Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 07:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe
-
Size
120KB
-
MD5
cb14769b56c297fe663607d35d2e8520
-
SHA1
5bd5a5e867fda721de20813a6552e52353dd8003
-
SHA256
40d60300204478f975055ea93664e94cd733cb5dc2738b4bfedf2dfd5acf0d74
-
SHA512
fce2a67810bca24ca8ca20d093514c529eb9385890a6a7520899b97bb5a5dc531fd69086a2464f6048b2cd70bffc9cb694f35c65f8783a523d1bd949395a9af2
-
SSDEEP
3072:qM8QMtGvnwTqYSOz5mlecPUKfDp3i/mjRrz3C:4tUw7SOz2e8Uwp3i/GC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lodlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlhnbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dliijipn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhkdeggl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpemgbqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcnfjli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabejlob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdlkld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdqafgnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikbgmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpfkdmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccahbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obigjnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijgdngmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmdho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjblg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgioaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obojhlbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meigpkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgcgmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Penfelgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlelaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbbkja32.exe -
Executes dropped EXE 64 IoCs
pid Process 2384 Jfhocmnk.exe 2140 Jancafna.exe 2708 Jfkkimlh.exe 2480 Jiigehkl.exe 2776 Kcolba32.exe 2648 Kfmhol32.exe 2644 Kikdkh32.exe 2392 Kpemgbqf.exe 944 Kfoedl32.exe 2420 Kinaqg32.exe 940 Kphimanc.exe 2688 Kfaajlfp.exe 1600 Kipnfged.exe 2188 Klnjbbdh.exe 2184 Kbhbom32.exe 688 Kegnkh32.exe 2452 Kjcgco32.exe 2252 Kbkodl32.exe 2368 Keikqhhe.exe 1028 Kdlkld32.exe 2080 Llccmb32.exe 2212 Loapim32.exe 564 Laplei32.exe 2064 Lhjdbcef.exe 2200 Lodlom32.exe 1612 Labhkh32.exe 3032 Lhlqhb32.exe 2568 Lkkmdn32.exe 2616 Lmiipi32.exe 2628 Lbfahp32.exe 2732 Lganiohl.exe 2748 Lipjejgp.exe 2540 Ldenbcge.exe 2992 Libgjj32.exe 2460 Llqcfe32.exe 1796 Mcjkcplm.exe 1980 Meigpkka.exe 2812 Midcpj32.exe 320 Mpolmdkg.exe 2100 Maphdl32.exe 1688 Mlelaeqk.exe 2296 Mkhmma32.exe 1012 Mabejlob.exe 1500 Mdqafgnf.exe 832 Mlgigdoh.exe 2356 Madapkmp.exe 1648 Mdcnlglc.exe 2340 Mgajhbkg.exe 1988 Mohbip32.exe 2956 Mpjoqhah.exe 2824 Mdejaf32.exe 2744 Mgcgmb32.exe 2620 Njbcim32.exe 2068 Naikkk32.exe 2724 Nplkfgoe.exe 2072 Ncjgbcoi.exe 2448 Nkaocp32.exe 1168 Nnplpl32.exe 1972 Npnhlg32.exe 1780 Ncmdhb32.exe 2916 Nghphaeo.exe 1484 Nnbhek32.exe 268 Nleiqhcg.exe 2240 Nocemcbj.exe -
Loads dropped DLL 64 IoCs
pid Process 2888 cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe 2888 cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe 2384 Jfhocmnk.exe 2384 Jfhocmnk.exe 2140 Jancafna.exe 2140 Jancafna.exe 2708 Jfkkimlh.exe 2708 Jfkkimlh.exe 2480 Jiigehkl.exe 2480 Jiigehkl.exe 2776 Kcolba32.exe 2776 Kcolba32.exe 2648 Kfmhol32.exe 2648 Kfmhol32.exe 2644 Kikdkh32.exe 2644 Kikdkh32.exe 2392 Kpemgbqf.exe 2392 Kpemgbqf.exe 944 Kfoedl32.exe 944 Kfoedl32.exe 2420 Kinaqg32.exe 2420 Kinaqg32.exe 940 Kphimanc.exe 940 Kphimanc.exe 2688 Kfaajlfp.exe 2688 Kfaajlfp.exe 1600 Kipnfged.exe 1600 Kipnfged.exe 2188 Klnjbbdh.exe 2188 Klnjbbdh.exe 2184 Kbhbom32.exe 2184 Kbhbom32.exe 688 Kegnkh32.exe 688 Kegnkh32.exe 2452 Kjcgco32.exe 2452 Kjcgco32.exe 2252 Kbkodl32.exe 2252 Kbkodl32.exe 2368 Keikqhhe.exe 2368 Keikqhhe.exe 1028 Kdlkld32.exe 1028 Kdlkld32.exe 2080 Llccmb32.exe 2080 Llccmb32.exe 2212 Loapim32.exe 2212 Loapim32.exe 564 Laplei32.exe 564 Laplei32.exe 2064 Lhjdbcef.exe 2064 Lhjdbcef.exe 2200 Lodlom32.exe 2200 Lodlom32.exe 1612 Labhkh32.exe 1612 Labhkh32.exe 3032 Lhlqhb32.exe 3032 Lhlqhb32.exe 2568 Lkkmdn32.exe 2568 Lkkmdn32.exe 2616 Lmiipi32.exe 2616 Lmiipi32.exe 2628 Lbfahp32.exe 2628 Lbfahp32.exe 2732 Lganiohl.exe 2732 Lganiohl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ildamhjd.dll Ncmdhb32.exe File opened for modification C:\Windows\SysWOW64\Onmkio32.exe Omloag32.exe File created C:\Windows\SysWOW64\Hpocfncj.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Illjbiak.dll Efaibbij.exe File created C:\Windows\SysWOW64\Naeqjnho.dll Dnlidb32.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Ddeaalpg.exe File created C:\Windows\SysWOW64\Epfhbign.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Dfkjnkib.dll Pggbla32.exe File opened for modification C:\Windows\SysWOW64\Knjbnh32.exe Kfbkmk32.exe File created C:\Windows\SysWOW64\Qmicohqm.exe Qjjgclai.exe File created C:\Windows\SysWOW64\Lodlom32.exe Lhjdbcef.exe File created C:\Windows\SysWOW64\Ligkin32.dll Bafidiio.exe File opened for modification C:\Windows\SysWOW64\Onjgiiad.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Adpkee32.exe File created C:\Windows\SysWOW64\Ldmndi32.dll Oiellh32.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Flmefm32.exe File opened for modification C:\Windows\SysWOW64\Anojbobe.exe Alpmfdcb.exe File created C:\Windows\SysWOW64\Ddgjdk32.exe Dfdjhndl.exe File created C:\Windows\SysWOW64\Ldenbcge.exe Lipjejgp.exe File created C:\Windows\SysWOW64\Igdogl32.exe Idfbkq32.exe File created C:\Windows\SysWOW64\Flojhn32.dll Ceodnl32.exe File created C:\Windows\SysWOW64\Aimkgn32.dll Gogangdc.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Ojfaijcc.exe File created C:\Windows\SysWOW64\Qmfgjh32.exe Pflomnkb.exe File created C:\Windows\SysWOW64\Onqamf32.dll Aefeijle.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Kcdnao32.exe File created C:\Windows\SysWOW64\Naajoinb.exe Nnennj32.exe File opened for modification C:\Windows\SysWOW64\Qfokbnip.exe Qcpofbjl.exe File created C:\Windows\SysWOW64\Igmdobgi.dll Bdeeqehb.exe File created C:\Windows\SysWOW64\Lkcmiimi.dll Dnilobkm.exe File created C:\Windows\SysWOW64\Cnmehnan.exe Ckoilb32.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Lpdbloof.exe Lhmjkaoc.exe File created C:\Windows\SysWOW64\Agjiphda.dll Bfenbpec.exe File created C:\Windows\SysWOW64\Obkdonic.exe Onphoo32.exe File created C:\Windows\SysWOW64\Fncann32.dll Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Ogeigofa.exe Ocimgp32.exe File created C:\Windows\SysWOW64\Objbcm32.dll Pbhmnkjf.exe File created C:\Windows\SysWOW64\Kbkodl32.exe Kjcgco32.exe File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe Gdopkn32.exe File opened for modification C:\Windows\SysWOW64\Ccahbp32.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Meigpkka.exe Mcjkcplm.exe File opened for modification C:\Windows\SysWOW64\Afmonbqk.exe Alhjai32.exe File opened for modification C:\Windows\SysWOW64\Qfahhm32.exe Qcbllb32.exe File created C:\Windows\SysWOW64\Lednakhd.dll Dkcofe32.exe File created C:\Windows\SysWOW64\Bbmfll32.dll Llnofpcg.exe File opened for modification C:\Windows\SysWOW64\Loapim32.exe Llccmb32.exe File created C:\Windows\SysWOW64\Bifgdk32.exe Bekkcljk.exe File created C:\Windows\SysWOW64\Oelmai32.exe Obnqem32.exe File created C:\Windows\SysWOW64\Cekkkkhe.dll Knjbnh32.exe File opened for modification C:\Windows\SysWOW64\Mhdplq32.exe Ldidkbpb.exe File created C:\Windows\SysWOW64\Jfiilbkl.dll Dolnad32.exe File created C:\Windows\SysWOW64\Mlmlecec.exe Mhbped32.exe File opened for modification C:\Windows\SysWOW64\Cfinoq32.exe Cckace32.exe File opened for modification C:\Windows\SysWOW64\Joifam32.exe Jqfffqpm.exe File created C:\Windows\SysWOW64\Konojnki.dll Kaklpcoc.exe File opened for modification C:\Windows\SysWOW64\Mimbdhhb.exe Mgnfhlin.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Dkmmhf32.exe File opened for modification C:\Windows\SysWOW64\Oghlgdgk.exe Oiellh32.exe File opened for modification C:\Windows\SysWOW64\Inqcif32.exe Ikbgmj32.exe File opened for modification C:\Windows\SysWOW64\Jjjacf32.exe Igkdgk32.exe File created C:\Windows\SysWOW64\Cohigamf.exe Clilkfnb.exe File created C:\Windows\SysWOW64\Gbolehjh.dll Ebedndfa.exe File created C:\Windows\SysWOW64\Abqjpn32.dll Jcgogk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6568 6492 WerFault.exe 673 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feljlnoc.dll" Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieepoa32.dll" Lodlom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmbbii.dll" Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmocpado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Eqdajkkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Paggai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmccf32.dll" Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooafm32.dll" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll" Dkqbaecc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmddnil.dll" Nialog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbaoqk32.dll" Idklfpon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmgnnib.dll" Mabejlob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfjhgfl.dll" Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcoccqf.dll" Okchhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpipp32.dll" Logbhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onjgiiad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghkllmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glamna32.dll" Obigjnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbkoipg.dll" Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfgmhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejodhmc.dll" Oonafa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laplei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqdgkecq.dll" Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Monhhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Labhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpenqj.dll" Llqcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgkoe32.dll" Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmhmpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldidkbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qedhdjnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jancafna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maphdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdhbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgaje32.dll" Nccjhafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfmal32.dll" Cpjiajeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeqdep32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2384 2888 cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe 28 PID 2888 wrote to memory of 2384 2888 cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe 28 PID 2888 wrote to memory of 2384 2888 cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe 28 PID 2888 wrote to memory of 2384 2888 cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe 28 PID 2384 wrote to memory of 2140 2384 Jfhocmnk.exe 29 PID 2384 wrote to memory of 2140 2384 Jfhocmnk.exe 29 PID 2384 wrote to memory of 2140 2384 Jfhocmnk.exe 29 PID 2384 wrote to memory of 2140 2384 Jfhocmnk.exe 29 PID 2140 wrote to memory of 2708 2140 Jancafna.exe 30 PID 2140 wrote to memory of 2708 2140 Jancafna.exe 30 PID 2140 wrote to memory of 2708 2140 Jancafna.exe 30 PID 2140 wrote to memory of 2708 2140 Jancafna.exe 30 PID 2708 wrote to memory of 2480 2708 Jfkkimlh.exe 31 PID 2708 wrote to memory of 2480 2708 Jfkkimlh.exe 31 PID 2708 wrote to memory of 2480 2708 Jfkkimlh.exe 31 PID 2708 wrote to memory of 2480 2708 Jfkkimlh.exe 31 PID 2480 wrote to memory of 2776 2480 Jiigehkl.exe 32 PID 2480 wrote to memory of 2776 2480 Jiigehkl.exe 32 PID 2480 wrote to memory of 2776 2480 Jiigehkl.exe 32 PID 2480 wrote to memory of 2776 2480 Jiigehkl.exe 32 PID 2776 wrote to memory of 2648 2776 Kcolba32.exe 33 PID 2776 wrote to memory of 2648 2776 Kcolba32.exe 33 PID 2776 wrote to memory of 2648 2776 Kcolba32.exe 33 PID 2776 wrote to memory of 2648 2776 Kcolba32.exe 33 PID 2648 wrote to memory of 2644 2648 Kfmhol32.exe 34 PID 2648 wrote to memory of 2644 2648 Kfmhol32.exe 34 PID 2648 wrote to memory of 2644 2648 Kfmhol32.exe 34 PID 2648 wrote to memory of 2644 2648 Kfmhol32.exe 34 PID 2644 wrote to memory of 2392 2644 Kikdkh32.exe 35 PID 2644 wrote to memory of 2392 2644 Kikdkh32.exe 35 PID 2644 wrote to memory of 2392 2644 Kikdkh32.exe 35 PID 2644 wrote to memory of 2392 2644 Kikdkh32.exe 35 PID 2392 wrote to memory of 944 2392 Kpemgbqf.exe 36 PID 2392 wrote to memory of 944 2392 Kpemgbqf.exe 36 PID 2392 wrote to memory of 944 2392 Kpemgbqf.exe 36 PID 2392 wrote to memory of 944 2392 Kpemgbqf.exe 36 PID 944 wrote to memory of 2420 944 Kfoedl32.exe 37 PID 944 wrote to memory of 2420 944 Kfoedl32.exe 37 PID 944 wrote to memory of 2420 944 Kfoedl32.exe 37 PID 944 wrote to memory of 2420 944 Kfoedl32.exe 37 PID 2420 wrote to memory of 940 2420 Kinaqg32.exe 38 PID 2420 wrote to memory of 940 2420 Kinaqg32.exe 38 PID 2420 wrote to memory of 940 2420 Kinaqg32.exe 38 PID 2420 wrote to memory of 940 2420 Kinaqg32.exe 38 PID 940 wrote to memory of 2688 940 Kphimanc.exe 39 PID 940 wrote to memory of 2688 940 Kphimanc.exe 39 PID 940 wrote to memory of 2688 940 Kphimanc.exe 39 PID 940 wrote to memory of 2688 940 Kphimanc.exe 39 PID 2688 wrote to memory of 1600 2688 Kfaajlfp.exe 40 PID 2688 wrote to memory of 1600 2688 Kfaajlfp.exe 40 PID 2688 wrote to memory of 1600 2688 Kfaajlfp.exe 40 PID 2688 wrote to memory of 1600 2688 Kfaajlfp.exe 40 PID 1600 wrote to memory of 2188 1600 Kipnfged.exe 41 PID 1600 wrote to memory of 2188 1600 Kipnfged.exe 41 PID 1600 wrote to memory of 2188 1600 Kipnfged.exe 41 PID 1600 wrote to memory of 2188 1600 Kipnfged.exe 41 PID 2188 wrote to memory of 2184 2188 Klnjbbdh.exe 42 PID 2188 wrote to memory of 2184 2188 Klnjbbdh.exe 42 PID 2188 wrote to memory of 2184 2188 Klnjbbdh.exe 42 PID 2188 wrote to memory of 2184 2188 Klnjbbdh.exe 42 PID 2184 wrote to memory of 688 2184 Kbhbom32.exe 43 PID 2184 wrote to memory of 688 2184 Kbhbom32.exe 43 PID 2184 wrote to memory of 688 2184 Kbhbom32.exe 43 PID 2184 wrote to memory of 688 2184 Kbhbom32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\cb14769b56c297fe663607d35d2e8520_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe34⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe35⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe39⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe40⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe43⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe46⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe47⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe48⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe49⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe50⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe51⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe52⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe55⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe56⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe57⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe58⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe59⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe60⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe62⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe63⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe64⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe65⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe66⤵PID:828
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe67⤵PID:1160
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe68⤵PID:2668
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe69⤵PID:1156
-
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe70⤵PID:2896
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe71⤵PID:1728
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe72⤵PID:2580
-
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe73⤵PID:2712
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe75⤵PID:1992
-
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe76⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe77⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe78⤵PID:2428
-
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe79⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2308 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe82⤵PID:1124
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe83⤵PID:1460
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe84⤵PID:1564
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe85⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe86⤵PID:2172
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe87⤵PID:2640
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe88⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe90⤵
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe91⤵PID:1320
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe92⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe93⤵PID:2244
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe94⤵PID:684
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe95⤵PID:1204
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1008 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe98⤵
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe99⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe100⤵PID:2820
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe101⤵PID:2624
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe102⤵PID:2832
-
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe103⤵PID:1928
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe104⤵PID:3056
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe105⤵PID:1668
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe106⤵
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe107⤵PID:1308
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe108⤵PID:1448
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe109⤵PID:444
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe110⤵PID:2972
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe111⤵PID:1544
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe112⤵PID:2560
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe113⤵PID:2844
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe114⤵PID:2492
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe115⤵PID:2920
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe116⤵PID:1060
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe117⤵PID:1632
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe118⤵PID:2128
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe119⤵PID:876
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe120⤵PID:308
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe121⤵PID:1092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-