Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17/06/2024, 02:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
37d63cfc323c2bd7ff2bbd299b596d80_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
37d63cfc323c2bd7ff2bbd299b596d80_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
37d63cfc323c2bd7ff2bbd299b596d80_NeikiAnalytics.exe
-
Size
243KB
-
MD5
37d63cfc323c2bd7ff2bbd299b596d80
-
SHA1
06ef075357e1fdbbc4000499983b7ea37fda2056
-
SHA256
99052cc14e97817ce00b9f4d2c6cf99d8a997b75d002e751663374ade51b2cfa
-
SHA512
0f1b2d59caccd6f93c2d8ce418da81e8f15251ff1969b65df4a06dd4fce56fcc69bbee164e09610e532317f08edf2332391c88b64606e7002d20c7ad6a1aaa29
-
SSDEEP
3072:cS0y8iqVwAxKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:cKVAxKzwdlU2zlNgwTnAWtlhjQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbnngbbn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobilkcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoqeibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdfjld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olckbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bihjfnmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgepom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amqhbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhfhong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nemcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahcajk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjdqmng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgalmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljcoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcphab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebimgcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joahqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdkidohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgelek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooqqdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bomkcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadleilm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjdpelnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfepf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcbfakec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpqkcpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggeboaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnnbqnjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oebflhaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcjhkdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgknhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiaoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Megljppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inlihl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcjpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlimed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohjlgefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aompak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peieba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghekkmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlbkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mebcop32.exe -
Executes dropped EXE 64 IoCs
pid Process 208 Gnkaalkd.exe 3688 Gddinf32.exe 4016 Gahjgj32.exe 1044 Gfdfgiid.exe 4912 Ggeboaob.exe 2180 Hdicienl.exe 3716 Hghoeqmp.exe 2188 Hnagak32.exe 5032 Hhgloc32.exe 2764 Hkehkocf.exe 2692 Hnddgjbj.exe 2172 Hocqam32.exe 3036 Hbbmmi32.exe 3216 Hdpiid32.exe 4784 Hkjafn32.exe 1824 Hfpecg32.exe 3764 Hhnbpb32.exe 4636 Hgabkoee.exe 3136 Inkjhi32.exe 3484 Idebdcdo.exe 3836 Ikokan32.exe 3228 Iickkbje.exe 4964 Ikaggmii.exe 1432 Iomcgl32.exe 4272 Ibkpcg32.exe 1168 Iiehpahb.exe 3980 Ikcdlmgf.exe 3552 Inbqhhfj.exe 3744 Ifihif32.exe 4464 Ikfabm32.exe 4840 Ibpiogmp.exe 496 Iijaka32.exe 4556 Jodjhkkj.exe 8 Jngjch32.exe 1856 Jgonlm32.exe 3952 Joffnk32.exe 5084 Jnifigpa.exe 1488 Jfpojead.exe 4888 Jiokfpph.exe 1852 Jkmgblok.exe 1864 Jfbkpd32.exe 64 Jiaglp32.exe 1348 Jgdhgmep.exe 1924 Jpkphjeb.exe 4620 Jnnpdg32.exe 4044 Jfehed32.exe 1080 Jehhaaci.exe 1288 Jgfdmlcm.exe 1588 Jkaqnk32.exe 4956 Jnpmjf32.exe 2992 Jblijebc.exe 3528 Jejefqaf.exe 1392 Jieagojp.exe 3132 Kldmckic.exe 1720 Kppici32.exe 2088 Kbnepe32.exe 3680 Kelalp32.exe 1184 Kgknhl32.exe 2888 Knefeffd.exe 1684 Kflnfcgg.exe 60 Khmknk32.exe 4948 Kimghn32.exe 3324 Khpgckkb.exe 1580 Kpgodhkd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aknifq32.exe Addaif32.exe File created C:\Windows\SysWOW64\Oaplqh32.exe Onapdl32.exe File created C:\Windows\SysWOW64\Dhhmleng.dll Ojhpimhp.exe File created C:\Windows\SysWOW64\Medqcmki.exe Mbedga32.exe File created C:\Windows\SysWOW64\Dfefkkqp.exe Ccgjopal.exe File opened for modification C:\Windows\SysWOW64\Najmjokc.exe Nnkpnclp.exe File created C:\Windows\SysWOW64\Oldamm32.exe Oifeab32.exe File created C:\Windows\SysWOW64\Injmcmej.exe Igpdfb32.exe File opened for modification C:\Windows\SysWOW64\Nghekkmn.exe Meiioonj.exe File created C:\Windows\SysWOW64\Hlgdjg32.dll Joahqn32.exe File created C:\Windows\SysWOW64\Efcknj32.dll Jgfdmlcm.exe File created C:\Windows\SysWOW64\Ciepangh.dll Lnqeqd32.exe File created C:\Windows\SysWOW64\Kohmng32.dll Oohnonij.exe File opened for modification C:\Windows\SysWOW64\Cnindhpg.exe Ckjbhmad.exe File created C:\Windows\SysWOW64\Emjgim32.exe Eecphp32.exe File created C:\Windows\SysWOW64\Mokknfec.dll Hbbmmi32.exe File created C:\Windows\SysWOW64\Lkabjbih.exe Licfngjd.exe File created C:\Windows\SysWOW64\Glgjlm32.exe Giinpa32.exe File opened for modification C:\Windows\SysWOW64\Oebflhaf.exe Ogpepl32.exe File created C:\Windows\SysWOW64\Lcjkqlam.dll Olgncmim.exe File created C:\Windows\SysWOW64\Jhidngmn.dll Eblpgjha.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dooaoj32.exe File created C:\Windows\SysWOW64\Mhjmpfcl.dll Dodjjimm.exe File created C:\Windows\SysWOW64\Jgfdmlcm.exe Jehhaaci.exe File created C:\Windows\SysWOW64\Ojobciba.dll Llbidimc.exe File opened for modification C:\Windows\SysWOW64\Nebmekoi.exe Ngomin32.exe File opened for modification C:\Windows\SysWOW64\Gbnoiqdq.exe Gppcmeem.exe File created C:\Windows\SysWOW64\Caageq32.exe Cocjiehd.exe File created C:\Windows\SysWOW64\Ccgjopal.exe Ckpbnb32.exe File opened for modification C:\Windows\SysWOW64\Dimenegi.exe Dbcmakpl.exe File created C:\Windows\SysWOW64\Gabmaqlh.dll Olfghg32.exe File created C:\Windows\SysWOW64\Gbbgpbmj.dll Fhofmq32.exe File created C:\Windows\SysWOW64\Lijlof32.exe Lbpdblmo.exe File opened for modification C:\Windows\SysWOW64\Cfqmpl32.exe Cbeapmll.exe File opened for modification C:\Windows\SysWOW64\Iknmla32.exe Igbalblk.exe File created C:\Windows\SysWOW64\Pqlhmf32.dll Hpqldc32.exe File created C:\Windows\SysWOW64\Gkoafbld.dll Lmaamn32.exe File opened for modification C:\Windows\SysWOW64\Aopemh32.exe Ahfmpnql.exe File created C:\Windows\SysWOW64\Egfapa32.dll Kppici32.exe File created C:\Windows\SysWOW64\Fcppfn32.dll Neppokal.exe File created C:\Windows\SysWOW64\Abbkcpma.exe Aodogdmn.exe File opened for modification C:\Windows\SysWOW64\Chnbbqpn.exe Cbdjeg32.exe File opened for modification C:\Windows\SysWOW64\Inkjhi32.exe Hgabkoee.exe File opened for modification C:\Windows\SysWOW64\Nojanpej.exe Nlleaeff.exe File created C:\Windows\SysWOW64\Mioodgbj.dll Amhfkopc.exe File opened for modification C:\Windows\SysWOW64\Mlbkap32.exe Micoed32.exe File created C:\Windows\SysWOW64\Kldbpfio.dll Ekaapi32.exe File created C:\Windows\SysWOW64\Jieqei32.dll Jpkphjeb.exe File opened for modification C:\Windows\SysWOW64\Jehhaaci.exe Jfehed32.exe File created C:\Windows\SysWOW64\Kmmmic32.dll Olgemcli.exe File created C:\Windows\SysWOW64\Dbcmakpl.exe Dcpmen32.exe File opened for modification C:\Windows\SysWOW64\Jcphab32.exe Jpaleglc.exe File created C:\Windows\SysWOW64\Jjoiil32.exe Jcdala32.exe File created C:\Windows\SysWOW64\Bhkmec32.exe Bemqih32.exe File created C:\Windows\SysWOW64\Mmjmhg32.dll Cfipef32.exe File created C:\Windows\SysWOW64\Cikjab32.dll Ohgoaehe.exe File created C:\Windows\SysWOW64\Ooagno32.exe Opogbbig.exe File opened for modification C:\Windows\SysWOW64\Cjecpkcg.exe Bbnkonbd.exe File created C:\Windows\SysWOW64\Jleijb32.exe Jmbhoeid.exe File created C:\Windows\SysWOW64\Chnlgjlb.exe Cacckp32.exe File created C:\Windows\SysWOW64\Apmhinni.dll Jcdala32.exe File opened for modification C:\Windows\SysWOW64\Mmpdhboj.exe Mnmdme32.exe File created C:\Windows\SysWOW64\Jiejjepo.dll Hlbcnd32.exe File created C:\Windows\SysWOW64\Oflpld32.dll Oifeab32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6520 6872 WerFault.exe 1083 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgknhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdamgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoobn32.dll" Ooejohhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll" Hoobdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oghppm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecphp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jebfng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfdfgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jknfcofa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbghfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oenlqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdndomn.dll" Meefofek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mglfplgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Megljppl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anclbkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqmbmdf.dll" Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbegml32.dll" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll" Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niipjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjaopom.dll" Gbabigfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmadco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nadleilm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdobpkmb.dll" Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll" Cpbjkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iadenp32.dll" Nolgijpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjijkmod.dll" Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkllcbh.dll" Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbfgkffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjiipk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nemcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohcia32.dll" Cpleig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kilpmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effkpc32.dll" Cfkmkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmbphg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cncnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oocddono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cppnfc32.dll" Gdmmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipckmjqi.dll" Djelgied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mminhceb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifihif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daediilg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nocedmfn.dll" Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqecq32.dll" Emhkdmlg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3612 wrote to memory of 208 3612 37d63cfc323c2bd7ff2bbd299b596d80_NeikiAnalytics.exe 82 PID 3612 wrote to memory of 208 3612 37d63cfc323c2bd7ff2bbd299b596d80_NeikiAnalytics.exe 82 PID 3612 wrote to memory of 208 3612 37d63cfc323c2bd7ff2bbd299b596d80_NeikiAnalytics.exe 82 PID 208 wrote to memory of 3688 208 Gnkaalkd.exe 83 PID 208 wrote to memory of 3688 208 Gnkaalkd.exe 83 PID 208 wrote to memory of 3688 208 Gnkaalkd.exe 83 PID 3688 wrote to memory of 4016 3688 Gddinf32.exe 84 PID 3688 wrote to memory of 4016 3688 Gddinf32.exe 84 PID 3688 wrote to memory of 4016 3688 Gddinf32.exe 84 PID 4016 wrote to memory of 1044 4016 Gahjgj32.exe 86 PID 4016 wrote to memory of 1044 4016 Gahjgj32.exe 86 PID 4016 wrote to memory of 1044 4016 Gahjgj32.exe 86 PID 1044 wrote to memory of 4912 1044 Gfdfgiid.exe 88 PID 1044 wrote to memory of 4912 1044 Gfdfgiid.exe 88 PID 1044 wrote to memory of 4912 1044 Gfdfgiid.exe 88 PID 4912 wrote to memory of 2180 4912 Ggeboaob.exe 90 PID 4912 wrote to memory of 2180 4912 Ggeboaob.exe 90 PID 4912 wrote to memory of 2180 4912 Ggeboaob.exe 90 PID 2180 wrote to memory of 3716 2180 Hdicienl.exe 91 PID 2180 wrote to memory of 3716 2180 Hdicienl.exe 91 PID 2180 wrote to memory of 3716 2180 Hdicienl.exe 91 PID 3716 wrote to memory of 2188 3716 Hghoeqmp.exe 92 PID 3716 wrote to memory of 2188 3716 Hghoeqmp.exe 92 PID 3716 wrote to memory of 2188 3716 Hghoeqmp.exe 92 PID 2188 wrote to memory of 5032 2188 Hnagak32.exe 93 PID 2188 wrote to memory of 5032 2188 Hnagak32.exe 93 PID 2188 wrote to memory of 5032 2188 Hnagak32.exe 93 PID 5032 wrote to memory of 2764 5032 Hhgloc32.exe 94 PID 5032 wrote to memory of 2764 5032 Hhgloc32.exe 94 PID 5032 wrote to memory of 2764 5032 Hhgloc32.exe 94 PID 2764 wrote to memory of 2692 2764 Hkehkocf.exe 95 PID 2764 wrote to memory of 2692 2764 Hkehkocf.exe 95 PID 2764 wrote to memory of 2692 2764 Hkehkocf.exe 95 PID 2692 wrote to memory of 2172 2692 Hnddgjbj.exe 96 PID 2692 wrote to memory of 2172 2692 Hnddgjbj.exe 96 PID 2692 wrote to memory of 2172 2692 Hnddgjbj.exe 96 PID 2172 wrote to memory of 3036 2172 Hocqam32.exe 97 PID 2172 wrote to memory of 3036 2172 Hocqam32.exe 97 PID 2172 wrote to memory of 3036 2172 Hocqam32.exe 97 PID 3036 wrote to memory of 3216 3036 Hbbmmi32.exe 98 PID 3036 wrote to memory of 3216 3036 Hbbmmi32.exe 98 PID 3036 wrote to memory of 3216 3036 Hbbmmi32.exe 98 PID 3216 wrote to memory of 4784 3216 Hdpiid32.exe 99 PID 3216 wrote to memory of 4784 3216 Hdpiid32.exe 99 PID 3216 wrote to memory of 4784 3216 Hdpiid32.exe 99 PID 4784 wrote to memory of 1824 4784 Hkjafn32.exe 100 PID 4784 wrote to memory of 1824 4784 Hkjafn32.exe 100 PID 4784 wrote to memory of 1824 4784 Hkjafn32.exe 100 PID 1824 wrote to memory of 3764 1824 Hfpecg32.exe 101 PID 1824 wrote to memory of 3764 1824 Hfpecg32.exe 101 PID 1824 wrote to memory of 3764 1824 Hfpecg32.exe 101 PID 3764 wrote to memory of 4636 3764 Hhnbpb32.exe 102 PID 3764 wrote to memory of 4636 3764 Hhnbpb32.exe 102 PID 3764 wrote to memory of 4636 3764 Hhnbpb32.exe 102 PID 4636 wrote to memory of 3136 4636 Hgabkoee.exe 103 PID 4636 wrote to memory of 3136 4636 Hgabkoee.exe 103 PID 4636 wrote to memory of 3136 4636 Hgabkoee.exe 103 PID 3136 wrote to memory of 3484 3136 Inkjhi32.exe 104 PID 3136 wrote to memory of 3484 3136 Inkjhi32.exe 104 PID 3136 wrote to memory of 3484 3136 Inkjhi32.exe 104 PID 3484 wrote to memory of 3836 3484 Idebdcdo.exe 105 PID 3484 wrote to memory of 3836 3484 Idebdcdo.exe 105 PID 3484 wrote to memory of 3836 3484 Idebdcdo.exe 105 PID 3836 wrote to memory of 3228 3836 Ikokan32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\37d63cfc323c2bd7ff2bbd299b596d80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\37d63cfc323c2bd7ff2bbd299b596d80_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe23⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe24⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe25⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe26⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe27⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe28⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe29⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3744 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe31⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe32⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe33⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe34⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe35⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe36⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe37⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe38⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe39⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe40⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe41⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe42⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe43⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe44⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe46⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4044 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe50⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe51⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe52⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe53⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe54⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe55⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe57⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe58⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe60⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Kflnfcgg.exeC:\Windows\system32\Kflnfcgg.exe61⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe62⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe64⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe65⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe66⤵PID:4936
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe67⤵PID:2636
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe68⤵PID:3692
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe69⤵PID:4884
-
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe70⤵PID:3976
-
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe71⤵PID:3120
-
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe72⤵
- Modifies registry class
PID:4872 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe73⤵PID:4056
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe74⤵PID:4360
-
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe75⤵PID:4704
-
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe76⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe77⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe78⤵PID:868
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe79⤵PID:3588
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe80⤵PID:316
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe81⤵PID:4160
-
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe82⤵PID:4708
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4488 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe84⤵PID:880
-
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe85⤵PID:5052
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe86⤵PID:3988
-
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe87⤵PID:4916
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe88⤵PID:3576
-
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe89⤵PID:2996
-
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe90⤵PID:2588
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe91⤵PID:840
-
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe92⤵PID:4572
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe93⤵PID:4184
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe94⤵
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe95⤵PID:4980
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe96⤵PID:1116
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe97⤵PID:396
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe98⤵PID:4852
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe99⤵PID:3224
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe100⤵PID:2212
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe101⤵PID:3092
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe102⤵PID:5132
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe103⤵PID:5168
-
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe104⤵PID:5216
-
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe105⤵PID:5256
-
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe106⤵PID:5300
-
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe108⤵PID:5388
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe109⤵PID:5432
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe110⤵PID:5476
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe111⤵PID:5512
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe112⤵PID:5568
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5608 -
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe114⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe115⤵PID:5684
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe116⤵PID:5732
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe117⤵PID:5772
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe118⤵PID:5816
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe119⤵
- Drops file in System32 directory
PID:5856 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe120⤵
- Modifies registry class
PID:5892 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe121⤵PID:5940
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-