Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
24/06/2024, 07:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe
-
Size
104KB
-
MD5
0c7a971da24008eda40949925c5a9840
-
SHA1
f01b4448b7d63f97c409c43c73d494ea08916ec7
-
SHA256
54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6
-
SHA512
f300ab1705100533f12c0d0794c075f79824a2df89cf5d32f27d7f5288b8742de9b6c427ab1fef4f3962472396e9b1ffe83b7bc59bfb92e6e7fcbede9ee077a6
-
SSDEEP
3072:OfkHV/tBJBqSspO+a6/ore59x7cEGrhkngpDvchkqbAIQS:OfWtsXpx59x4brq2Ahn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocegdjij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbddcoei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baaplhef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkalchij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfoafi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmagine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hadkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbeidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmncnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkoeppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Neeqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aabmqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinlemia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qloebdig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifmcdblq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcqjfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnpemb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjlcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmannhhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajanck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfachc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lknjmkdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pggbkagp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlijfneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Camphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iiaephpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmlpoqpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njciko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjeoglgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deagdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgbdlf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbako32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdqgmmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgfqmfde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfdcjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agoabn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcnhmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogljjiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chbnia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fomhdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjddphlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmkdlkph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibeql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laalifad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajkhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mchhggno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hccglh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odednmpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfdie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Conclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlcifmbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miifeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opdghh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdhhdlid.exe -
Executes dropped EXE 64 IoCs
pid Process 1576 Hpbaqj32.exe 1492 Hbanme32.exe 4588 Hfljmdjc.exe 3968 Hmfbjnbp.exe 3928 Hcqjfh32.exe 2140 Hjjbcbqj.exe 1280 Hadkpm32.exe 3540 Hccglh32.exe 592 Hfachc32.exe 2840 Hmklen32.exe 2576 Hpihai32.exe 4368 Hfcpncdk.exe 1760 Hibljoco.exe 1472 Ipldfi32.exe 4536 Ibjqcd32.exe 4376 Ijaida32.exe 4524 Impepm32.exe 1096 Ipnalhii.exe 3508 Ibmmhdhm.exe 4036 Imbaemhc.exe 3732 Icljbg32.exe 4828 Ifjfnb32.exe 1484 Iapjlk32.exe 4888 Ibagcc32.exe 4688 Ifmcdblq.exe 3728 Imgkql32.exe 4848 Idacmfkj.exe 1268 Ifopiajn.exe 2592 Iinlemia.exe 840 Jaedgjjd.exe 4476 Jbfpobpb.exe 4572 Jjmhppqd.exe 2412 Jmkdlkph.exe 4920 Jpjqhgol.exe 64 Jbhmdbnp.exe 2632 Jjpeepnb.exe 2968 Jibeql32.exe 2160 Jaimbj32.exe 5008 Jbkjjblm.exe 3624 Jjbako32.exe 4408 Jmpngk32.exe 1156 Jpojcf32.exe 2316 Jbmfoa32.exe 4992 Jkdnpo32.exe 4776 Jpaghf32.exe 1524 Jfkoeppq.exe 4540 Jiikak32.exe 1796 Kmegbjgn.exe 836 Kpccnefa.exe 4940 Kgmlkp32.exe 4120 Kilhgk32.exe 4864 Kmgdgjek.exe 5092 Kdaldd32.exe 348 Kbdmpqcb.exe 1012 Kkkdan32.exe 1336 Kmjqmi32.exe 1504 Kphmie32.exe 2148 Kbfiep32.exe 2464 Kknafn32.exe 3252 Kagichjo.exe 2580 Kdffocib.exe 2080 Kgdbkohf.exe 4732 Kibnhjgj.exe 4076 Kpmfddnf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hkmefd32.exe Hioiji32.exe File created C:\Windows\SysWOW64\Kfjhkjle.exe Jcllonma.exe File created C:\Windows\SysWOW64\Ickfifmb.dll Agglboim.exe File created C:\Windows\SysWOW64\Fqjamcpe.dll Cjinkg32.exe File opened for modification C:\Windows\SysWOW64\Nqfbaq32.exe Nnhfee32.exe File created C:\Windows\SysWOW64\Aneonqmj.dll Bhfonc32.exe File created C:\Windows\SysWOW64\Cafigg32.exe Cklaknjd.exe File opened for modification C:\Windows\SysWOW64\Cdfbibnb.exe Cahfmgoo.exe File created C:\Windows\SysWOW64\Ghilmi32.dll Cdfkolkf.exe File opened for modification C:\Windows\SysWOW64\Daqbip32.exe Dmefhako.exe File created C:\Windows\SysWOW64\Fbkmec32.dll Jmpngk32.exe File created C:\Windows\SysWOW64\Peqcjkfp.exe Pbbgnpgl.exe File created C:\Windows\SysWOW64\Ochpdn32.dll Pnfdcjkg.exe File opened for modification C:\Windows\SysWOW64\Acqimo32.exe Aabmqd32.exe File created C:\Windows\SysWOW64\Dakipgan.dll Kfckahdj.exe File created C:\Windows\SysWOW64\Kboeke32.dll Adgbpc32.exe File created C:\Windows\SysWOW64\Hibljoco.exe Hfcpncdk.exe File opened for modification C:\Windows\SysWOW64\Jfkoeppq.exe Jpaghf32.exe File created C:\Windows\SysWOW64\Mgpjhl32.dll Beeflhdh.exe File created C:\Windows\SysWOW64\Jcioiood.exe Jpnchp32.exe File created C:\Windows\SysWOW64\Fcfhof32.exe Fllpbldb.exe File created C:\Windows\SysWOW64\Hfgefhai.dll Hmcojh32.exe File created C:\Windows\SysWOW64\Klljnp32.exe Kmijbcpl.exe File created C:\Windows\SysWOW64\Paihpaak.dll Fomhdg32.exe File created C:\Windows\SysWOW64\Pqpgdfnp.exe Pmdkch32.exe File created C:\Windows\SysWOW64\Bebblb32.exe Bmkjkd32.exe File created C:\Windows\SysWOW64\Idacmfkj.exe Imgkql32.exe File created C:\Windows\SysWOW64\Akihmf32.dll Kagichjo.exe File created C:\Windows\SysWOW64\Acjoke32.dll Pgjfkg32.exe File created C:\Windows\SysWOW64\Cajcbgml.exe Clnjjpod.exe File opened for modification C:\Windows\SysWOW64\Pnakhkol.exe Pjeoglgc.exe File created C:\Windows\SysWOW64\Mkfdhbpg.dll Bfkedibe.exe File created C:\Windows\SysWOW64\Cmafhe32.dll Lkdggmlj.exe File created C:\Windows\SysWOW64\Okjbpglo.exe Occkojkm.exe File created C:\Windows\SysWOW64\Jphopllo.dll Lpcfkm32.exe File opened for modification C:\Windows\SysWOW64\Mgkjhe32.exe Mdmnlj32.exe File opened for modification C:\Windows\SysWOW64\Cojjqlpk.exe Chpada32.exe File created C:\Windows\SysWOW64\Ipenkiei.dll Dadeieea.exe File created C:\Windows\SysWOW64\Lgmngglp.exe Lbabgh32.exe File created C:\Windows\SysWOW64\Bjokdipf.exe Bganhm32.exe File created C:\Windows\SysWOW64\Ahoimd32.exe Aealah32.exe File opened for modification C:\Windows\SysWOW64\Beeflhdh.exe Bbgipldd.exe File created C:\Windows\SysWOW64\Mjdgcbkb.dll Bbgipldd.exe File opened for modification C:\Windows\SysWOW64\Boepel32.exe Blfdia32.exe File opened for modification C:\Windows\SysWOW64\Deagdn32.exe Daekdooc.exe File opened for modification C:\Windows\SysWOW64\Ikpaldog.exe Iiaephpc.exe File created C:\Windows\SysWOW64\Gfghpl32.dll Deagdn32.exe File opened for modification C:\Windows\SysWOW64\Kagichjo.exe Kknafn32.exe File created C:\Windows\SysWOW64\Kpdobeck.dll Mdfofakp.exe File opened for modification C:\Windows\SysWOW64\Mgghhlhq.exe Mdiklqhm.exe File created C:\Windows\SysWOW64\Clhkicgk.dll Gofkje32.exe File created C:\Windows\SysWOW64\Edgbbfnk.dll Kpjcdn32.exe File opened for modification C:\Windows\SysWOW64\Aqppkd32.exe Amddjegd.exe File created C:\Windows\SysWOW64\Aabmqd32.exe Andqdh32.exe File opened for modification C:\Windows\SysWOW64\Hfcpncdk.exe Hpihai32.exe File created C:\Windows\SysWOW64\Aqnhjk32.dll Impepm32.exe File created C:\Windows\SysWOW64\Lkdggmlj.exe Lpocjdld.exe File opened for modification C:\Windows\SysWOW64\Mjeddggd.exe Mgghhlhq.exe File created C:\Windows\SysWOW64\Fbnkjc32.dll Kfmepi32.exe File opened for modification C:\Windows\SysWOW64\Ncbknfed.exe Mlhbal32.exe File created C:\Windows\SysWOW64\Kkbljp32.dll Pmannhhj.exe File created C:\Windows\SysWOW64\Lgneampk.exe Laalifad.exe File created C:\Windows\SysWOW64\Nqpego32.exe Nbmelbid.exe File created C:\Windows\SysWOW64\Pbbgnpgl.exe Pkhoae32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11500 11280 WerFault.exe 592 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicplccq.dll" Bhkhibmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfkaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll" Mlhbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll" Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifjfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll" Ibagcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll" Kilhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njqmepik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kphmie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jioaqfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdlbifk.dll" Jcgbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okjbpglo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfkaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll" Ofnckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcppfaka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifmcdblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idacmfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnolfdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fljcmlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfioebm.dll" Pnihcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahkobekf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eadopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkhie32.dll" Icplcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpjqhgol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbhmdbnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll" Mcbahlip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kknafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaelmc32.dll" Ajkhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmbmibhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qdbiedpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfcpncdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll" Hibljoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmgdgjek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcgbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajanck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgnnhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajkhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjfkm32.dll" Ecoangbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdeld32.dll" Kmijbcpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpjlklok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlampmdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncbknfed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlaegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhkicgk.dll" Gofkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hioiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kfoafi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnpemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll" Mgfqmfde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll" Hcqjfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll" Jaimbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" Ncihikcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll" Hfljmdjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Leihbeib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bldgdago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejckel32.dll" Jioaqfcc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1404 wrote to memory of 1576 1404 54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe 83 PID 1404 wrote to memory of 1576 1404 54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe 83 PID 1404 wrote to memory of 1576 1404 54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe 83 PID 1576 wrote to memory of 1492 1576 Hpbaqj32.exe 84 PID 1576 wrote to memory of 1492 1576 Hpbaqj32.exe 84 PID 1576 wrote to memory of 1492 1576 Hpbaqj32.exe 84 PID 1492 wrote to memory of 4588 1492 Hbanme32.exe 85 PID 1492 wrote to memory of 4588 1492 Hbanme32.exe 85 PID 1492 wrote to memory of 4588 1492 Hbanme32.exe 85 PID 4588 wrote to memory of 3968 4588 Hfljmdjc.exe 86 PID 4588 wrote to memory of 3968 4588 Hfljmdjc.exe 86 PID 4588 wrote to memory of 3968 4588 Hfljmdjc.exe 86 PID 3968 wrote to memory of 3928 3968 Hmfbjnbp.exe 87 PID 3968 wrote to memory of 3928 3968 Hmfbjnbp.exe 87 PID 3968 wrote to memory of 3928 3968 Hmfbjnbp.exe 87 PID 3928 wrote to memory of 2140 3928 Hcqjfh32.exe 88 PID 3928 wrote to memory of 2140 3928 Hcqjfh32.exe 88 PID 3928 wrote to memory of 2140 3928 Hcqjfh32.exe 88 PID 2140 wrote to memory of 1280 2140 Hjjbcbqj.exe 89 PID 2140 wrote to memory of 1280 2140 Hjjbcbqj.exe 89 PID 2140 wrote to memory of 1280 2140 Hjjbcbqj.exe 89 PID 1280 wrote to memory of 3540 1280 Hadkpm32.exe 90 PID 1280 wrote to memory of 3540 1280 Hadkpm32.exe 90 PID 1280 wrote to memory of 3540 1280 Hadkpm32.exe 90 PID 3540 wrote to memory of 592 3540 Hccglh32.exe 91 PID 3540 wrote to memory of 592 3540 Hccglh32.exe 91 PID 3540 wrote to memory of 592 3540 Hccglh32.exe 91 PID 592 wrote to memory of 2840 592 Hfachc32.exe 92 PID 592 wrote to memory of 2840 592 Hfachc32.exe 92 PID 592 wrote to memory of 2840 592 Hfachc32.exe 92 PID 2840 wrote to memory of 2576 2840 Hmklen32.exe 93 PID 2840 wrote to memory of 2576 2840 Hmklen32.exe 93 PID 2840 wrote to memory of 2576 2840 Hmklen32.exe 93 PID 2576 wrote to memory of 4368 2576 Hpihai32.exe 94 PID 2576 wrote to memory of 4368 2576 Hpihai32.exe 94 PID 2576 wrote to memory of 4368 2576 Hpihai32.exe 94 PID 4368 wrote to memory of 1760 4368 Hfcpncdk.exe 95 PID 4368 wrote to memory of 1760 4368 Hfcpncdk.exe 95 PID 4368 wrote to memory of 1760 4368 Hfcpncdk.exe 95 PID 1760 wrote to memory of 1472 1760 Hibljoco.exe 96 PID 1760 wrote to memory of 1472 1760 Hibljoco.exe 96 PID 1760 wrote to memory of 1472 1760 Hibljoco.exe 96 PID 1472 wrote to memory of 4536 1472 Ipldfi32.exe 97 PID 1472 wrote to memory of 4536 1472 Ipldfi32.exe 97 PID 1472 wrote to memory of 4536 1472 Ipldfi32.exe 97 PID 4536 wrote to memory of 4376 4536 Ibjqcd32.exe 98 PID 4536 wrote to memory of 4376 4536 Ibjqcd32.exe 98 PID 4536 wrote to memory of 4376 4536 Ibjqcd32.exe 98 PID 4376 wrote to memory of 4524 4376 Ijaida32.exe 99 PID 4376 wrote to memory of 4524 4376 Ijaida32.exe 99 PID 4376 wrote to memory of 4524 4376 Ijaida32.exe 99 PID 4524 wrote to memory of 1096 4524 Impepm32.exe 101 PID 4524 wrote to memory of 1096 4524 Impepm32.exe 101 PID 4524 wrote to memory of 1096 4524 Impepm32.exe 101 PID 1096 wrote to memory of 3508 1096 Ipnalhii.exe 102 PID 1096 wrote to memory of 3508 1096 Ipnalhii.exe 102 PID 1096 wrote to memory of 3508 1096 Ipnalhii.exe 102 PID 3508 wrote to memory of 4036 3508 Ibmmhdhm.exe 103 PID 3508 wrote to memory of 4036 3508 Ibmmhdhm.exe 103 PID 3508 wrote to memory of 4036 3508 Ibmmhdhm.exe 103 PID 4036 wrote to memory of 3732 4036 Imbaemhc.exe 104 PID 4036 wrote to memory of 3732 4036 Imbaemhc.exe 104 PID 4036 wrote to memory of 3732 4036 Imbaemhc.exe 104 PID 3732 wrote to memory of 4828 3732 Icljbg32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\54141ca06d25e27f7a485b2bc86e66f4ea37f60859bea7b4940bd31b87eb8fc6_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Ijaida32.exeC:\Windows\system32\Ijaida32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4828 -
C:\Windows\SysWOW64\Iapjlk32.exeC:\Windows\system32\Iapjlk32.exe24⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4888 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3728 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe29⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe31⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe32⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe33⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:64 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe37⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe40⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4408 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe43⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe44⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe45⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4776 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe48⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe49⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe50⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe51⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4120 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4864 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe54⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe55⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe56⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe57⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe59⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3252 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe62⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe63⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe64⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe65⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe66⤵PID:1976
-
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe67⤵PID:2012
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe68⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe69⤵
- Drops file in System32 directory
PID:4340 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe70⤵PID:4876
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe71⤵PID:4924
-
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe72⤵PID:2252
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4200 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe74⤵PID:2724
-
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe75⤵PID:4960
-
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe76⤵PID:4008
-
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe77⤵PID:1940
-
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe78⤵PID:2668
-
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe80⤵PID:3100
-
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe81⤵
- Drops file in System32 directory
PID:3104 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe82⤵PID:2728
-
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe83⤵PID:4364
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe84⤵PID:1192
-
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe85⤵
- Drops file in System32 directory
PID:4492 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe86⤵
- Drops file in System32 directory
PID:4552 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe87⤵PID:632
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe88⤵PID:2384
-
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4424 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe90⤵PID:5128
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe91⤵PID:5164
-
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe92⤵PID:5216
-
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe93⤵PID:5300
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe94⤵PID:5352
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe95⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe96⤵
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe97⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe98⤵
- Drops file in System32 directory
PID:5528 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe99⤵PID:5572
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe100⤵PID:5612
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe101⤵PID:5660
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe102⤵PID:5704
-
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe103⤵PID:5744
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe104⤵PID:5788
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe105⤵
- Modifies registry class
PID:5832 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe106⤵PID:5880
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe107⤵PID:5920
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe108⤵
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe109⤵PID:6012
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe110⤵PID:6060
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe111⤵PID:6104
-
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe112⤵
- Drops file in System32 directory
PID:3208 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe113⤵PID:5200
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe114⤵PID:5280
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe115⤵PID:5340
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe116⤵PID:5420
-
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe117⤵PID:5468
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe118⤵PID:5568
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5608 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe120⤵PID:5700
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe121⤵PID:5752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-