Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
25/05/2024, 14:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe
-
Size
81KB
-
MD5
f99f7e14800a89ed72f7695160a6b190
-
SHA1
b8d5ce068a24153bacf027d228cc10684210f23f
-
SHA256
4d3619631021bd603f78d8c596e6b370efadf40c48550714e59f2bc0793e50f4
-
SHA512
d825f468103565e3286bcc04d08a2105ae99f54934f758616902d85be7016276713dd098a0181e5c3f781ad947841eb0dfedb55ca3545809cb82514c2bcbc4bc
-
SSDEEP
1536:BXyJamar9ELz4rVEsLLERJuL/Dzo7yMB7m4LO++/+1m6KadhYxU33HX0L:wJamar9xVbL/DzoOMB/LrCimBaH8UH3M
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kafbec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgfckcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmdoioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bemgilhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokcgmee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfhlin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocemcbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmicohqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmicohqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceodnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkcojga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joifam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnennj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkeelohh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koocdnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcadac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihankokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhnjle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciifc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lckdanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogclp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aefeijle.exe -
Executes dropped EXE 64 IoCs
pid Process 1668 Khcnad32.exe 668 Komfnnck.exe 2784 Kibjkgca.exe 2908 Klqfhbbe.exe 2892 Koocdnai.exe 2624 Kanopipl.exe 2484 Kdlkld32.exe 2060 Lhggmchi.exe 2876 Lkfciogm.exe 1624 Lmdpejfq.exe 2512 Laplei32.exe 2772 Ldnhad32.exe 3008 Lhjdbcef.exe 1776 Lkhpnnej.exe 1244 Lmgmjjdn.exe 2064 Labhkh32.exe 764 Lpeifeca.exe 588 Lhlqhb32.exe 1556 Lkkmdn32.exe 2260 Lkkmdn32.exe 448 Limmokib.exe 2680 Lmiipi32.exe 404 Lpgele32.exe 984 Ldcamcih.exe 1784 Lkmjin32.exe 2888 Lipjejgp.exe 2172 Ldenbcge.exe 2164 Lgdjnofi.exe 2664 Libgjj32.exe 2648 Lmnbkinf.exe 2492 Llqcfe32.exe 2464 Mgfgdn32.exe 1616 Mgfgdn32.exe 2700 Midcpj32.exe 2524 Mlcple32.exe 1972 Moalhq32.exe 2404 Mcmhiojk.exe 1952 Mekdekin.exe 1444 Mlelaeqk.exe 1124 Mkhmma32.exe 2040 Mabejlob.exe 1532 Menakj32.exe 992 Mhlmgf32.exe 2420 Mlgigdoh.exe 1048 Madapkmp.exe 1892 Mhnjle32.exe 380 Mgajhbkg.exe 1680 Mohbip32.exe 2944 Magnek32.exe 1188 Mpjoqhah.exe 756 Mhqfbebj.exe 2592 Mgcgmb32.exe 2668 Njbcim32.exe 2296 Nnnojlpa.exe 2696 Nplkfgoe.exe 2556 Ndgggf32.exe 2292 Ncjgbcoi.exe 3004 Ngfcca32.exe 2840 Nkaocp32.exe 2984 Nnplpl32.exe 2808 Npnhlg32.exe 1976 Ndjdlffl.exe 2780 Nfkpdn32.exe 1296 Nnbhek32.exe -
Loads dropped DLL 64 IoCs
pid Process 2408 f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe 2408 f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe 1668 Khcnad32.exe 1668 Khcnad32.exe 668 Komfnnck.exe 668 Komfnnck.exe 2784 Kibjkgca.exe 2784 Kibjkgca.exe 2908 Klqfhbbe.exe 2908 Klqfhbbe.exe 2892 Koocdnai.exe 2892 Koocdnai.exe 2624 Kanopipl.exe 2624 Kanopipl.exe 2484 Kdlkld32.exe 2484 Kdlkld32.exe 2060 Lhggmchi.exe 2060 Lhggmchi.exe 2876 Lkfciogm.exe 2876 Lkfciogm.exe 1624 Lmdpejfq.exe 1624 Lmdpejfq.exe 2512 Laplei32.exe 2512 Laplei32.exe 2772 Ldnhad32.exe 2772 Ldnhad32.exe 3008 Lhjdbcef.exe 3008 Lhjdbcef.exe 1776 Lkhpnnej.exe 1776 Lkhpnnej.exe 1244 Lmgmjjdn.exe 1244 Lmgmjjdn.exe 2064 Labhkh32.exe 2064 Labhkh32.exe 764 Lpeifeca.exe 764 Lpeifeca.exe 588 Lhlqhb32.exe 588 Lhlqhb32.exe 1556 Lkkmdn32.exe 1556 Lkkmdn32.exe 2260 Lkkmdn32.exe 2260 Lkkmdn32.exe 448 Limmokib.exe 448 Limmokib.exe 2680 Lmiipi32.exe 2680 Lmiipi32.exe 404 Lpgele32.exe 404 Lpgele32.exe 984 Ldcamcih.exe 984 Ldcamcih.exe 1784 Lkmjin32.exe 1784 Lkmjin32.exe 1600 Llnfaffc.exe 1600 Llnfaffc.exe 2172 Ldenbcge.exe 2172 Ldenbcge.exe 2164 Lgdjnofi.exe 2164 Lgdjnofi.exe 2664 Libgjj32.exe 2664 Libgjj32.exe 2648 Lmnbkinf.exe 2648 Lmnbkinf.exe 2492 Llqcfe32.exe 2492 Llqcfe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qaefjm32.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Qecoqk32.exe Qmlgonbe.exe File created C:\Windows\SysWOW64\Dejpca32.dll Icmlam32.exe File created C:\Windows\SysWOW64\Kaklpcoc.exe Kmopod32.exe File created C:\Windows\SysWOW64\Heldepab.dll Obojhlbq.exe File created C:\Windows\SysWOW64\Ojieip32.exe Ogjimd32.exe File opened for modification C:\Windows\SysWOW64\Epieghdk.exe Egamfkdh.exe File opened for modification C:\Windows\SysWOW64\Febhomkh.dll Gmgdddmq.exe File created C:\Windows\SysWOW64\Gcaciakh.dll Gmjaic32.exe File created C:\Windows\SysWOW64\Lnpbep32.dll Jjlnif32.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe Pggbla32.exe File created C:\Windows\SysWOW64\Glpjaf32.dll Ekholjqg.exe File created C:\Windows\SysWOW64\Dogefd32.exe Dpeekh32.exe File created C:\Windows\SysWOW64\Hojopmqk.dll Hjhhocjj.exe File opened for modification C:\Windows\SysWOW64\Nplkfgoe.exe Nnnojlpa.exe File created C:\Windows\SysWOW64\Lefmambf.dll Dqjepm32.exe File created C:\Windows\SysWOW64\Hiqbndpb.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Jqfffqpm.exe Jiondcpk.exe File created C:\Windows\SysWOW64\Lihmjejl.exe Lfjqnjkh.exe File created C:\Windows\SysWOW64\Ajdadamj.exe Abmibdlh.exe File created C:\Windows\SysWOW64\Fonfbi32.dll Ngfcca32.exe File opened for modification C:\Windows\SysWOW64\Omgaek32.exe Ondajnme.exe File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File opened for modification C:\Windows\SysWOW64\Hogmmjfo.exe Hkkalk32.exe File opened for modification C:\Windows\SysWOW64\Kmopod32.exe Kjqccigf.exe File opened for modification C:\Windows\SysWOW64\Pfjbgnme.exe Pggbla32.exe File opened for modification C:\Windows\SysWOW64\Mhnjle32.exe Madapkmp.exe File created C:\Windows\SysWOW64\Lkcmiimi.dll Djnpnc32.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Pmanoifd.exe File created C:\Windows\SysWOW64\Acmmle32.dll Aibajhdn.exe File created C:\Windows\SysWOW64\Lhcecp32.dll Apomfh32.exe File opened for modification C:\Windows\SysWOW64\Hggomh32.exe Hdhbam32.exe File opened for modification C:\Windows\SysWOW64\Aibajhdn.exe Aefeijle.exe File opened for modification C:\Windows\SysWOW64\Blipbfpp.dll Lkkmdn32.exe File opened for modification C:\Windows\SysWOW64\Kjjmbj32.exe Kgkafo32.exe File created C:\Windows\SysWOW64\Abqjpn32.dll Jokcgmee.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Ojfaijcc.exe File created C:\Windows\SysWOW64\Gmibbifn.dll Hogmmjfo.exe File created C:\Windows\SysWOW64\Dmafennb.exe Dnneja32.exe File created C:\Windows\SysWOW64\Hicodd32.exe Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Icpigm32.exe Iqalka32.exe File created C:\Windows\SysWOW64\Dfmdho32.exe Dgjclbdi.exe File created C:\Windows\SysWOW64\Pmdgmd32.dll Eqdajkkb.exe File created C:\Windows\SysWOW64\Ocomlemo.exe Oelmai32.exe File created C:\Windows\SysWOW64\Njqaac32.dll Ebpkce32.exe File opened for modification C:\Windows\SysWOW64\Gonnhhln.exe Gpknlk32.exe File created C:\Windows\SysWOW64\Ligkin32.dll Bpiipf32.exe File created C:\Windows\SysWOW64\Gkkgcp32.dll Bdlblj32.exe File created C:\Windows\SysWOW64\Pinfim32.dll Ejbfhfaj.exe File created C:\Windows\SysWOW64\Ccdcec32.dll Dbpodagk.exe File created C:\Windows\SysWOW64\Bhpdae32.dll Hdhbam32.exe File created C:\Windows\SysWOW64\Lckdanld.exe Lldlqakb.exe File created C:\Windows\SysWOW64\Bidjnkdg.exe Behnnm32.exe File created C:\Windows\SysWOW64\Cinika32.dll Qecoqk32.exe File created C:\Windows\SysWOW64\Mijfnh32.exe Mkgfckcj.exe File opened for modification C:\Windows\SysWOW64\Pccfge32.exe Pminkk32.exe File created C:\Windows\SysWOW64\Jddnncch.dll Miooigfo.exe File opened for modification C:\Windows\SysWOW64\Dfmdho32.exe Dgjclbdi.exe File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe Dgdmmgpj.exe File opened for modification C:\Windows\SysWOW64\Lkkmdn32.exe Lhlqhb32.exe File created C:\Windows\SysWOW64\Libgjj32.exe Lgdjnofi.exe File created C:\Windows\SysWOW64\Hhmepp32.exe Henidd32.exe File created C:\Windows\SysWOW64\Goedqe32.dll Leajdfnm.exe File opened for modification C:\Windows\SysWOW64\Lefdpe32.exe Lmolnh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6364 6972 WerFault.exe 709 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apajlhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddpkh32.dll" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccedfd32.dll" Ndgggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obnqem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmlgonbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiomkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhqfbebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmfll32.dll" Llnofpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceodnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmdoioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhnjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpkofpgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Logbhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojolhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkljlhn.dll" Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghoegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aekodi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgdjnofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhkga32.dll" Pbhmnkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlafm32.dll" Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmgmjjdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldenbcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplpldoa.dll" Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll" Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgcfijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" Bingpmnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmmcjehm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldcamcih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecejkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefeijle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddgjdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfecjakk.dll" Lkmjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhkqaj.dll" Bhfagipa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2408 wrote to memory of 1668 2408 f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe 28 PID 2408 wrote to memory of 1668 2408 f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe 28 PID 2408 wrote to memory of 1668 2408 f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe 28 PID 2408 wrote to memory of 1668 2408 f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe 28 PID 1668 wrote to memory of 668 1668 Khcnad32.exe 29 PID 1668 wrote to memory of 668 1668 Khcnad32.exe 29 PID 1668 wrote to memory of 668 1668 Khcnad32.exe 29 PID 1668 wrote to memory of 668 1668 Khcnad32.exe 29 PID 668 wrote to memory of 2784 668 Komfnnck.exe 30 PID 668 wrote to memory of 2784 668 Komfnnck.exe 30 PID 668 wrote to memory of 2784 668 Komfnnck.exe 30 PID 668 wrote to memory of 2784 668 Komfnnck.exe 30 PID 2784 wrote to memory of 2908 2784 Kibjkgca.exe 31 PID 2784 wrote to memory of 2908 2784 Kibjkgca.exe 31 PID 2784 wrote to memory of 2908 2784 Kibjkgca.exe 31 PID 2784 wrote to memory of 2908 2784 Kibjkgca.exe 31 PID 2908 wrote to memory of 2892 2908 Klqfhbbe.exe 32 PID 2908 wrote to memory of 2892 2908 Klqfhbbe.exe 32 PID 2908 wrote to memory of 2892 2908 Klqfhbbe.exe 32 PID 2908 wrote to memory of 2892 2908 Klqfhbbe.exe 32 PID 2892 wrote to memory of 2624 2892 Koocdnai.exe 33 PID 2892 wrote to memory of 2624 2892 Koocdnai.exe 33 PID 2892 wrote to memory of 2624 2892 Koocdnai.exe 33 PID 2892 wrote to memory of 2624 2892 Koocdnai.exe 33 PID 2624 wrote to memory of 2484 2624 Kanopipl.exe 34 PID 2624 wrote to memory of 2484 2624 Kanopipl.exe 34 PID 2624 wrote to memory of 2484 2624 Kanopipl.exe 34 PID 2624 wrote to memory of 2484 2624 Kanopipl.exe 34 PID 2484 wrote to memory of 2060 2484 Kdlkld32.exe 35 PID 2484 wrote to memory of 2060 2484 Kdlkld32.exe 35 PID 2484 wrote to memory of 2060 2484 Kdlkld32.exe 35 PID 2484 wrote to memory of 2060 2484 Kdlkld32.exe 35 PID 2060 wrote to memory of 2876 2060 Lhggmchi.exe 36 PID 2060 wrote to memory of 2876 2060 Lhggmchi.exe 36 PID 2060 wrote to memory of 2876 2060 Lhggmchi.exe 36 PID 2060 wrote to memory of 2876 2060 Lhggmchi.exe 36 PID 2876 wrote to memory of 1624 2876 Lkfciogm.exe 37 PID 2876 wrote to memory of 1624 2876 Lkfciogm.exe 37 PID 2876 wrote to memory of 1624 2876 Lkfciogm.exe 37 PID 2876 wrote to memory of 1624 2876 Lkfciogm.exe 37 PID 1624 wrote to memory of 2512 1624 Lmdpejfq.exe 38 PID 1624 wrote to memory of 2512 1624 Lmdpejfq.exe 38 PID 1624 wrote to memory of 2512 1624 Lmdpejfq.exe 38 PID 1624 wrote to memory of 2512 1624 Lmdpejfq.exe 38 PID 2512 wrote to memory of 2772 2512 Laplei32.exe 39 PID 2512 wrote to memory of 2772 2512 Laplei32.exe 39 PID 2512 wrote to memory of 2772 2512 Laplei32.exe 39 PID 2512 wrote to memory of 2772 2512 Laplei32.exe 39 PID 2772 wrote to memory of 3008 2772 Ldnhad32.exe 40 PID 2772 wrote to memory of 3008 2772 Ldnhad32.exe 40 PID 2772 wrote to memory of 3008 2772 Ldnhad32.exe 40 PID 2772 wrote to memory of 3008 2772 Ldnhad32.exe 40 PID 3008 wrote to memory of 1776 3008 Lhjdbcef.exe 41 PID 3008 wrote to memory of 1776 3008 Lhjdbcef.exe 41 PID 3008 wrote to memory of 1776 3008 Lhjdbcef.exe 41 PID 3008 wrote to memory of 1776 3008 Lhjdbcef.exe 41 PID 1776 wrote to memory of 1244 1776 Lkhpnnej.exe 42 PID 1776 wrote to memory of 1244 1776 Lkhpnnej.exe 42 PID 1776 wrote to memory of 1244 1776 Lkhpnnej.exe 42 PID 1776 wrote to memory of 1244 1776 Lkhpnnej.exe 42 PID 1244 wrote to memory of 2064 1244 Lmgmjjdn.exe 43 PID 1244 wrote to memory of 2064 1244 Lmgmjjdn.exe 43 PID 1244 wrote to memory of 2064 1244 Lmgmjjdn.exe 43 PID 1244 wrote to memory of 2064 1244 Lmgmjjdn.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\f99f7e14800a89ed72f7695160a6b190_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:588 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:404 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:984 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe27⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe28⤵
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe34⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe35⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe36⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe37⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe38⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe39⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe41⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe42⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe43⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe44⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe45⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe46⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe49⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe50⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe51⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe52⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe54⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe55⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe57⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe59⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe61⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe62⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe63⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe64⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe65⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe66⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe67⤵PID:768
-
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe69⤵PID:2324
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe70⤵PID:332
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe71⤵PID:1692
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe72⤵PID:2956
-
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe73⤵PID:2660
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe74⤵PID:2560
-
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe75⤵PID:2572
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe76⤵PID:2528
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe77⤵PID:1548
-
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe78⤵PID:1568
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe79⤵PID:1220
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe80⤵PID:784
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe81⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe82⤵PID:1288
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe83⤵PID:1480
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe84⤵PID:2328
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe85⤵PID:2312
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe86⤵PID:1604
-
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe87⤵PID:2336
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe88⤵PID:1956
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe89⤵PID:2596
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe90⤵PID:2564
-
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe91⤵PID:2844
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe92⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe94⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe95⤵PID:2752
-
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe96⤵
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe97⤵PID:1204
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe98⤵
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe99⤵PID:1704
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe100⤵PID:1880
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe101⤵PID:2604
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe102⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe103⤵PID:320
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe104⤵PID:2044
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe105⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe106⤵PID:2744
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe107⤵PID:324
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe108⤵PID:812
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe109⤵PID:1092
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe110⤵PID:620
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:944 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe112⤵PID:2012
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe113⤵PID:2100
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe114⤵PID:2504
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe115⤵PID:3040
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe116⤵PID:2108
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe118⤵PID:2224
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe119⤵PID:1068
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe120⤵PID:2140
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe121⤵PID:2912
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-