Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29/06/2024, 03:45
Static task: static1
Behavioral task: behavioral1
- Sample: 5c15f88a34a6e21f30b72b6603563fab8f7f945004d05a246fa32e02fb28644f_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 5c15f88a34a6e21f30b72b6603563fab8f7f945004d05a246fa32e02fb28644f_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 5c15f88a34a6e21f30b72b6603563fab8f7f945004d05a246fa32e02fb28644f_NeikiAnalytics.exe
- Size: 69KB
- MD5: 0b512c26655526a25e0d0ce6d3056c10
- SHA1: 40aea545eea9997d48a953d3fd550fc3b2ef308a
- SHA256: 5c15f88a34a6e21f30b72b6603563fab8f7f945004d05a246fa32e02fb28644f
- SHA512: 9f9bb00892fd3326507d39fccc00f19a40b1a6046da3a50fc62f78f69a5e809fbe06e32a841aa5c81ce3202c2396f3f6b5fa781d1825dce5ce41f850c88a3c26
- SSDEEP: 1536:l+wQhqVEKTZd45FFgHWwjZ4PoNein/GFZCeDAyY:HQhqVEKTk5FQWwjqoNFn/GFZC1yY
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Program crash (1 IoC)
  pid 4204, pid_target 4180, Process WerFault.exe, procid_target 364
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (tree depth in brackets; each entry is a child of the one above it)
[1] C:\Users\Admin\AppData\Local\Temp\5c15f88a34a6e21f30b72b6603563fab8f7f945004d05a246fa32e02fb28644f_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5c15f88a34a6e21f30b72b6603563fab8f7f945004d05a246fa32e02fb28644f_NeikiAnalytics.exe"
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1044
[2] C:\Windows\SysWOW64\Kinaqg32.exe
    Command line: C:\Windows\system32\Kinaqg32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2736
[3] C:\Windows\SysWOW64\Kphimanc.exe
    Command line: C:\Windows\system32\Kphimanc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 812
[4] C:\Windows\SysWOW64\Kedaeh32.exe
    Command line: C:\Windows\system32\Kedaeh32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2568
[5] C:\Windows\SysWOW64\Khcnad32.exe
    Command line: C:\Windows\system32\Khcnad32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2612
[6] C:\Windows\SysWOW64\Kpjfba32.exe
    Command line: C:\Windows\system32\Kpjfba32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2720
[7] C:\Windows\SysWOW64\Kbhbom32.exe
    Command line: C:\Windows\system32\Kbhbom32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2632
[8] C:\Windows\SysWOW64\Kegnkh32.exe
    Command line: C:\Windows\system32\Kegnkh32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2488
[9] C:\Windows\SysWOW64\Khekgc32.exe
    Command line: C:\Windows\system32\Khekgc32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 3044
[10] C:\Windows\SysWOW64\Kjcgco32.exe
    Command line: C:\Windows\system32\Kjcgco32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2636
[11] C:\Windows\SysWOW64\Keikqhhe.exe
    Command line: C:\Windows\system32\Keikqhhe.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2328
[12] C:\Windows\SysWOW64\Lhggmchi.exe
    Command line: C:\Windows\system32\Lhggmchi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:708 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe34⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe36⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe42⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe43⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe44⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe45⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe46⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe47⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe48⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe51⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe52⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe53⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe54⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe56⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe58⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe59⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe60⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe62⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe64⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe66⤵PID:1432
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe67⤵PID:1728
-
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe68⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe70⤵PID:2196
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe71⤵PID:2824
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe72⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe73⤵PID:2572
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe74⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe75⤵PID:2200
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe76⤵PID:2832
-
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe77⤵PID:1912
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe79⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe80⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe81⤵PID:660
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe82⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe83⤵PID:412
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe84⤵PID:2436
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe85⤵PID:308
-
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe86⤵PID:3056
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe88⤵PID:2696
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe89⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe90⤵PID:2516
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe91⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe92⤵PID:2008
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe93⤵PID:1112
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe94⤵PID:1692
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe95⤵
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe96⤵PID:1232
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe97⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe98⤵PID:692
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe103⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe107⤵PID:2988
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe108⤵PID:2388
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe109⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe110⤵PID:1352
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe111⤵PID:1260
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe112⤵PID:1612
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe113⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe114⤵PID:2744
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe115⤵PID:2396
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe117⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe118⤵PID:1716
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe119⤵PID:1500
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe120⤵PID:1828
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe122⤵PID:3068
-