Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 01:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe
-
Size
128KB
-
MD5
a0a1789bad9852b0791ea557a3926ba0
-
SHA1
7fbefe18ca79e9360792dd11c64bd2ff96f5df7d
-
SHA256
425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b
-
SHA512
f5a980dbaf6af823af176c6328898a014425fe90e3f347c150e844cedccc5aefcf0f517cfc414c413e005ba19a6a1159e1ac0a947c7dc18bad5862113c300f34
-
SSDEEP
3072:voKJbcpRbvn5Kc1h8UzdH13+EE+RaZ6r+GDZnr:zbyRbv591yUzd5IF6rfBr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgjfek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjifhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjbafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Makjho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeaedd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Depbfhpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggcaiqhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heglio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapjmehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeqabgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmakmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cikbhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocpkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpicodoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qimhoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckdlnjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcglec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhdgjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmomml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioliqbjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffimglk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjghhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elfaifaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgiepced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhneehek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1196 Hpkjko32.exe 3016 Hgdbhi32.exe 2656 Hkpnhgge.exe 2772 Hckcmjep.exe 2528 Hiekid32.exe 2496 Hnagjbdf.exe 2940 Hpocfncj.exe 1296 Hcnpbi32.exe 2820 Hellne32.exe 1236 Hhjhkq32.exe 1028 Hpapln32.exe 1924 Hcplhi32.exe 348 Henidd32.exe 588 Hhmepp32.exe 856 Hkkalk32.exe 2316 Hogmmjfo.exe 2268 Idceea32.exe 2880 Ilknfn32.exe 1852 Iknnbklc.exe 2460 Inljnfkg.exe 1096 Inljnfkg.exe 1288 Ifcbodli.exe 1772 Idfbkq32.exe 1596 Ihankokm.exe 552 Ikpjgkjq.exe 2128 Inngcfid.exe 2440 Iqmcpahh.exe 2696 Ihdkao32.exe 2080 Iggkllpe.exe 2648 Ikbgmj32.exe 2524 Inqcif32.exe 2628 Iblpjdpk.exe 2960 Ikddbj32.exe 2604 Ijgdngmf.exe 1600 Iqalka32.exe 2240 Icpigm32.exe 1944 Jjjacf32.exe 2840 Jnemdecl.exe 2236 Jqdipqbp.exe 1316 Jcbellac.exe 1496 Jfqahgpg.exe 2416 Jjlnif32.exe 2792 Jqfffqpm.exe 3048 Jfcnngnd.exe 1524 Jiakjb32.exe 996 Jmmfkafa.exe 1828 Jcgogk32.exe 2012 Jfekcg32.exe 2308 Jehkodcm.exe 2652 Jicgpb32.exe 2216 Jkbcln32.exe 2508 Jonplmcb.exe 2500 Jbllihbf.exe 1716 Jejhecaj.exe 1780 Jifdebic.exe 2036 Jkdpanhg.exe 2672 Joplbl32.exe 532 Jbnhng32.exe 1608 Kaaijdgn.exe 2556 Kemejc32.exe 2676 Kkgmgmfd.exe 2568 Kjjmbj32.exe 592 Kbqecg32.exe 1664 Kaceodek.exe -
Loads dropped DLL 64 IoCs
pid Process 1264 425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe 1264 425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe 1196 Hpkjko32.exe 1196 Hpkjko32.exe 3016 Hgdbhi32.exe 3016 Hgdbhi32.exe 2656 Hkpnhgge.exe 2656 Hkpnhgge.exe 2772 Hckcmjep.exe 2772 Hckcmjep.exe 2528 Hiekid32.exe 2528 Hiekid32.exe 2496 Hnagjbdf.exe 2496 Hnagjbdf.exe 2940 Hpocfncj.exe 2940 Hpocfncj.exe 1296 Hcnpbi32.exe 1296 Hcnpbi32.exe 2820 Hellne32.exe 2820 Hellne32.exe 1236 Hhjhkq32.exe 1236 Hhjhkq32.exe 1028 Hpapln32.exe 1028 Hpapln32.exe 1924 Hcplhi32.exe 1924 Hcplhi32.exe 348 Henidd32.exe 348 Henidd32.exe 588 Hhmepp32.exe 588 Hhmepp32.exe 856 Hkkalk32.exe 856 Hkkalk32.exe 2316 Hogmmjfo.exe 2316 Hogmmjfo.exe 2268 Idceea32.exe 2268 Idceea32.exe 2880 Ilknfn32.exe 2880 Ilknfn32.exe 1852 Iknnbklc.exe 1852 Iknnbklc.exe 2460 Inljnfkg.exe 2460 Inljnfkg.exe 1096 Inljnfkg.exe 1096 Inljnfkg.exe 1288 Ifcbodli.exe 1288 Ifcbodli.exe 1772 Idfbkq32.exe 1772 Idfbkq32.exe 1596 Ihankokm.exe 1596 Ihankokm.exe 552 Ikpjgkjq.exe 552 Ikpjgkjq.exe 2128 Inngcfid.exe 2128 Inngcfid.exe 2440 Iqmcpahh.exe 2440 Iqmcpahh.exe 2696 Ihdkao32.exe 2696 Ihdkao32.exe 2080 Iggkllpe.exe 2080 Iggkllpe.exe 2648 Ikbgmj32.exe 2648 Ikbgmj32.exe 2524 Inqcif32.exe 2524 Inqcif32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hmglajcd.exe Process not Found File created C:\Windows\SysWOW64\Ifpcchai.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jikhnaao.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lbqabkql.exe Loeebl32.exe File opened for modification C:\Windows\SysWOW64\Pdmnam32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gbqbaofc.exe Gnefapmj.exe File created C:\Windows\SysWOW64\Oecmogln.exe Process not Found File created C:\Windows\SysWOW64\Imbiaa32.dll Migbnb32.exe File opened for modification C:\Windows\SysWOW64\Obgkpb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ilnomp32.exe Process not Found File created C:\Windows\SysWOW64\Hnnhngjf.exe Process not Found File created C:\Windows\SysWOW64\Dkpnde32.dll Process not Found File created C:\Windows\SysWOW64\Egjbkk32.dll Lollckbk.exe File created C:\Windows\SysWOW64\Pqemdbaj.exe Pngphgbf.exe File opened for modification C:\Windows\SysWOW64\Peanbblf.exe Pohfehdi.exe File created C:\Windows\SysWOW64\Injqmdki.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gbaileio.exe Gpcmpijk.exe File created C:\Windows\SysWOW64\Oiffkkbk.exe Process not Found File created C:\Windows\SysWOW64\Bhonjg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ecploipa.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jjpcbe32.exe Jkmcfhkc.exe File opened for modification C:\Windows\SysWOW64\Pmmeon32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ikgkei32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Omfkke32.exe File created C:\Windows\SysWOW64\Kqknil32.exe Kmobhmnn.exe File created C:\Windows\SysWOW64\Lpedeg32.exe Lmfhil32.exe File created C:\Windows\SysWOW64\Meppiblm.exe Mmihhelk.exe File created C:\Windows\SysWOW64\Chqoipkk.exe Cebcmdlg.exe File created C:\Windows\SysWOW64\Fmlbjq32.exe Process not Found File created C:\Windows\SysWOW64\Nnjicjbf.exe Process not Found File created C:\Windows\SysWOW64\Pcefke32.dll Ldidkbpb.exe File created C:\Windows\SysWOW64\Caphpgkj.dll Process not Found File created C:\Windows\SysWOW64\Ecfnmh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gqaafn32.exe Process not Found File created C:\Windows\SysWOW64\Iennnogo.dll Process not Found File created C:\Windows\SysWOW64\Pqbolhmg.dll Process not Found File created C:\Windows\SysWOW64\Laqojfli.exe Process not Found File created C:\Windows\SysWOW64\Daekko32.dll Oancnfoe.exe File opened for modification C:\Windows\SysWOW64\Oiakgcnl.exe Ogcnkgoh.exe File created C:\Windows\SysWOW64\Bcebdq32.dll Dbojdmcd.exe File created C:\Windows\SysWOW64\Loeccoai.dll Process not Found File created C:\Windows\SysWOW64\Bemkcnno.dll Dddfdejn.exe File opened for modification C:\Windows\SysWOW64\Lkicbk32.exe Process not Found File created C:\Windows\SysWOW64\Fepiimfg.exe Fadminnn.exe File created C:\Windows\SysWOW64\Eiahmmdf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qnebjc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Knhjjj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ledibnco.exe Lnjafd32.exe File created C:\Windows\SysWOW64\Noejib32.dll Ckahkk32.exe File opened for modification C:\Windows\SysWOW64\Hedocp32.exe Hbfbgd32.exe File created C:\Windows\SysWOW64\Lnhdqdnd.exe Lpedeg32.exe File created C:\Windows\SysWOW64\Gmkkhgfk.dll Fjjnan32.exe File created C:\Windows\SysWOW64\Aaheie32.exe Abeemhkh.exe File opened for modification C:\Windows\SysWOW64\Knekla32.exe Kkgopf32.exe File opened for modification C:\Windows\SysWOW64\Ajeeeblb.exe Process not Found File created C:\Windows\SysWOW64\Ioliqbjn.exe Ilnmdgkj.exe File opened for modification C:\Windows\SysWOW64\Befmfpbi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Copjdhib.exe Process not Found File created C:\Windows\SysWOW64\Ibfmmb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Odlojanh.exe Oancnfoe.exe File opened for modification C:\Windows\SysWOW64\Pndpajgd.exe Pkfceo32.exe File created C:\Windows\SysWOW64\Pglabp32.dll Process not Found File created C:\Windows\SysWOW64\Ijlhmj32.dll Moiklogi.exe File created C:\Windows\SysWOW64\Edpmjj32.exe Emieil32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5156 5936 Process not Found 2112 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ginnnooi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fheabelm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inngcfid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffoia32.dll" Jicgpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmbalfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocalkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqfnjifg.dll" Lpgajgeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niehmp32.dll" Cejphiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcfkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcpehgf.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pojbkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajhiei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhimbk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbfhbeek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnojacgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lldlqakb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobgmfjh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oldpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhkdkaa.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mabgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbgnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iefamlak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqncakcq.dll" Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmccjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafcif32.dll" Ilcmjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljefkdjq.dll" Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflkbagk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mljgjbmc.dll" Jnhlbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glgjednf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Domqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgkdo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipcibkff.dll" Ekcaonhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abmdafpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgcbd32.dll" Bmkomchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglfle32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nebhgckp.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaldcb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1264 wrote to memory of 1196 1264 425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe 28 PID 1264 wrote to memory of 1196 1264 425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe 28 PID 1264 wrote to memory of 1196 1264 425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe 28 PID 1264 wrote to memory of 1196 1264 425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe 28 PID 1196 wrote to memory of 3016 1196 Hpkjko32.exe 29 PID 1196 wrote to memory of 3016 1196 Hpkjko32.exe 29 PID 1196 wrote to memory of 3016 1196 Hpkjko32.exe 29 PID 1196 wrote to memory of 3016 1196 Hpkjko32.exe 29 PID 3016 wrote to memory of 2656 3016 Hgdbhi32.exe 30 PID 3016 wrote to memory of 2656 3016 Hgdbhi32.exe 30 PID 3016 wrote to memory of 2656 3016 Hgdbhi32.exe 30 PID 3016 wrote to memory of 2656 3016 Hgdbhi32.exe 30 PID 2656 wrote to memory of 2772 2656 Hkpnhgge.exe 31 PID 2656 wrote to memory of 2772 2656 Hkpnhgge.exe 31 PID 2656 wrote to memory of 2772 2656 Hkpnhgge.exe 31 PID 2656 wrote to memory of 2772 2656 Hkpnhgge.exe 31 PID 2772 wrote to memory of 2528 2772 Hckcmjep.exe 32 PID 2772 wrote to memory of 2528 2772 Hckcmjep.exe 32 PID 2772 wrote to memory of 2528 2772 Hckcmjep.exe 32 PID 2772 wrote to memory of 2528 2772 Hckcmjep.exe 32 PID 2528 wrote to memory of 2496 2528 Hiekid32.exe 33 PID 2528 wrote to memory of 2496 2528 Hiekid32.exe 33 PID 2528 wrote to memory of 2496 2528 Hiekid32.exe 33 PID 2528 wrote to memory of 2496 2528 Hiekid32.exe 33 PID 2496 wrote to memory of 2940 2496 Hnagjbdf.exe 34 PID 2496 wrote to memory of 2940 2496 Hnagjbdf.exe 34 PID 2496 wrote to memory of 2940 2496 Hnagjbdf.exe 34 PID 2496 wrote to memory of 2940 2496 Hnagjbdf.exe 34 PID 2940 wrote to memory of 1296 2940 Hpocfncj.exe 35 PID 2940 wrote to memory of 1296 2940 Hpocfncj.exe 35 PID 2940 wrote to memory of 1296 2940 Hpocfncj.exe 35 PID 2940 wrote to memory of 1296 2940 Hpocfncj.exe 35 PID 1296 wrote to memory of 2820 1296 Hcnpbi32.exe 36 PID 1296 wrote to memory of 2820 1296 Hcnpbi32.exe 36 PID 1296 wrote to memory of 2820 1296 Hcnpbi32.exe 36 PID 1296 wrote to memory of 2820 1296 Hcnpbi32.exe 36 PID 2820 wrote to memory of 1236 2820 Hellne32.exe 37 PID 2820 wrote to memory of 1236 2820 Hellne32.exe 37 PID 2820 wrote to memory of 1236 2820 Hellne32.exe 37 PID 2820 wrote to memory of 1236 2820 Hellne32.exe 37 PID 1236 wrote to memory of 1028 1236 Hhjhkq32.exe 38 PID 1236 wrote to memory of 1028 1236 Hhjhkq32.exe 38 PID 1236 wrote to memory of 1028 1236 Hhjhkq32.exe 38 PID 1236 wrote to memory of 1028 1236 Hhjhkq32.exe 38 PID 1028 wrote to memory of 1924 1028 Hpapln32.exe 39 PID 1028 wrote to memory of 1924 1028 Hpapln32.exe 39 PID 1028 wrote to memory of 1924 1028 Hpapln32.exe 39 PID 1028 wrote to memory of 1924 1028 Hpapln32.exe 39 PID 1924 wrote to memory of 348 1924 Hcplhi32.exe 40 PID 1924 wrote to memory of 348 1924 Hcplhi32.exe 40 PID 1924 wrote to memory of 348 1924 Hcplhi32.exe 40 PID 1924 wrote to memory of 348 1924 Hcplhi32.exe 40 PID 348 wrote to memory of 588 348 Henidd32.exe 41 PID 348 wrote to memory of 588 348 Henidd32.exe 41 PID 348 wrote to memory of 588 348 Henidd32.exe 41 PID 348 wrote to memory of 588 348 Henidd32.exe 41 PID 588 wrote to memory of 856 588 Hhmepp32.exe 42 PID 588 wrote to memory of 856 588 Hhmepp32.exe 42 PID 588 wrote to memory of 856 588 Hhmepp32.exe 42 PID 588 wrote to memory of 856 588 Hhmepp32.exe 42 PID 856 wrote to memory of 2316 856 Hkkalk32.exe 43 PID 856 wrote to memory of 2316 856 Hkkalk32.exe 43 PID 856 wrote to memory of 2316 856 Hkkalk32.exe 43 PID 856 wrote to memory of 2316 856 Hkkalk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\425c876bc39e2ecd1bbe1cd2755ea333aa0579287b66c79fd22a9b2f1f3f6c6b_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe33⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe34⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe35⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe36⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe37⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe39⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe40⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe41⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe42⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe43⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe44⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe45⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe46⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe47⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe48⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe49⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe50⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe52⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe53⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe54⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe55⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe56⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe57⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe58⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe59⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe60⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe61⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe62⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe63⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe64⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe65⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe66⤵PID:2168
-
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe67⤵PID:1040
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3028 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe69⤵PID:1348
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe70⤵PID:1760
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe71⤵PID:2788
-
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe72⤵PID:2876
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe73⤵PID:1636
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe74⤵PID:1808
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe75⤵PID:1584
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe76⤵PID:1508
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe77⤵PID:780
-
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe78⤵PID:1132
-
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe79⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe80⤵PID:656
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe81⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe82⤵PID:1912
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe83⤵PID:1568
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe84⤵PID:2480
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe85⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe86⤵PID:1932
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe87⤵PID:2412
-
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe88⤵PID:564
-
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe89⤵PID:2292
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe90⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe91⤵PID:1984
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe92⤵PID:2688
-
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe93⤵PID:268
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe94⤵PID:1528
-
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe95⤵PID:1748
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe96⤵PID:476
-
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe97⤵PID:2280
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe98⤵PID:408
-
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe99⤵
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe100⤵PID:2664
-
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe101⤵PID:340
-
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe102⤵PID:2532
-
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe103⤵PID:1668
-
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe104⤵PID:1680
-
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe105⤵PID:572
-
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe106⤵
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe107⤵PID:2000
-
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe108⤵PID:1060
-
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe109⤵PID:1400
-
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe110⤵PID:1792
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe111⤵PID:1576
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe112⤵PID:3024
-
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe113⤵PID:2952
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe114⤵PID:2452
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe115⤵PID:2392
-
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe116⤵PID:632
-
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe117⤵PID:2220
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe118⤵PID:2564
-
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe119⤵PID:2748
-
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe120⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe121⤵PID:788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-