Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 01:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe
-
Size
88KB
-
MD5
78d1eb1648d57216be26bbe8591c84d0
-
SHA1
eaac3125071008cb4154792fbf6753fbd50e8a59
-
SHA256
08701dd2df03b3ec0a7a0a420f3fccc2df4b9552405f0e8e9cc6357fb147a6ee
-
SHA512
f47bd6422a56933514e7c4e6cda71ed8ed0bdd5eae367f019f708811f91e27e59cd9b00d26f4d967018f6d0f1a455b75355724a71ed16307602771969fcfffc3
-
SSDEEP
1536:MizmjZrmKyjN0Ihl59HfhnvcH9O2yrUHW34x1rs8X0zKK4f52Znouy8L:LmNrmVeIhlidOHv321rs8BKLJoutL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgkbeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onecbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fekpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okikfagn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogblbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnfbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foafdoag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohnaik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglcogeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmkomchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbfmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmbfggdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qododfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpjfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgpkpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpdoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbemfbdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klehgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmaled32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmglajcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfkpknkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmbiipml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcpjmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aekqmbod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Balkchpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flqmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mamgmofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enbnkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhaikn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2724 Hcifgjgc.exe 2672 Hlakpp32.exe 2708 Hejoiedd.exe 2812 Hpocfncj.exe 2312 Hellne32.exe 2936 Hacmcfge.exe 1508 Hlhaqogk.exe 2704 Idceea32.exe 2272 Ioijbj32.exe 1568 Idfbkq32.exe 2276 Iokfhi32.exe 688 Ihdkao32.exe 1292 Inqcif32.exe 1168 Igihbknb.exe 2796 Incpoe32.exe 2368 Iqalka32.exe 848 Ifnechbj.exe 1092 Jnemdecl.exe 2252 Jqdipqbp.exe 2344 Jcbellac.exe 552 Jfqahgpg.exe 952 Jiondcpk.exe 1752 Jqfffqpm.exe 1036 Jcdbbloa.exe 1940 Jfcnngnd.exe 1880 Jcgogk32.exe 3012 Jfekcg32.exe 2680 Jicgpb32.exe 2828 Jonplmcb.exe 2440 Jejhecaj.exe 2448 Jifdebic.exe 2940 Joplbl32.exe 2960 Jbnhng32.exe 2760 Kihqkagp.exe 1588 Kaceodek.exe 112 Kcbakpdo.exe 2280 Kgnnln32.exe 1504 Kmjfdejp.exe 624 Kafbec32.exe 836 Kcdnao32.exe 2932 Kmmcjehm.exe 1932 Kcfkfo32.exe 1180 Kjqccigf.exe 2424 Kiccofna.exe 1240 Kpmlkp32.exe 1700 Kblhgk32.exe 2024 Kfgdhjmk.exe 1408 Kmaled32.exe 2032 Lldlqakb.exe 608 Lckdanld.exe 2020 Lemaif32.exe 2420 Lihmjejl.exe 2380 Lpbefoai.exe 2944 Lbqabkql.exe 1220 Lflmci32.exe 2984 Lijjoe32.exe 1912 Lliflp32.exe 1964 Logbhl32.exe 1592 Lbcnhjnj.exe 1552 Leajdfnm.exe 1884 Lhpfqama.exe 2808 Lkncmmle.exe 588 Lecgje32.exe 2340 Lhbcfa32.exe -
Loads dropped DLL 64 IoCs
pid Process 2156 78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe 2156 78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe 2724 Hcifgjgc.exe 2724 Hcifgjgc.exe 2672 Hlakpp32.exe 2672 Hlakpp32.exe 2708 Hejoiedd.exe 2708 Hejoiedd.exe 2812 Hpocfncj.exe 2812 Hpocfncj.exe 2312 Hellne32.exe 2312 Hellne32.exe 2936 Hacmcfge.exe 2936 Hacmcfge.exe 1508 Hlhaqogk.exe 1508 Hlhaqogk.exe 2704 Idceea32.exe 2704 Idceea32.exe 2272 Ioijbj32.exe 2272 Ioijbj32.exe 1568 Idfbkq32.exe 1568 Idfbkq32.exe 2276 Iokfhi32.exe 2276 Iokfhi32.exe 688 Ihdkao32.exe 688 Ihdkao32.exe 1292 Inqcif32.exe 1292 Inqcif32.exe 1168 Igihbknb.exe 1168 Igihbknb.exe 2796 Incpoe32.exe 2796 Incpoe32.exe 2368 Iqalka32.exe 2368 Iqalka32.exe 848 Ifnechbj.exe 848 Ifnechbj.exe 1092 Jnemdecl.exe 1092 Jnemdecl.exe 2252 Jqdipqbp.exe 2252 Jqdipqbp.exe 2344 Jcbellac.exe 2344 Jcbellac.exe 552 Jfqahgpg.exe 552 Jfqahgpg.exe 952 Jiondcpk.exe 952 Jiondcpk.exe 1752 Jqfffqpm.exe 1752 Jqfffqpm.exe 1036 Jcdbbloa.exe 1036 Jcdbbloa.exe 1940 Jfcnngnd.exe 1940 Jfcnngnd.exe 1880 Jcgogk32.exe 1880 Jcgogk32.exe 3012 Jfekcg32.exe 3012 Jfekcg32.exe 2680 Jicgpb32.exe 2680 Jicgpb32.exe 2828 Jonplmcb.exe 2828 Jonplmcb.exe 2440 Jejhecaj.exe 2440 Jejhecaj.exe 2448 Jifdebic.exe 2448 Jifdebic.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ijmkck32.dll Dkgippgb.exe File opened for modification C:\Windows\SysWOW64\Mapccndn.exe Mnaggcej.exe File opened for modification C:\Windows\SysWOW64\Eolmip32.exe Enkpahon.exe File created C:\Windows\SysWOW64\Lckdanld.exe Lldlqakb.exe File opened for modification C:\Windows\SysWOW64\Lapnnafn.exe Lmebnb32.exe File created C:\Windows\SysWOW64\Bnapob32.dll Aekqmbod.exe File created C:\Windows\SysWOW64\Eohcninh.dll Agjmim32.exe File created C:\Windows\SysWOW64\Fpkjkkdg.dll Qfljkp32.exe File created C:\Windows\SysWOW64\Eikfdl32.exe Process not Found File created C:\Windows\SysWOW64\Lbbjgn32.dll Pmccjbaf.exe File opened for modification C:\Windows\SysWOW64\Mimemp32.exe Mfoiqe32.exe File opened for modification C:\Windows\SysWOW64\Fjjnan32.exe Fgkbeb32.exe File created C:\Windows\SysWOW64\Cmbjddfk.dll Hihjhl32.exe File created C:\Windows\SysWOW64\Gbpfqb32.dll Nijnln32.exe File opened for modification C:\Windows\SysWOW64\Oehdan32.exe Oalhqohl.exe File created C:\Windows\SysWOW64\Fnpmhc32.dll Process not Found File created C:\Windows\SysWOW64\Delpclld.dll Mmfbogcn.exe File created C:\Windows\SysWOW64\Idnmhkin.dll Hmdmcanc.exe File created C:\Windows\SysWOW64\Kcginj32.exe Process not Found File created C:\Windows\SysWOW64\Igihbknb.exe Inqcif32.exe File created C:\Windows\SysWOW64\Bgmdailj.dll Process not Found File created C:\Windows\SysWOW64\Ogblbo32.exe Olmhdf32.exe File created C:\Windows\SysWOW64\Agfgqo32.exe Aaloddnn.exe File created C:\Windows\SysWOW64\Dbkngi32.dll Process not Found File created C:\Windows\SysWOW64\Alogkm32.dll Hellne32.exe File created C:\Windows\SysWOW64\Mlibjc32.exe Mmfbogcn.exe File created C:\Windows\SysWOW64\Fknjekca.dll Ocgbji32.exe File created C:\Windows\SysWOW64\Gqnfackh.dll Nmnclmoj.exe File created C:\Windows\SysWOW64\Kiebec32.dll Ocnfbo32.exe File opened for modification C:\Windows\SysWOW64\Lmbonmll.exe Lifbmn32.exe File opened for modification C:\Windows\SysWOW64\Mmgfqh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pkndaa32.exe Pgbhabjp.exe File created C:\Windows\SysWOW64\Fggkcl32.exe Process not Found File created C:\Windows\SysWOW64\Hdihmjpf.dll Ajhgmpfg.exe File created C:\Windows\SysWOW64\Ciopcmhp.dll Kqqboncb.exe File created C:\Windows\SysWOW64\Caaggpdh.exe Process not Found File created C:\Windows\SysWOW64\Dacpkc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hjcaha32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ijcngenj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kihqkagp.exe Jbnhng32.exe File created C:\Windows\SysWOW64\Aamfnkai.exe Aplifb32.exe File created C:\Windows\SysWOW64\Gckainog.dll Dhplhc32.exe File opened for modification C:\Windows\SysWOW64\Ijmipn32.exe Idcacc32.exe File created C:\Windows\SysWOW64\Pcdkif32.exe Pilfpqaa.exe File opened for modification C:\Windows\SysWOW64\Amohfo32.exe Ajqljc32.exe File created C:\Windows\SysWOW64\Enlidg32.exe Process not Found File created C:\Windows\SysWOW64\Adaiee32.exe Process not Found File created C:\Windows\SysWOW64\Qfclkmib.dll Elhnof32.exe File opened for modification C:\Windows\SysWOW64\Lifbmn32.exe Lfhfab32.exe File created C:\Windows\SysWOW64\Cncfcj32.dll Ihbqdh32.exe File created C:\Windows\SysWOW64\Nplfdj32.exe Nianhplq.exe File opened for modification C:\Windows\SysWOW64\Cmbalfem.exe Ckcepj32.exe File created C:\Windows\SysWOW64\Ioeclg32.exe Process not Found File created C:\Windows\SysWOW64\Hciofb32.dll Hejoiedd.exe File created C:\Windows\SysWOW64\Nlhqhm32.dll Gnpmfqap.exe File created C:\Windows\SysWOW64\Abbfnh32.dll Fkmqdpce.exe File created C:\Windows\SysWOW64\Jpjifjdg.exe Process not Found File created C:\Windows\SysWOW64\Mobafhlg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ghcoqh32.exe Gdgcpi32.exe File created C:\Windows\SysWOW64\Fcmmdp32.dll Gbqbaofc.exe File opened for modification C:\Windows\SysWOW64\Felajbpg.exe Process not Found File created C:\Windows\SysWOW64\Ohqngjgk.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gaojnq32.exe Process not Found File created C:\Windows\SysWOW64\Cehdmo32.dll Dkkbkp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8900 7624 Process not Found 1797 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogllpah.dll" Ljfogake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jolepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoajel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimagi32.dll" Iiecgjba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiohhgh.dll" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piekcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdobjm32.dll" Ghelfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjp32.dll" Lldlqakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdcpdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmhkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miqnbfnp.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heokmmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpijcjdl.dll" Jhdihkcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flqmbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hloiib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chcloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekcqmj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqcpob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llnaoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khlili32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lneaqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmfhil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doiddc32.dll" Ilabmedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhniklfm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaolidlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edlfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapfdgmi.dll" Hjdfjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcgdom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kafbec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbdnko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlhnifmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdmmfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objbcm32.dll" Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnpmfqap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpgajgeg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2724 2156 78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe 28 PID 2156 wrote to memory of 2724 2156 78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe 28 PID 2156 wrote to memory of 2724 2156 78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe 28 PID 2156 wrote to memory of 2724 2156 78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe 28 PID 2724 wrote to memory of 2672 2724 Hcifgjgc.exe 29 PID 2724 wrote to memory of 2672 2724 Hcifgjgc.exe 29 PID 2724 wrote to memory of 2672 2724 Hcifgjgc.exe 29 PID 2724 wrote to memory of 2672 2724 Hcifgjgc.exe 29 PID 2672 wrote to memory of 2708 2672 Hlakpp32.exe 30 PID 2672 wrote to memory of 2708 2672 Hlakpp32.exe 30 PID 2672 wrote to memory of 2708 2672 Hlakpp32.exe 30 PID 2672 wrote to memory of 2708 2672 Hlakpp32.exe 30 PID 2708 wrote to memory of 2812 2708 Hejoiedd.exe 31 PID 2708 wrote to memory of 2812 2708 Hejoiedd.exe 31 PID 2708 wrote to memory of 2812 2708 Hejoiedd.exe 31 PID 2708 wrote to memory of 2812 2708 Hejoiedd.exe 31 PID 2812 wrote to memory of 2312 2812 Hpocfncj.exe 32 PID 2812 wrote to memory of 2312 2812 Hpocfncj.exe 32 PID 2812 wrote to memory of 2312 2812 Hpocfncj.exe 32 PID 2812 wrote to memory of 2312 2812 Hpocfncj.exe 32 PID 2312 wrote to memory of 2936 2312 Hellne32.exe 33 PID 2312 wrote to memory of 2936 2312 Hellne32.exe 33 PID 2312 wrote to memory of 2936 2312 Hellne32.exe 33 PID 2312 wrote to memory of 2936 2312 Hellne32.exe 33 PID 2936 wrote to memory of 1508 2936 Hacmcfge.exe 34 PID 2936 wrote to memory of 1508 2936 Hacmcfge.exe 34 PID 2936 wrote to memory of 1508 2936 Hacmcfge.exe 34 PID 2936 wrote to memory of 1508 2936 Hacmcfge.exe 34 PID 1508 wrote to memory of 2704 1508 Hlhaqogk.exe 35 PID 1508 wrote to memory of 2704 1508 Hlhaqogk.exe 35 PID 1508 wrote to memory of 2704 1508 Hlhaqogk.exe 35 PID 1508 wrote to memory of 2704 1508 Hlhaqogk.exe 35 PID 2704 wrote to memory of 2272 2704 Idceea32.exe 36 PID 2704 wrote to memory of 2272 2704 Idceea32.exe 36 PID 2704 wrote to memory of 2272 2704 Idceea32.exe 36 PID 2704 wrote to memory of 2272 2704 Idceea32.exe 36 PID 2272 wrote to memory of 1568 2272 Ioijbj32.exe 37 PID 2272 wrote to memory of 1568 2272 Ioijbj32.exe 37 PID 2272 wrote to memory of 1568 2272 Ioijbj32.exe 37 PID 2272 wrote to memory of 1568 2272 Ioijbj32.exe 37 PID 1568 wrote to memory of 2276 1568 Idfbkq32.exe 38 PID 1568 wrote to memory of 2276 1568 Idfbkq32.exe 38 PID 1568 wrote to memory of 2276 1568 Idfbkq32.exe 38 PID 1568 wrote to memory of 2276 1568 Idfbkq32.exe 38 PID 2276 wrote to memory of 688 2276 Iokfhi32.exe 39 PID 2276 wrote to memory of 688 2276 Iokfhi32.exe 39 PID 2276 wrote to memory of 688 2276 Iokfhi32.exe 39 PID 2276 wrote to memory of 688 2276 Iokfhi32.exe 39 PID 688 wrote to memory of 1292 688 Ihdkao32.exe 40 PID 688 wrote to memory of 1292 688 Ihdkao32.exe 40 PID 688 wrote to memory of 1292 688 Ihdkao32.exe 40 PID 688 wrote to memory of 1292 688 Ihdkao32.exe 40 PID 1292 wrote to memory of 1168 1292 Inqcif32.exe 41 PID 1292 wrote to memory of 1168 1292 Inqcif32.exe 41 PID 1292 wrote to memory of 1168 1292 Inqcif32.exe 41 PID 1292 wrote to memory of 1168 1292 Inqcif32.exe 41 PID 1168 wrote to memory of 2796 1168 Igihbknb.exe 42 PID 1168 wrote to memory of 2796 1168 Igihbknb.exe 42 PID 1168 wrote to memory of 2796 1168 Igihbknb.exe 42 PID 1168 wrote to memory of 2796 1168 Igihbknb.exe 42 PID 2796 wrote to memory of 2368 2796 Incpoe32.exe 43 PID 2796 wrote to memory of 2368 2796 Incpoe32.exe 43 PID 2796 wrote to memory of 2368 2796 Incpoe32.exe 43 PID 2796 wrote to memory of 2368 2796 Incpoe32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\78d1eb1648d57216be26bbe8591c84d0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe33⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe36⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe37⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe38⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe39⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe41⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe42⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe43⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe44⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe45⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe46⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe47⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe48⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe51⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe52⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe53⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe54⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe55⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe56⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe57⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe58⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe59⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe60⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe61⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe62⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe63⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe64⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe65⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe66⤵PID:812
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe67⤵PID:1692
-
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe68⤵PID:1308
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe69⤵PID:2056
-
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe70⤵PID:1988
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe71⤵PID:1112
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe72⤵PID:2684
-
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe73⤵PID:3044
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe74⤵PID:2552
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe75⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe76⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe77⤵PID:2556
-
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe78⤵PID:1204
-
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe79⤵PID:2284
-
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe80⤵PID:2804
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe81⤵PID:3052
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe82⤵PID:2816
-
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe83⤵PID:3008
-
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe84⤵PID:448
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe85⤵PID:1656
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe86⤵PID:2756
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe87⤵PID:1460
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe88⤵PID:2632
-
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe89⤵PID:2460
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe90⤵PID:2692
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe91⤵PID:2584
-
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe92⤵PID:1892
-
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe93⤵PID:1596
-
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe94⤵PID:2364
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe95⤵PID:1680
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe96⤵PID:2336
-
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe97⤵PID:852
-
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe98⤵PID:1516
-
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe99⤵PID:2872
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe100⤵PID:2432
-
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe101⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe103⤵PID:2196
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe104⤵PID:2604
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe105⤵PID:2768
-
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe106⤵PID:1392
-
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe107⤵PID:2580
-
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe108⤵PID:2952
-
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe109⤵PID:1264
-
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe110⤵PID:2488
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe112⤵PID:2392
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe114⤵PID:1832
-
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:332 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe116⤵PID:1676
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe117⤵PID:1448
-
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe118⤵PID:1968
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe119⤵PID:2220
-
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe120⤵PID:916
-
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe121⤵
- Drops file in System32 directory
PID:2068
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-