrote to memory of 2184 1252 Hfjnla32.exe 37 PID 1252 wrote to memory of 2184 1252 Hfjnla32.exe 37 PID 2184 wrote to memory of 2024 2184 Ieagbm32.exe 38 PID 2184 wrote to memory of 2024 2184 Ieagbm32.exe 38 PID 2184 wrote to memory of 2024 2184 Ieagbm32.exe 38 PID 2184 wrote to memory of 2024 2184 Ieagbm32.exe 38 PID 2024 wrote to memory of 1648 2024 Ikpmpc32.exe 39 PID 2024 wrote to memory of 1648 2024 Ikpmpc32.exe 39 PID 2024 wrote to memory of 1648 2024 Ikpmpc32.exe 39 PID 2024 wrote to memory of 1648 2024 Ikpmpc32.exe 39 PID 1648 wrote to memory of 884 1648 Iefamlak.exe 40 PID 1648 wrote to memory of 884 1648 Iefamlak.exe 40 PID 1648 wrote to memory of 884 1648 Iefamlak.exe 40 PID 1648 wrote to memory of 884 1648 Iefamlak.exe 40 PID 884 wrote to memory of 2588 884 Ionefb32.exe 41 PID 884 wrote to memory of 2588 884 Ionefb32.exe 41 PID 884 wrote to memory of 2588 884 Ionefb32.exe 41 PID 884 wrote to memory of 2588 884 Ionefb32.exe 41 PID 2588 wrote to memory of 2960 2588 Iihfgp32.exe 42 PID 2588 wrote to memory of 2960 2588 Iihfgp32.exe 42 PID 2588 wrote to memory of 2960 2588 Iihfgp32.exe 42 PID 2588 wrote to memory of 2960 2588 Iihfgp32.exe 42 PID 2960 wrote to memory of 2256 2960 Idmkdh32.exe 43 PID 2960 wrote to memory of 2256 2960 Idmkdh32.exe 43 PID 2960 wrote to memory of 2256 2960 Idmkdh32.exe 43 PID 2960 wrote to memory of 2256 2960 Idmkdh32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2d2c65c5c3355a417608f78adb994680_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe33⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe34⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Lnjafd32.exeC:\Windows\system32\Lnjafd32.exe35⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe36⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe37⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe39⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe40⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe41⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe43⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe44⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe48⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe49⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe50⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe52⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe53⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe54⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe55⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe56⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe57⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe58⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe59⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe60⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe62⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe63⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe64⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe65⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:948 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe67⤵PID:956
-
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe68⤵PID:1748
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1168 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe70⤵PID:2172
-
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe71⤵PID:1508
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe72⤵PID:1588
-
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe73⤵
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe74⤵PID:2616
-
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe75⤵PID:2028
-
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe76⤵PID:2468
-
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe77⤵PID:324
-
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe78⤵PID:1932
-
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe79⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe80⤵PID:2492
-
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe81⤵PID:2428
-
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe82⤵PID:2628
-
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe83⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe84⤵PID:2312
-
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe85⤵PID:2832
-
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe86⤵PID:2060
-
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe87⤵PID:1624
-
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe88⤵PID:2116
-
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe90⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe91⤵PID:2340
-
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe92⤵PID:2552
-
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe93⤵PID:3016
-
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe94⤵PID:2780
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe95⤵PID:2136
-
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe96⤵PID:1324
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe97⤵PID:2120
-
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe98⤵PID:1548
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe99⤵PID:1112
-
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe100⤵PID:2656
-
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe101⤵PID:2636
-
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe103⤵PID:1696
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe104⤵PID:1972
-
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe105⤵PID:2540
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe106⤵PID:1392
-
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe107⤵PID:572
-
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe110⤵PID:2764
-
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe111⤵PID:836
-
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe112⤵PID:1156
-
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:920 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe114⤵PID:1992
-
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe115⤵PID:776
-
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe116⤵PID:2424
-
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe117⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe118⤵PID:1308
-
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe119⤵PID:1488
-
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe120⤵PID:2264
-
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe121⤵PID:2276
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-