Analysis
- max time kernel: 144s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 25/06/2024, 09:05
Static task: static1
Behavioral task: behavioral1
- Sample: 4bb55ef2427fdab8e140f592f29430dce44e1ce5c898da596fb64a9cfa086d79_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 4bb55ef2427fdab8e140f592f29430dce44e1ce5c898da596fb64a9cfa086d79_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 4bb55ef2427fdab8e140f592f29430dce44e1ce5c898da596fb64a9cfa086d79_NeikiAnalytics.exe
- Size: 488KB
- MD5: c05ec7f72f0f54dd355fdaf6282e8960
- SHA1: f8b04cc2ea8c4ceab0ecbc2e900712d7077de83d
- SHA256: 4bb55ef2427fdab8e140f592f29430dce44e1ce5c898da596fb64a9cfa086d79
- SHA512: d69d5319ce6c67276634dd9ef2a97fb4ef0f359385944cb2ab0b9e178e98d19d2739bb748cf99e4f83eac07265b1ef38865c01bd9657125b5beb139efcbead8e
- SSDEEP: 6144:Ha+5alUSfoEon/TNId/1fon/T9P7GSon/TNId/1fon/T2oI0YokOsfY7Uon2KO:mlbwNIVyeNIVy2oIvPKiKO
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikddbj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfcnngnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbjochdi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kiccofna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkcdafqb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlgefh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clomqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhffaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpocfncj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hodpgjha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qabcjgkh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdjefj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eccmffjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejobhppq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkaqmeah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdfflm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpqpjj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Legmbd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oiellh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikddbj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbdonb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjlgiqbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jiakjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nolhan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fncdgcqm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbfbgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kicmdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbkpna32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjdbnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbdonb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kohkfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpphap32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndpfkdmf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dolnad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfobbc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iheddndj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knpemf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlcbenjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mekdekin.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okchhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajejgp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfobbc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiqbndpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndkmpe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqideepg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfpclh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkodhe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnbjopoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfefiemq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gogangdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjenhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmikibio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bebkpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkodhe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idhopq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idklfpon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfnnha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmkfei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qagcpljo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amkpegnj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdakgibq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfgaiaci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcagpl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkmhaj32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2176 | Hoakolod.exe
2020 | Hjkkojlc.exe
2704 | Imkdqe32.exe
2524 | Inkakhpg.exe
3052 | Impnldeo.exe
2536 | Imbkadcl.exe
2340 | Iiikfehq.exe
2820 | Jilhldfn.exe
2876 | Jebiaelb.exe
1276 | Jjoailji.exe
2576 | Jcgfbb32.exe
2556 | Jgenhp32.exe
2052 | Jiigehkl.exe
2792 | Kappfeln.exe
2148 | Kllmmc32.exe
928 | Knjiin32.exe
780 | Klqfhbbe.exe
688 | Koocdnai.exe
2348 | Kbkodl32.exe
1780 | Llccmb32.exe
1036 | Laplei32.exe
1300 | Ldnhad32.exe
1836 | Lodlom32.exe
2376 | Labhkh32.exe
2488 | Lmiipi32.exe
2908 | Ladeqhjd.exe
1588 | Lipjejgp.exe
1712 | Lmkfei32.exe
2128 | Ldenbcge.exe
2924 | Lchnnp32.exe
2096 | Mcjkcplm.exe
2520 | Midcpj32.exe
2192 | Mekdekin.exe
3012 | Migpeiag.exe
2880 | Mochnppo.exe
3020 | Menakj32.exe
1508 | Mdqafgnf.exe
1860 | Mkjica32.exe
1432 | Mepnpj32.exe
1996 | Mkmfhacp.exe
2616 | Mhqfbebj.exe
2948 | Mgcgmb32.exe
320 | Njbcim32.exe
2416 | Nnnojlpa.exe
1532 | Ndgggf32.exe
1044 | Ngfcca32.exe
1032 | Nnplpl32.exe
744 | Nlblkhei.exe
2360 | Ncmdhb32.exe
1948 | Nfkpdn32.exe
2916 | Nnbhek32.exe
884 | Nqqdag32.exe
2720 | Ncoamb32.exe
2644 | Nfmmin32.exe
2836 | Nlgefh32.exe
2512 | Nofabc32.exe
3008 | Nfpjomgd.exe
1804 | Nmjblg32.exe
2168 | Nohnhc32.exe
1188 | Nbfjdn32.exe
2100 | Ohqbqhde.exe
860 | Oojknblb.exe
2496 | Obigjnkf.exe
2032 | Odgcfijj.exe
Loads dropped DLL (64 IoCs; each process below is listed twice in the report)
pid | Process
1680 | 4bb55ef2427fdab8e140f592f29430dce44e1ce5c898da596fb64a9cfa086d79_NeikiAnalytics.exe
2176 | Hoakolod.exe
2020 | Hjkkojlc.exe
2704 | Imkdqe32.exe
2524 | Inkakhpg.exe
3052 | Impnldeo.exe
2536 | Imbkadcl.exe
2340 | Iiikfehq.exe
2820 | Jilhldfn.exe
2876 | Jebiaelb.exe
1276 | Jjoailji.exe
2576 | Jcgfbb32.exe
2556 | Jgenhp32.exe
2052 | Jiigehkl.exe
2792 | Kappfeln.exe
2148 | Kllmmc32.exe
928 | Knjiin32.exe
780 | Klqfhbbe.exe
688 | Koocdnai.exe
2348 | Kbkodl32.exe
1780 | Llccmb32.exe
1036 | Laplei32.exe
1300 | Ldnhad32.exe
1836 | Lodlom32.exe
2376 | Labhkh32.exe
2488 | Lmiipi32.exe
2908 | Ladeqhjd.exe
1588 | Lipjejgp.exe
1712 | Lmkfei32.exe
2128 | Ldenbcge.exe
2924 | Lchnnp32.exe
2096 | Mcjkcplm.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Inkaippf.dll | Ofhick32.exe
File created | C:\Windows\SysWOW64\Jjpcbe32.exe | Jgagfi32.exe
File opened for modification | C:\Windows\SysWOW64\Koocdnai.exe | Klqfhbbe.exe
File created | C:\Windows\SysWOW64\Mhhaff32.dll | Peiljl32.exe
File created | C:\Windows\SysWOW64\Jejhecaj.exe | Jbllihbf.exe
File created | C:\Windows\SysWOW64\Nolhan32.exe | Mlmlecec.exe
File created | C:\Windows\SysWOW64\Aghcamqb.dll | Fikejl32.exe
File created | C:\Windows\SysWOW64\Gallbqdi.dll | Fnhnbb32.exe
File created | C:\Windows\SysWOW64\Ngogde32.dll | Nlphkb32.exe
File opened for modification | C:\Windows\SysWOW64\Ndpfkdmf.exe | Nnennj32.exe
File created | C:\Windows\SysWOW64\Odobjg32.exe | Oobjaqaj.exe
File created | C:\Windows\SysWOW64\Clomqk32.exe | Cjpqdp32.exe
File created | C:\Windows\SysWOW64\Bldcpf32.exe | Bekkcljk.exe
File created | C:\Windows\SysWOW64\Nfgegdkp.dll | 4bb55ef2427fdab8e140f592f29430dce44e1ce5c898da596fb64a9cfa086d79_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Ppqqbdml.dll | Mochnppo.exe
File opened for modification | C:\Windows\SysWOW64\Copfbfjj.exe | Claifkkf.exe
File created | C:\Windows\SysWOW64\Lopekk32.dll | Enihne32.exe
File created | C:\Windows\SysWOW64\Gieojq32.exe | Gpmjak32.exe
File created | C:\Windows\SysWOW64\Mpcnkg32.dll | Leimip32.exe
File created | C:\Windows\SysWOW64\Joifam32.exe | Jiondcpk.exe
File opened for modification | C:\Windows\SysWOW64\Pmqdkj32.exe | Peiljl32.exe
File created | C:\Windows\SysWOW64\Npfgpe32.exe | Ngnbgplj.exe
File opened for modification | C:\Windows\SysWOW64\Bpgljfbl.exe | Amhpnkch.exe
File opened for modification | C:\Windows\SysWOW64\Hgmalg32.exe | Hapicp32.exe
File created | C:\Windows\SysWOW64\Dgfjbgmh.exe | Dqlafm32.exe
File created | C:\Windows\SysWOW64\Clnlnhop.dll | Elmigj32.exe
File opened for modification | C:\Windows\SysWOW64\Fhffaj32.exe | Ebinic32.exe
File created | C:\Windows\SysWOW64\Iqapllgh.dll | Gpqpjj32.exe
File created | C:\Windows\SysWOW64\Pccobp32.dll | Aepojo32.exe
File created | C:\Windows\SysWOW64\Bkommo32.exe | Bfcampgf.exe
File created | C:\Windows\SysWOW64\Cnkicn32.exe | Clilkfnb.exe
File created | C:\Windows\SysWOW64\Dlgldibq.exe | Dndlim32.exe
File opened for modification | C:\Windows\SysWOW64\Jkoplhip.exe | Jqilooij.exe
File created | C:\Windows\SysWOW64\Pknmbn32.dll | Admemg32.exe
File opened for modification | C:\Windows\SysWOW64\Aplifb32.exe | Alpmfdcb.exe
File created | C:\Windows\SysWOW64\Pmnafl32.dll | Kifpdelo.exe
File created | C:\Windows\SysWOW64\Nadddkfi.dll | Oqideepg.exe
File created | C:\Windows\SysWOW64\Aplifb32.exe | Alpmfdcb.exe
File created | C:\Windows\SysWOW64\Lbadbn32.dll | Eccmffjf.exe
File created | C:\Windows\SysWOW64\Negpnjgm.dll | Legmbd32.exe
File created | C:\Windows\SysWOW64\Ocomlemo.exe | Onbddoog.exe
File opened for modification | C:\Windows\SysWOW64\Obkdonic.exe | Onphoo32.exe
File opened for modification | C:\Windows\SysWOW64\Apcfahio.exe | Aiinen32.exe
File opened for modification | C:\Windows\SysWOW64\Bkommo32.exe | Bfcampgf.exe
File created | C:\Windows\SysWOW64\Cpinomjo.dll | Ffklhqao.exe
File created | C:\Windows\SysWOW64\Kgbggnhc.exe | Kahojc32.exe
File created | C:\Windows\SysWOW64\Kpmlkp32.exe | Kiccofna.exe
File created | C:\Windows\SysWOW64\Afcenm32.exe | Apimacnn.exe
File created | C:\Windows\SysWOW64\Afdignjb.dll | Ndemjoae.exe
File created | C:\Windows\SysWOW64\Ppmcfdad.dll | Dgfjbgmh.exe
File created | C:\Windows\SysWOW64\Omeope32.dll | Cdlnkmha.exe
File created | C:\Windows\SysWOW64\Nblihc32.dll | Hmfjha32.exe
File opened for modification | C:\Windows\SysWOW64\Iheddndj.exe | Iefhhbef.exe
File created | C:\Windows\SysWOW64\Cdcngb32.dll | Jiigehkl.exe
File created | C:\Windows\SysWOW64\Peinaf32.dll | Ndgggf32.exe
File opened for modification | C:\Windows\SysWOW64\Ikpjgkjq.exe | Idfbkq32.exe
File created | C:\Windows\SysWOW64\Ikpjgkjq.exe | Idfbkq32.exe
File opened for modification | C:\Windows\SysWOW64\Keanebkb.exe | Kmjfdejp.exe
File opened for modification | C:\Windows\SysWOW64\Pklhlael.exe | Pimkpfeh.exe
File created | C:\Windows\SysWOW64\Joliff32.dll | Dlgldibq.exe
File created | C:\Windows\SysWOW64\Llccmb32.exe | Kbkodl32.exe
File created | C:\Windows\SysWOW64\Nfkpdn32.exe | Ncmdhb32.exe
File created | C:\Windows\SysWOW64\Emeopn32.exe | Eijcpoac.exe
File created | C:\Windows\SysWOW64\Odbkcj32.dll | Pndniaop.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
5224 | 5284 | WerFault.exe | 552
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpnhgek.dll" | Onbddoog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbjgh32.dll" | Mlkopcge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlmlecec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bldcpf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkjfah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ppjglfon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll" | Dgdmmgpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bghjhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdcnhnl.dll" | Jkoplhip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndpfkdmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gljnej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gpqpjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgmpikn.dll" | Hlngpjlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnffgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfliqila.dll" | Migpeiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eijcpoac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Leimip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjenhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgalgjnb.dll" | Jqgoiokm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfdaihk.dll" | Paejki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmkgjhfn.dll" | Ppoqge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmnjfia.dll" | Fbmcbbki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihicd32.dll" | Gmpgio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gpncej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gfhladfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimpgolj.dll" | Pjenhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pikkiijf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afohaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahokfj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emcbkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll" | Dfffnn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eqijej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onjgiiad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkddcl32.dll" | Pbfpik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndcpj32.dll" | Piphee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dbehoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqahbgm.dll" | Iapebchh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmdadnkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpmlkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" | Eqgnokip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gpncej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Inifnq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Elmigj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dqlafm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbcmlc.dll" | Ffkcbgek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lihmjejl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdfflm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idnaoohk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Migpeiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpca32.dll" | Idklfpon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohfeog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Okalbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" | Eecqjpee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll" | Dndlim32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mencccop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hgdbhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ppoqge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bdjefj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" | Fejgko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" | Ggpimica.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jebiaelb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjhccbfb.dll" | Lmkfei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljenlcfa.dll" | Emcbkn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iefhhbef.exe
Suspicious use of WriteProcessMemory (64 IoCs; each parent/child pair below is listed four times in the report)
description | pid | Process | procid_target
PID 1680 wrote to memory of 2176 | 1680 | 4bb55ef2427fdab8e140f592f29430dce44e1ce5c898da596fb64a9cfa086d79_NeikiAnalytics.exe | 28
PID 2176 wrote to memory of 2020 | 2176 | Hoakolod.exe | 29
PID 2020 wrote to memory of 2704 | 2020 | Hjkkojlc.exe | 30
PID 2704 wrote to memory of 2524 | 2704 | Imkdqe32.exe | 31
PID 2524 wrote to memory of 3052 | 2524 | Inkakhpg.exe | 32
PID 3052 wrote to memory of 2536 | 3052 | Impnldeo.exe | 33
PID 2536 wrote to memory of 2340 | 2536 | Imbkadcl.exe | 34
PID 2340 wrote to memory of 2820 | 2340 | Iiikfehq.exe | 35
PID 2820 wrote to memory of 2876 | 2820 | Jilhldfn.exe | 36
PID 2876 wrote to memory of 1276 | 2876 | Jebiaelb.exe | 37
PID 1276 wrote to memory of 2576 | 1276 | Jjoailji.exe | 38
PID 2576 wrote to memory of 2556 | 2576 | Jcgfbb32.exe | 39
PID 2556 wrote to memory of 2052 | 2556 | Jgenhp32.exe | 40
PID 2052 wrote to memory of 2792 | 2052 | Jiigehkl.exe | 41
PID 2792 wrote to memory of 2148 | 2792 | Kappfeln.exe | 42
PID 2148 wrote to memory of 928 | 2148 | Kllmmc32.exe | 43
Processes
Each entry's number is its depth in the process tree; every process below is spawned by the one listed directly above it.

1. C:\Users\Admin\AppData\Local\Temp\4bb55ef2427fdab8e140f592f29430dce44e1ce5c898da596fb64a9cfa086d79_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\4bb55ef2427fdab8e140f592f29430dce44e1ce5c898da596fb64a9cfa086d79_NeikiAnalytics.exe"), PID 1680
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Hoakolod.exe (command line: C:\Windows\system32\Hoakolod.exe), PID 2176
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Hjkkojlc.exe (command line: C:\Windows\system32\Hjkkojlc.exe), PID 2020
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Imkdqe32.exe (command line: C:\Windows\system32\Imkdqe32.exe), PID 2704
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Inkakhpg.exe (command line: C:\Windows\system32\Inkakhpg.exe), PID 2524
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Impnldeo.exe (command line: C:\Windows\system32\Impnldeo.exe), PID 3052
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Imbkadcl.exe (command line: C:\Windows\system32\Imbkadcl.exe), PID 2536
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Iiikfehq.exe (command line: C:\Windows\system32\Iiikfehq.exe), PID 2340
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Jilhldfn.exe (command line: C:\Windows\system32\Jilhldfn.exe), PID 2820
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Jebiaelb.exe (command line: C:\Windows\system32\Jebiaelb.exe), PID 2876
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Jjoailji.exe (command line: C:\Windows\system32\Jjoailji.exe), PID 1276
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Jcgfbb32.exe (command line: C:\Windows\system32\Jcgfbb32.exe), PID 2576
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Jgenhp32.exe (command line: C:\Windows\system32\Jgenhp32.exe), PID 2556
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Jiigehkl.exe (command line: C:\Windows\system32\Jiigehkl.exe), PID 2052
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Kappfeln.exe (command line: C:\Windows\system32\Kappfeln.exe), PID 2792
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Kllmmc32.exe (command line: C:\Windows\system32\Kllmmc32.exe), PID 2148
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Knjiin32.exe (command line: C:\Windows\system32\Knjiin32.exe), PID 928
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Klqfhbbe.exe (command line: C:\Windows\system32\Klqfhbbe.exe), PID 780
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
19. C:\Windows\SysWOW64\Koocdnai.exe (command line: C:\Windows\system32\Koocdnai.exe), PID 688
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Kbkodl32.exe (command line: C:\Windows\system32\Kbkodl32.exe), PID 2348
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
21. C:\Windows\SysWOW64\Llccmb32.exe (command line: C:\Windows\system32\Llccmb32.exe), PID 1780
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Laplei32.exe (command line: C:\Windows\system32\Laplei32.exe), PID 1036
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Ldnhad32.exe (command line: C:\Windows\system32\Ldnhad32.exe), PID 1300
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Lodlom32.exe (command line: C:\Windows\system32\Lodlom32.exe), PID 1836
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Labhkh32.exe (command line: C:\Windows\system32\Labhkh32.exe), PID 2376
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Lmiipi32.exe (command line: C:\Windows\system32\Lmiipi32.exe), PID 2488
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Ladeqhjd.exe (command line: C:\Windows\system32\Ladeqhjd.exe), PID 2908
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Lipjejgp.exe (command line: C:\Windows\system32\Lipjejgp.exe), PID 1588
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Lmkfei32.exe (command line: C:\Windows\system32\Lmkfei32.exe), PID 1712
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
30. C:\Windows\SysWOW64\Ldenbcge.exe (command line: C:\Windows\system32\Ldenbcge.exe), PID 2128
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Lchnnp32.exe (command line: C:\Windows\system32\Lchnnp32.exe), PID 2924
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Mcjkcplm.exe (command line: C:\Windows\system32\Mcjkcplm.exe), PID 2096
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Midcpj32.exe (command line: C:\Windows\system32\Midcpj32.exe), PID 2520
- Executes dropped EXE
34. C:\Windows\SysWOW64\Mekdekin.exe (command line: C:\Windows\system32\Mekdekin.exe), PID 2192
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
35. C:\Windows\SysWOW64\Migpeiag.exe (command line: C:\Windows\system32\Migpeiag.exe), PID 3012
- Executes dropped EXE
- Modifies registry class
36. C:\Windows\SysWOW64\Mochnppo.exe (command line: C:\Windows\system32\Mochnppo.exe), PID 2880
- Executes dropped EXE
- Drops file in System32 directory
37. C:\Windows\SysWOW64\Menakj32.exe (command line: C:\Windows\system32\Menakj32.exe), PID 3020
- Executes dropped EXE
38. C:\Windows\SysWOW64\Mdqafgnf.exe (command line: C:\Windows\system32\Mdqafgnf.exe), PID 1508
- Executes dropped EXE
39. C:\Windows\SysWOW64\Mkjica32.exe (command line: C:\Windows\system32\Mkjica32.exe), PID 1860
- Executes dropped EXE
40. C:\Windows\SysWOW64\Mepnpj32.exe (command line: C:\Windows\system32\Mepnpj32.exe), PID 1432
- Executes dropped EXE
41. C:\Windows\SysWOW64\Mkmfhacp.exe (command line: C:\Windows\system32\Mkmfhacp.exe), PID 1996
- Executes dropped EXE
42. C:\Windows\SysWOW64\Mhqfbebj.exe (command line: C:\Windows\system32\Mhqfbebj.exe), PID 2616
- Executes dropped EXE
43. C:\Windows\SysWOW64\Mgcgmb32.exe (command line: C:\Windows\system32\Mgcgmb32.exe), PID 2948
- Executes dropped EXE
44. C:\Windows\SysWOW64\Njbcim32.exe (command line: C:\Windows\system32\Njbcim32.exe), PID 320
- Executes dropped EXE
45. C:\Windows\SysWOW64\Nnnojlpa.exe (command line: C:\Windows\system32\Nnnojlpa.exe), PID 2416
- Executes dropped EXE
46. C:\Windows\SysWOW64\Ndgggf32.exe (command line: C:\Windows\system32\Ndgggf32.exe), PID 1532
- Executes dropped EXE
- Drops file in System32 directory
47. C:\Windows\SysWOW64\Ngfcca32.exe (command line: C:\Windows\system32\Ngfcca32.exe), PID 1044
- Executes dropped EXE
48. C:\Windows\SysWOW64\Nnplpl32.exe (command line: C:\Windows\system32\Nnplpl32.exe), PID 1032
- Executes dropped EXE
49. C:\Windows\SysWOW64\Nlblkhei.exe (command line: C:\Windows\system32\Nlblkhei.exe), PID 744
- Executes dropped EXE
50. C:\Windows\SysWOW64\Ncmdhb32.exe (command line: C:\Windows\system32\Ncmdhb32.exe), PID 2360
- Executes dropped EXE
- Drops file in System32 directory
51. C:\Windows\SysWOW64\Nfkpdn32.exe (command line: C:\Windows\system32\Nfkpdn32.exe), PID 1948
- Executes dropped EXE
52. C:\Windows\SysWOW64\Nnbhek32.exe (command line: C:\Windows\system32\Nnbhek32.exe), PID 2916
- Executes dropped EXE
53. C:\Windows\SysWOW64\Nqqdag32.exe (command line: C:\Windows\system32\Nqqdag32.exe), PID 884
- Executes dropped EXE
54. C:\Windows\SysWOW64\Ncoamb32.exe (command line: C:\Windows\system32\Ncoamb32.exe), PID 2720
- Executes dropped EXE
55. C:\Windows\SysWOW64\Nfmmin32.exe (command line: C:\Windows\system32\Nfmmin32.exe), PID 2644
- Executes dropped EXE
56. C:\Windows\SysWOW64\Nlgefh32.exe (command line: C:\Windows\system32\Nlgefh32.exe), PID 2836
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
57. C:\Windows\SysWOW64\Nofabc32.exe (command line: C:\Windows\system32\Nofabc32.exe), PID 2512
- Executes dropped EXE
58. C:\Windows\SysWOW64\Nfpjomgd.exe (command line: C:\Windows\system32\Nfpjomgd.exe), PID 3008
- Executes dropped EXE
59. C:\Windows\SysWOW64\Nmjblg32.exe (command line: C:\Windows\system32\Nmjblg32.exe), PID 1804
- Executes dropped EXE
60. C:\Windows\SysWOW64\Nohnhc32.exe (command line: C:\Windows\system32\Nohnhc32.exe), PID 2168
- Executes dropped EXE
61. C:\Windows\SysWOW64\Nbfjdn32.exe (command line: C:\Windows\system32\Nbfjdn32.exe), PID 1188
- Executes dropped EXE
62. C:\Windows\SysWOW64\Ohqbqhde.exe (command line: C:\Windows\system32\Ohqbqhde.exe), PID 2100
- Executes dropped EXE
63. C:\Windows\SysWOW64\Oojknblb.exe (command line: C:\Windows\system32\Oojknblb.exe), PID 860
- Executes dropped EXE
64. C:\Windows\SysWOW64\Obigjnkf.exe (command line: C:\Windows\system32\Obigjnkf.exe), PID 2496
- Executes dropped EXE
65. C:\Windows\SysWOW64\Odgcfijj.exe (command line: C:\Windows\system32\Odgcfijj.exe), PID 2032
- Executes dropped EXE
66. C:\Windows\SysWOW64\Okalbc32.exe (command line: C:\Windows\system32\Okalbc32.exe), PID 1888
- Modifies registry class
67. C:\Windows\SysWOW64\Onphoo32.exe (command line: C:\Windows\system32\Onphoo32.exe), PID 768
- Drops file in System32 directory
68. C:\Windows\SysWOW64\Obkdonic.exe (command line: C:\Windows\system32\Obkdonic.exe), PID 1312
69. C:\Windows\SysWOW64\Oiellh32.exe (command line: C:\Windows\system32\Oiellh32.exe), PID 548
- Adds autorun key to be loaded by Explorer.exe on startup
70. C:\Windows\SysWOW64\Okchhc32.exe (command line: C:\Windows\system32\Okchhc32.exe), PID 1704
- Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Onbddoog.exe (command line: C:\Windows\system32\Onbddoog.exe), PID 2436
- Drops file in System32 directory
- Modifies registry class
72. C:\Windows\SysWOW64\Ocomlemo.exe (command line: C:\Windows\system32\Ocomlemo.exe), PID 1636
73. C:\Windows\SysWOW64\Ojieip32.exe (command line: C:\Windows\system32\Ojieip32.exe), PID 2988
74. C:\Windows\SysWOW64\Ondajnme.exe (command line: C:\Windows\system32\Ondajnme.exe), PID 2920
75. C:\Windows\SysWOW64\Oenifh32.exe (command line: C:\Windows\system32\Oenifh32.exe), PID 2632
76. C:\Windows\SysWOW64\Ogmfbd32.exe (command line: C:\Windows\system32\Ogmfbd32.exe), PID 3000
77. C:\Windows\SysWOW64\Ongnonkb.exe (command line: C:\Windows\system32\Ongnonkb.exe), PID 2852
78. C:\Windows\SysWOW64\Paejki32.exe (command line: C:\Windows\system32\Paejki32.exe), PID 2756
- Modifies registry class
79. C:\Windows\SysWOW64\Pgobhcac.exe (command line: C:\Windows\system32\Pgobhcac.exe), PID 1420
80. C:\Windows\SysWOW64\Pipopl32.exe (command line: C:\Windows\system32\Pipopl32.exe), PID 1296
81. C:\Windows\SysWOW64\Ppjglfon.exe (command line: C:\Windows\system32\Ppjglfon.exe), PID 1216
- Modifies registry class
82. C:\Windows\SysWOW64\Pbiciana.exe (command line: C:\Windows\system32\Pbiciana.exe), PID 1820
83. C:\Windows\SysWOW64\Plahag32.exe (command line: C:\Windows\system32\Plahag32.exe), PID 2268
84. C:\Windows\SysWOW64\Pbkpna32.exe (command line: C:\Windows\system32\Pbkpna32.exe), PID 1744
- Adds autorun key to be loaded by Explorer.exe on startup
85. C:\Windows\SysWOW64\Peiljl32.exe (command line: C:\Windows\system32\Peiljl32.exe), PID 2964
- Drops file in System32 directory
86. C:\Windows\SysWOW64\Pmqdkj32.exe (command line: C:\Windows\system32\Pmqdkj32.exe), PID 1736
87. C:\Windows\SysWOW64\Ppoqge32.exe (command line: C:\Windows\system32\Ppoqge32.exe), PID 848
- Modifies registry class
88. C:\Windows\SysWOW64\Pbmmcq32.exe (command line: C:\Windows\system32\Pbmmcq32.exe), PID 3060
89. C:\Windows\SysWOW64\Pfiidobe.exe (command line: C:\Windows\system32\Pfiidobe.exe), PID 2712
90. C:\Windows\SysWOW64\Phjelg32.exe (command line: C:\Windows\system32\Phjelg32.exe), PID 2196
91. C:\Windows\SysWOW64\Pndniaop.exe (command line: C:\Windows\system32\Pndniaop.exe), PID 2824
- Drops file in System32 directory
92. C:\Windows\SysWOW64\Pbpjiphi.exe (command line: C:\Windows\system32\Pbpjiphi.exe), PID 3004
93. C:\Windows\SysWOW64\Pijbfj32.exe (command line: C:\Windows\system32\Pijbfj32.exe), PID 1660
94. C:\Windows\SysWOW64\Qlhnbf32.exe (command line: C:\Windows\system32\Qlhnbf32.exe), PID 316
95. C:\Windows\SysWOW64\Qbbfopeg.exe (command line: C:\Windows\system32\Qbbfopeg.exe), PID 604
96. C:\Windows\SysWOW64\Qeqbkkej.exe (command line: C:\Windows\system32\Qeqbkkej.exe), PID 1476
97. C:\Windows\SysWOW64\Qjmkcbcb.exe (command line: C:\Windows\system32\Qjmkcbcb.exe), PID 2164
98. C:\Windows\SysWOW64\Qagcpljo.exe (command line: C:\Windows\system32\Qagcpljo.exe), PID 2288
- Adds autorun key to be loaded by Explorer.exe on startup
99. C:\Windows\SysWOW64\Afdlhchf.exe (command line: C:\Windows\system32\Afdlhchf.exe), PID 1596
100. C:\Windows\SysWOW64\Ajphib32.exe (command line: C:\Windows\system32\Ajphib32.exe), PID 2324
101. C:\Windows\SysWOW64\Aplpai32.exe (command line: C:\Windows\system32\Aplpai32.exe), PID 2420
102. C:\Windows\SysWOW64\Affhncfc.exe (command line: C:\Windows\system32\Affhncfc.exe), PID 2936
103. C:\Windows\SysWOW64\Ampqjm32.exe (command line: C:\Windows\system32\Ampqjm32.exe), PID 2648
104. C:\Windows\SysWOW64\Abmibdlh.exe (command line: C:\Windows\system32\Abmibdlh.exe), PID 2628
105. C:\Windows\SysWOW64\Ajdadamj.exe (command line: C:\Windows\system32\Ajdadamj.exe), PID 2584
106. C:\Windows\SysWOW64\Admemg32.exe (command line: C:\Windows\system32\Admemg32.exe), PID 2532
- Drops file in System32 directory
107. C:\Windows\SysWOW64\Abpfhcje.exe (command line: C:\Windows\system32\Abpfhcje.exe), PID 1620
108. C:\Windows\SysWOW64\Aiinen32.exe (command line: C:\Windows\system32\Aiinen32.exe), PID 2856
- Drops file in System32 directory
109. C:\Windows\SysWOW64\Apcfahio.exe (command line: C:\Windows\system32\Apcfahio.exe), PID 2940
110. C:\Windows\SysWOW64\Aepojo32.exe (command line: C:\Windows\system32\Aepojo32.exe), PID 2040
- Drops file in System32 directory
111. C:\Windows\SysWOW64\Ahokfj32.exe (command line: C:\Windows\system32\Ahokfj32.exe), PID 2092
- Modifies registry class
112. C:\Windows\SysWOW64\Bpfcgg32.exe (command line: C:\Windows\system32\Bpfcgg32.exe), PID 832
113. C:\Windows\SysWOW64\Bebkpn32.exe (command line: C:\Windows\system32\Bebkpn32.exe), PID 1776
- Adds autorun key to be loaded by Explorer.exe on startup
114. C:\Windows\SysWOW64\Bhahlj32.exe (command line: C:\Windows\system32\Bhahlj32.exe), PID 3068
115. C:\Windows\SysWOW64\Bkodhe32.exe (command line: C:\Windows\system32\Bkodhe32.exe), PID 1360
- Adds autorun key to be loaded by Explorer.exe on startup
116. C:\Windows\SysWOW64\Beehencq.exe (command line: C:\Windows\system32\Beehencq.exe), PID 2016
117. C:\Windows\SysWOW64\Bdhhqk32.exe (command line: C:\Windows\system32\Bdhhqk32.exe), PID 888
118. C:\Windows\SysWOW64\Bkaqmeah.exe (command line: C:\Windows\system32\Bkaqmeah.exe), PID 1656
- Adds autorun key to be loaded by Explorer.exe on startup
119. C:\Windows\SysWOW64\Balijo32.exe (command line: C:\Windows\system32\Balijo32.exe), PID 2572
120. C:\Windows\SysWOW64\Bdjefj32.exe (command line: C:\Windows\system32\Bdjefj32.exe), PID 2772
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
121. C:\Windows\SysWOW64\Bkdmcdoe.exe (command line: C:\Windows\system32\Bkdmcdoe.exe), PID 2848
122. C:\Windows\SysWOW64\Bnbjopoi.exe (command line: C:\Windows\system32\Bnbjopoi.exe), PID 2608
- Adds autorun key to be loaded by Explorer.exe on startup