Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 05:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe
-
Size
608KB
-
MD5
5686dd2de1d39d88bd92f67d27e9b570
-
SHA1
ebdd4347dca401bd894db9ebde1236faa39488c6
-
SHA256
88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944
-
SHA512
b3a1d1beaab1a9423116b763156e07e0179b13308c0198c68a9c92f8f5b7152b4633332dc6808b8b9c89d5abe6e65edc72d99d2294cf66c354ea972814d5189f
-
SSDEEP
12288:uNwD2AkY660fIaDZkY660f8jTK/XhdAwlt01t:u5AgsaDZgQjGkwlg
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apedah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apglgfde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akejdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilgjhena.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bneancnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmqpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eihgfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbemboof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedehaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iijdfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maiqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbkchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnekcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhkeelml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceoagcld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdgic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapbmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khglkqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijfihip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fopole32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjpkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfmeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekjgbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhfhaoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aijfihip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknnil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdigfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khglkqfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlgfqldf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phgfko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glmckikf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlahng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Diphbfdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjpbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjjkfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffjljmla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkkhmadd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdaqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhjjgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikgda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbeimf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liqoflfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kngekdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdggofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahlnmjkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhljnhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihgfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqjnhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efdmohmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkoojip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oajlkojn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgioakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpphdpcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjchfaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgjgol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijadk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofiopaap.exe -
Executes dropped EXE 64 IoCs
pid Process 2972 Dlfejcoe.exe 2796 Dlahng32.exe 2716 Ebcjamoh.exe 2320 Fbjpblip.exe 2192 Fiokbjgn.exe 2464 Gihniioc.exe 2336 Hhbdee32.exe 2008 Iogoec32.exe 1668 Ihfjognl.exe 1692 Jfcqgpfi.exe 2024 Jhffnk32.exe 856 Kgefefnd.exe 1952 Lnhdqdnd.exe 1728 Mamgmofp.exe 2624 Mcnpojca.exe 2840 Ndnlnm32.exe 1256 Npgihn32.exe 2844 Olbchn32.exe 1196 Oemegc32.exe 1788 Pkljdj32.exe 756 Pgckjk32.exe 1976 Pclhdl32.exe 592 Pjfpafmb.exe 2068 Qjhmfekp.exe 2288 Qmifhq32.exe 1932 Afdgfelo.exe 2372 Abkhkgbb.exe 2996 Acqnnndl.exe 2040 Bnhoag32.exe 2556 Bjoofhgc.exe 2552 Bbonei32.exe 2808 Cljodo32.exe 2612 Cdecha32.exe 2680 Cedpbd32.exe 264 Cheido32.exe 2428 Diphbfdi.exe 1180 Edlfhc32.exe 1324 Eapfagno.exe 1864 Eccpoo32.exe 2360 Flqmbd32.exe 2380 Fbmfkkbm.exe 1088 Fbpbpkpj.exe 788 Fkjdopeh.exe 2548 Gjbmelgm.exe 2240 Gfhnjm32.exe 2908 Gcmoda32.exe 340 Gbaken32.exe 1396 Hfpdkl32.exe 336 Hfbaql32.exe 316 Hloiib32.exe 1544 Hnpbjnpo.exe 848 Hhjcic32.exe 876 Iabhah32.exe 2364 Ibfaopoi.exe 1556 Ilofhffj.exe 2644 Iegjqk32.exe 2700 Ihhcbf32.exe 2536 Iigpli32.exe 2512 Jenpajfb.exe 2392 Jdcmbgkj.exe 2144 Jagnlkjd.exe 1296 Jkpbdq32.exe 1780 Jgfcja32.exe 740 Jpogbgmi.exe -
Loads dropped DLL 64 IoCs
pid Process 2268 88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe 2268 88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe 2972 Dlfejcoe.exe 2972 Dlfejcoe.exe 2796 Dlahng32.exe 2796 Dlahng32.exe 2716 Ebcjamoh.exe 2716 Ebcjamoh.exe 2320 Fbjpblip.exe 2320 Fbjpblip.exe 2192 Fiokbjgn.exe 2192 Fiokbjgn.exe 2464 Gihniioc.exe 2464 Gihniioc.exe 2336 Hhbdee32.exe 2336 Hhbdee32.exe 2008 Iogoec32.exe 2008 Iogoec32.exe 1668 Ihfjognl.exe 1668 Ihfjognl.exe 1692 Jfcqgpfi.exe 1692 Jfcqgpfi.exe 2024 Jhffnk32.exe 2024 Jhffnk32.exe 856 Kgefefnd.exe 856 Kgefefnd.exe 1952 Lnhdqdnd.exe 1952 Lnhdqdnd.exe 1728 Mamgmofp.exe 1728 Mamgmofp.exe 2624 Mcnpojca.exe 2624 Mcnpojca.exe 2840 Ndnlnm32.exe 2840 Ndnlnm32.exe 1256 Npgihn32.exe 1256 Npgihn32.exe 2844 Olbchn32.exe 2844 Olbchn32.exe 1196 Oemegc32.exe 1196 Oemegc32.exe 1788 Pkljdj32.exe 1788 Pkljdj32.exe 756 Pgckjk32.exe 756 Pgckjk32.exe 1976 Pclhdl32.exe 1976 Pclhdl32.exe 592 Pjfpafmb.exe 592 Pjfpafmb.exe 2068 Qjhmfekp.exe 2068 Qjhmfekp.exe 2288 Qmifhq32.exe 2288 Qmifhq32.exe 1932 Afdgfelo.exe 1932 Afdgfelo.exe 2372 Abkhkgbb.exe 2372 Abkhkgbb.exe 2996 Acqnnndl.exe 2996 Acqnnndl.exe 2040 Bnhoag32.exe 2040 Bnhoag32.exe 2556 Bjoofhgc.exe 2556 Bjoofhgc.exe 2552 Bbonei32.exe 2552 Bbonei32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jfnaok32.exe Jijqeg32.exe File opened for modification C:\Windows\SysWOW64\Kmdbkbpn.exe Kpqaanqd.exe File created C:\Windows\SysWOW64\Ifkedenn.dll Fbjpblip.exe File created C:\Windows\SysWOW64\Apofpf32.dll Pkljdj32.exe File created C:\Windows\SysWOW64\Dmmmfc32.exe Dhpemm32.exe File opened for modification C:\Windows\SysWOW64\Mldgbcoe.exe Mpngmb32.exe File created C:\Windows\SysWOW64\Ndagjbio.dll Lobbpg32.exe File opened for modification C:\Windows\SysWOW64\Mdgkjopd.exe Mdendpbg.exe File opened for modification C:\Windows\SysWOW64\Fcdbcloi.exe Enenef32.exe File created C:\Windows\SysWOW64\Dhniof32.dll Gkgbioee.exe File created C:\Windows\SysWOW64\Cejnde32.dll Hnimeg32.exe File created C:\Windows\SysWOW64\Imnaimag.dll Emadjj32.exe File opened for modification C:\Windows\SysWOW64\Eakjophb.exe Enjand32.exe File created C:\Windows\SysWOW64\Iqdbqp32.exe Ifoncgpc.exe File created C:\Windows\SysWOW64\Mmabiedh.dll Obpbhk32.exe File created C:\Windows\SysWOW64\Ihfjognl.exe Iogoec32.exe File created C:\Windows\SysWOW64\Fpocbfnp.dll Agccbenc.exe File created C:\Windows\SysWOW64\Feiaknmg.exe Fjaqhe32.exe File created C:\Windows\SysWOW64\Klbdig32.dll Nnjlhg32.exe File created C:\Windows\SysWOW64\Jcajlbce.dll Bqopmbed.exe File created C:\Windows\SysWOW64\Hjchpk32.dll Bgichoqj.exe File created C:\Windows\SysWOW64\Aagadh32.exe Apheke32.exe File opened for modification C:\Windows\SysWOW64\Phlclgfc.exe Ompefj32.exe File opened for modification C:\Windows\SysWOW64\Qlgkki32.exe Pghfnc32.exe File opened for modification C:\Windows\SysWOW64\Mljnaocd.exe Lenioenj.exe File created C:\Windows\SysWOW64\Gcljdpke.exe Gfhikl32.exe File created C:\Windows\SysWOW64\Ghdehmnj.dll Hkpaoape.exe File created C:\Windows\SysWOW64\Pldknmhd.exe Omonmpcm.exe File opened for modification C:\Windows\SysWOW64\Lkccob32.exe Lpnobi32.exe File opened for modification C:\Windows\SysWOW64\Elcpbigl.exe Ebklic32.exe File created C:\Windows\SysWOW64\Paafmp32.exe Omcngamh.exe File opened for modification C:\Windows\SysWOW64\Cmgpcg32.exe Cfmhfm32.exe File opened for modification C:\Windows\SysWOW64\Eigpmjqg.exe Ecjkkp32.exe File created C:\Windows\SysWOW64\Oddmokoo.exe Ojlife32.exe File created C:\Windows\SysWOW64\Cgjgol32.exe Camnge32.exe File created C:\Windows\SysWOW64\Jgmofbpk.exe Jmejmm32.exe File created C:\Windows\SysWOW64\Hkfgnldd.exe Hkdkhl32.exe File opened for modification C:\Windows\SysWOW64\Legcjjjm.exe Lgbfin32.exe File opened for modification C:\Windows\SysWOW64\Pkljdj32.exe Oemegc32.exe File created C:\Windows\SysWOW64\Henjfpgi.dll Mmbmeifk.exe File created C:\Windows\SysWOW64\Bgoime32.exe Akfkbd32.exe File opened for modification C:\Windows\SysWOW64\Lgfjggll.exe Kpieengb.exe File created C:\Windows\SysWOW64\Kjoolbcg.dll Qjfalj32.exe File created C:\Windows\SysWOW64\Ekjgbi32.exe Ehinpnpm.exe File created C:\Windows\SysWOW64\Lgaahp32.dll Ggqamh32.exe File opened for modification C:\Windows\SysWOW64\Hlijan32.exe Hcohbh32.exe File created C:\Windows\SysWOW64\Hgpjhn32.exe Hnheohcl.exe File created C:\Windows\SysWOW64\Gknfqppk.dll Phaoppja.exe File created C:\Windows\SysWOW64\Enhaeldn.exe Efjpkj32.exe File opened for modification C:\Windows\SysWOW64\Nahfkigd.exe Nddeae32.exe File created C:\Windows\SysWOW64\Oaomng32.dll Efhenccl.exe File created C:\Windows\SysWOW64\Hfanjcke.exe Hlijan32.exe File created C:\Windows\SysWOW64\Gnnfllod.dll Kbmafngi.exe File created C:\Windows\SysWOW64\Fmlbgc32.dll Aknnil32.exe File created C:\Windows\SysWOW64\Jcgmedpl.dll Bcpiombe.exe File created C:\Windows\SysWOW64\Iqgaenpf.dll Hkdkhl32.exe File created C:\Windows\SysWOW64\Anlbpigi.dll Chfffk32.exe File created C:\Windows\SysWOW64\Moomgmpm.exe Medligko.exe File opened for modification C:\Windows\SysWOW64\Hkgjge32.exe Hdmajkdl.exe File created C:\Windows\SysWOW64\Hjhobagi.dll Ckmpkpbl.exe File opened for modification C:\Windows\SysWOW64\Ephdjeol.exe Efppqoil.exe File created C:\Windows\SysWOW64\Amjiln32.exe Amglgn32.exe File created C:\Windows\SysWOW64\Chehgk32.dll Enenef32.exe File created C:\Windows\SysWOW64\Minldf32.exe Lpqnpacp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njbnon32.dll" Kdjceb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfmhfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofledji.dll" Ollncgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Debadpeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpogiglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbqhmkhq.dll" Choejien.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nejdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkgliff.dll" Lkepdbkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldjpbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edjdohaf.dll" Fkldgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhikhefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpohfljj.dll" Gqendf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bejiehfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjifpdib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpekln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gachcl32.dll" Imaglc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kofaicon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djicmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qccnpi32.dll" Floeof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfdbcing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iajpndmp.dll" Eelgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akjham32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pghfnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggcnbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhkclc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pbnckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll" Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maiqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chhpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammgib32.dll" Pfoanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnqjnhge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llolnffe.dll" Adleoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjbghkfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbokplfi.dll" Egikle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npngng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldingm32.dll" Hahoodqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hehafe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnpbjnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdedod32.dll" Mkgeehnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkiakec.dll" Edhpaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfddo32.dll" Jedehaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codfplej.dll" Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpohakbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhfpdl32.dll" Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpmcielb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neqnqofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blobmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndgdpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flphccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnjipn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iegjqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchdgl32.dll" Mkdffoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmejmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imaglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mifmoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmjaadjm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2972 2268 88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe 28 PID 2268 wrote to memory of 2972 2268 88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe 28 PID 2268 wrote to memory of 2972 2268 88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe 28 PID 2268 wrote to memory of 2972 2268 88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe 28 PID 2972 wrote to memory of 2796 2972 Dlfejcoe.exe 29 PID 2972 wrote to memory of 2796 2972 Dlfejcoe.exe 29 PID 2972 wrote to memory of 2796 2972 Dlfejcoe.exe 29 PID 2972 wrote to memory of 2796 2972 Dlfejcoe.exe 29 PID 2796 wrote to memory of 2716 2796 Dlahng32.exe 30 PID 2796 wrote to memory of 2716 2796 Dlahng32.exe 30 PID 2796 wrote to memory of 2716 2796 Dlahng32.exe 30 PID 2796 wrote to memory of 2716 2796 Dlahng32.exe 30 PID 2716 wrote to memory of 2320 2716 Ebcjamoh.exe 31 PID 2716 wrote to memory of 2320 2716 Ebcjamoh.exe 31 PID 2716 wrote to memory of 2320 2716 Ebcjamoh.exe 31 PID 2716 wrote to memory of 2320 2716 Ebcjamoh.exe 31 PID 2320 wrote to memory of 2192 2320 Fbjpblip.exe 32 PID 2320 wrote to memory of 2192 2320 Fbjpblip.exe 32 PID 2320 wrote to memory of 2192 2320 Fbjpblip.exe 32 PID 2320 wrote to memory of 2192 2320 Fbjpblip.exe 32 PID 2192 wrote to memory of 2464 2192 Fiokbjgn.exe 33 PID 2192 wrote to memory of 2464 2192 Fiokbjgn.exe 33 PID 2192 wrote to memory of 2464 2192 Fiokbjgn.exe 33 PID 2192 wrote to memory of 2464 2192 Fiokbjgn.exe 33 PID 2464 wrote to memory of 2336 2464 Gihniioc.exe 34 PID 2464 wrote to memory of 2336 2464 Gihniioc.exe 34 PID 2464 wrote to memory of 2336 2464 Gihniioc.exe 34 PID 2464 wrote to memory of 2336 2464 Gihniioc.exe 34 PID 2336 wrote to memory of 2008 2336 Hhbdee32.exe 35 PID 2336 wrote to memory of 2008 2336 Hhbdee32.exe 35 PID 2336 wrote to memory of 2008 2336 Hhbdee32.exe 35 PID 2336 wrote to memory of 2008 2336 Hhbdee32.exe 35 PID 2008 wrote to memory of 1668 2008 Iogoec32.exe 36 PID 2008 wrote to memory of 1668 2008 Iogoec32.exe 36 PID 2008 wrote to memory of 1668 2008 Iogoec32.exe 36 PID 2008 wrote to memory of 1668 2008 Iogoec32.exe 36 PID 1668 wrote to memory of 1692 1668 Ihfjognl.exe 37 PID 1668 wrote to memory of 1692 1668 Ihfjognl.exe 37 PID 1668 wrote to memory of 1692 1668 Ihfjognl.exe 37 PID 1668 wrote to memory of 1692 1668 Ihfjognl.exe 37 PID 1692 wrote to memory of 2024 1692 Jfcqgpfi.exe 38 PID 1692 wrote to memory of 2024 1692 Jfcqgpfi.exe 38 PID 1692 wrote to memory of 2024 1692 Jfcqgpfi.exe 38 PID 1692 wrote to memory of 2024 1692 Jfcqgpfi.exe 38 PID 2024 wrote to memory of 856 2024 Jhffnk32.exe 39 PID 2024 wrote to memory of 856 2024 Jhffnk32.exe 39 PID 2024 wrote to memory of 856 2024 Jhffnk32.exe 39 PID 2024 wrote to memory of 856 2024 Jhffnk32.exe 39 PID 856 wrote to memory of 1952 856 Kgefefnd.exe 40 PID 856 wrote to memory of 1952 856 Kgefefnd.exe 40 PID 856 wrote to memory of 1952 856 Kgefefnd.exe 40 PID 856 wrote to memory of 1952 856 Kgefefnd.exe 40 PID 1952 wrote to memory of 1728 1952 Lnhdqdnd.exe 41 PID 1952 wrote to memory of 1728 1952 Lnhdqdnd.exe 41 PID 1952 wrote to memory of 1728 1952 Lnhdqdnd.exe 41 PID 1952 wrote to memory of 1728 1952 Lnhdqdnd.exe 41 PID 1728 wrote to memory of 2624 1728 Mamgmofp.exe 42 PID 1728 wrote to memory of 2624 1728 Mamgmofp.exe 42 PID 1728 wrote to memory of 2624 1728 Mamgmofp.exe 42 PID 1728 wrote to memory of 2624 1728 Mamgmofp.exe 42 PID 2624 wrote to memory of 2840 2624 Mcnpojca.exe 43 PID 2624 wrote to memory of 2840 2624 Mcnpojca.exe 43 PID 2624 wrote to memory of 2840 2624 Mcnpojca.exe 43 PID 2624 wrote to memory of 2840 2624 Mcnpojca.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\88ae4280f57d947d44be7d8374a5f3a19e15c504af532e3c2dc31351f3882944_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Iogoec32.exeC:\Windows\system32\Iogoec32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:756 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe33⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe34⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe35⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe36⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe38⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe39⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe40⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe41⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe42⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe43⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe44⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe45⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe46⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe47⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe48⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe49⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe50⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe53⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe54⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe55⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe56⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe58⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe59⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe60⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe61⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe62⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe63⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe64⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe65⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe66⤵PID:2880
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe67⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe68⤵PID:2080
-
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe69⤵PID:564
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe71⤵PID:2856
-
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe72⤵PID:620
-
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe73⤵PID:2420
-
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe75⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe76⤵PID:2168
-
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe77⤵PID:1168
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe79⤵PID:2452
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe81⤵PID:2904
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe82⤵
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe83⤵PID:2112
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe85⤵PID:2348
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe86⤵PID:2188
-
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe87⤵PID:2792
-
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe88⤵PID:2832
-
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe89⤵PID:1712
-
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe90⤵PID:676
-
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe91⤵PID:1276
-
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe92⤵PID:2376
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe93⤵PID:1992
-
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe94⤵PID:1508
-
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe95⤵PID:2964
-
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe96⤵PID:2960
-
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe97⤵PID:2628
-
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe98⤵PID:2784
-
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe99⤵PID:1716
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe100⤵PID:1152
-
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe101⤵PID:1880
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe102⤵PID:1720
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe103⤵PID:1160
-
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe104⤵PID:744
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe105⤵PID:280
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:428 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe107⤵PID:1488
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe108⤵PID:1504
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe109⤵PID:2148
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe110⤵PID:2116
-
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe111⤵PID:2724
-
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe112⤵PID:2472
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe113⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe114⤵PID:1960
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe115⤵PID:1192
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe116⤵PID:1872
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe117⤵PID:2396
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe119⤵PID:2072
-
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe120⤵PID:2232
-
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-