Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 09:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe
-
Size
320KB
-
MD5
279b84716846f5128997f36e3e7f08d0
-
SHA1
5ed2f5b0798f6e6c4e91cc04c2ecb765cd8020b3
-
SHA256
9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1
-
SHA512
dcd9b5925b4f2aa9f5a5f37e7d4636764bdb613ab9711b79de14c995a52945a75cd6bc8df5ddd83df42e3e2c89de0c98bc7b4340cd2952b34123f1f19b2c7707
-
SSDEEP
6144:rYO//XNLg4OKQO+zrWnAdqjeOpKfduBX2QO+zrWnAdqjsqwp:d/T/+zrWAI5KFum/+zrWAIAqe
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmdadnkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmfbogcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpphap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjfccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfmfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfmjgeaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giieco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojcecjee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhljdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgbhabjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemkjiem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbqabkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hapicp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mencccop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdcpdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepiimfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iblpjdpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bekkcljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npdjje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmjaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joifam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mencccop.exe -
Executes dropped EXE 64 IoCs
pid Process 3004 Fphafl32.exe 2664 Gpknlk32.exe 2660 Gegfdb32.exe 2576 Gopkmhjk.exe 2464 Gldkfl32.exe 2024 Gelppaof.exe 2300 Gkihhhnm.exe 1860 Gdamqndn.exe 2316 Gmjaic32.exe 2388 Hgbebiao.exe 1548 Hiqbndpb.exe 1032 Hicodd32.exe 1276 Hckcmjep.exe 2804 Hlcgeo32.exe 1956 Hellne32.exe 640 Hodpgjha.exe 1640 Hjjddchg.exe 2132 Ieqeidnl.exe 1928 Idceea32.exe 1308 Iknnbklc.exe 2224 Inljnfkg.exe 1556 Ifcbodli.exe 1488 Ihankokm.exe 828 Iajcde32.exe 1272 Idhopq32.exe 2168 Iggkllpe.exe 1540 Iblpjdpk.exe 2540 Idklfpon.exe 2676 Ikddbj32.exe 2448 Incpoe32.exe 2548 Icpigm32.exe 1368 Jjjacf32.exe 3024 Jqdipqbp.exe 2004 Jfqahgpg.exe 1544 Jiondcpk.exe 1944 Joifam32.exe 1664 Jfcnngnd.exe 1728 Jmmfkafa.exe 692 Jokcgmee.exe 948 Jkbcln32.exe 1280 Jnqphi32.exe 2616 Jfghif32.exe 2768 Jnclnihj.exe 1144 Kemejc32.exe 1468 Kjjmbj32.exe 860 Kneicieh.exe 928 Kcbakpdo.exe 1756 Kkijmm32.exe 2788 Kngfih32.exe 2020 Kafbec32.exe 3000 Keanebkb.exe 2028 Kfbkmk32.exe 1532 Kmmcjehm.exe 2636 Kahojc32.exe 2552 Kgbggnhc.exe 3048 Kjqccigf.exe 2424 Kiccofna.exe 2212 Kpmlkp32.exe 1476 Kblhgk32.exe 1856 Kfgdhjmk.exe 1668 Lldlqakb.exe 1920 Lpphap32.exe 268 Lbnemk32.exe 1372 Lemaif32.exe -
Loads dropped DLL 64 IoCs
pid Process 2252 9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe 2252 9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe 3004 Fphafl32.exe 3004 Fphafl32.exe 2664 Gpknlk32.exe 2664 Gpknlk32.exe 2660 Gegfdb32.exe 2660 Gegfdb32.exe 2576 Gopkmhjk.exe 2576 Gopkmhjk.exe 2464 Gldkfl32.exe 2464 Gldkfl32.exe 2024 Gelppaof.exe 2024 Gelppaof.exe 2300 Gkihhhnm.exe 2300 Gkihhhnm.exe 1860 Gdamqndn.exe 1860 Gdamqndn.exe 2316 Gmjaic32.exe 2316 Gmjaic32.exe 2388 Hgbebiao.exe 2388 Hgbebiao.exe 1548 Hiqbndpb.exe 1548 Hiqbndpb.exe 1032 Hicodd32.exe 1032 Hicodd32.exe 1276 Hckcmjep.exe 1276 Hckcmjep.exe 2804 Hlcgeo32.exe 2804 Hlcgeo32.exe 1956 Hellne32.exe 1956 Hellne32.exe 640 Hodpgjha.exe 640 Hodpgjha.exe 1640 Hjjddchg.exe 1640 Hjjddchg.exe 2132 Ieqeidnl.exe 2132 Ieqeidnl.exe 1928 Idceea32.exe 1928 Idceea32.exe 1308 Iknnbklc.exe 1308 Iknnbklc.exe 2224 Inljnfkg.exe 2224 Inljnfkg.exe 1556 Ifcbodli.exe 1556 Ifcbodli.exe 1488 Ihankokm.exe 1488 Ihankokm.exe 828 Iajcde32.exe 828 Iajcde32.exe 1272 Idhopq32.exe 1272 Idhopq32.exe 2168 Iggkllpe.exe 2168 Iggkllpe.exe 1540 Iblpjdpk.exe 1540 Iblpjdpk.exe 2540 Idklfpon.exe 2540 Idklfpon.exe 2676 Ikddbj32.exe 2676 Ikddbj32.exe 2448 Incpoe32.exe 2448 Incpoe32.exe 2548 Icpigm32.exe 2548 Icpigm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pcefke32.dll Lajhofao.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pjenhm32.exe File created C:\Windows\SysWOW64\Kfpgmdog.exe Kcakaipc.exe File created C:\Windows\SysWOW64\Dqlcpbbm.dll Lpphap32.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lemaif32.exe File created C:\Windows\SysWOW64\Kahojc32.exe Kmmcjehm.exe File created C:\Windows\SysWOW64\Bbnhbg32.dll Ndmjedoi.exe File created C:\Windows\SysWOW64\Igdaoinc.dll Aekodi32.exe File opened for modification C:\Windows\SysWOW64\Cafecmlj.exe Cklmgb32.exe File opened for modification C:\Windows\SysWOW64\Cdlgpgef.exe Cldooj32.exe File opened for modification C:\Windows\SysWOW64\Ipllekdl.exe Ilqpdm32.exe File created C:\Windows\SysWOW64\Ikddbj32.exe Idklfpon.exe File created C:\Windows\SysWOW64\Gpmcnehn.dll Incpoe32.exe File opened for modification C:\Windows\SysWOW64\Pqkmjh32.exe Pbhmnkjf.exe File opened for modification C:\Windows\SysWOW64\Bekkcljk.exe Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Jnkpbcjg.exe Jhngjmlo.exe File created C:\Windows\SysWOW64\Mencccop.exe Mabgcd32.exe File created C:\Windows\SysWOW64\Kjbgng32.dll Npojdpef.exe File created C:\Windows\SysWOW64\Nhnijp32.dll Idhopq32.exe File created C:\Windows\SysWOW64\Bibkki32.dll Lafndg32.exe File opened for modification C:\Windows\SysWOW64\Alnqqd32.exe Qedhdjnh.exe File created C:\Windows\SysWOW64\Dfmdho32.exe Cdlgpgef.exe File opened for modification C:\Windows\SysWOW64\Lpdbloof.exe Lijjoe32.exe File opened for modification C:\Windows\SysWOW64\Pjenhm32.exe Pfjbgnme.exe File opened for modification C:\Windows\SysWOW64\Ecejkf32.exe Eqgnokip.exe File created C:\Windows\SysWOW64\Kjdilgpc.exe Kgemplap.exe File created C:\Windows\SysWOW64\Iggkllpe.exe Idhopq32.exe File opened for modification C:\Windows\SysWOW64\Lijjoe32.exe Leonofpp.exe File created C:\Windows\SysWOW64\Kkjcplpa.exe Kilfcpqm.exe File created C:\Windows\SysWOW64\Jdnaob32.dll Iknnbklc.exe File created C:\Windows\SysWOW64\Jepgqikf.dll Iajcde32.exe File opened for modification C:\Windows\SysWOW64\Kneicieh.exe Kjjmbj32.exe File created C:\Windows\SysWOW64\Blpjegfm.exe Biamilfj.exe File opened for modification C:\Windows\SysWOW64\Pqhpdhcc.exe Pnjdhmdo.exe File created C:\Windows\SysWOW64\Mmnclh32.dll Dlnbeh32.exe File created C:\Windows\SysWOW64\Ioaifhid.exe Ikfmfi32.exe File created C:\Windows\SysWOW64\Jhngjmlo.exe Jdbkjn32.exe File opened for modification C:\Windows\SysWOW64\Gkihhhnm.exe Gelppaof.exe File created C:\Windows\SysWOW64\Cfnlkbne.dll Lahkigca.exe File created C:\Windows\SysWOW64\Lhpfqama.exe Lafndg32.exe File created C:\Windows\SysWOW64\Fehofegb.dll Alnqqd32.exe File created C:\Windows\SysWOW64\Bioqclil.exe Bhndldcn.exe File created C:\Windows\SysWOW64\Cjfccn32.exe Cclkfdnc.exe File opened for modification C:\Windows\SysWOW64\Gmbdnn32.exe Gifhnpea.exe File created C:\Windows\SysWOW64\Lpekon32.exe Lndohedg.exe File created C:\Windows\SysWOW64\Hlcgeo32.exe Hckcmjep.exe File created C:\Windows\SysWOW64\Kcbakpdo.exe Kneicieh.exe File created C:\Windows\SysWOW64\Lpjdjmfp.exe Liplnc32.exe File opened for modification C:\Windows\SysWOW64\Gifhnpea.exe Ghelfg32.exe File created C:\Windows\SysWOW64\Dkcinege.dll Hgjefg32.exe File created C:\Windows\SysWOW64\Mlfojn32.exe Melfncqb.exe File created C:\Windows\SysWOW64\Ofjfhk32.exe Oclilp32.exe File created C:\Windows\SysWOW64\Ceaadk32.exe Cafecmlj.exe File opened for modification C:\Windows\SysWOW64\Bhndldcn.exe Bpgljfbl.exe File created C:\Windows\SysWOW64\Dndlim32.exe Dfmdho32.exe File created C:\Windows\SysWOW64\Lhefhd32.dll Fmbhok32.exe File created C:\Windows\SysWOW64\Lccdel32.exe Laegiq32.exe File created C:\Windows\SysWOW64\Lkoacn32.dll Mmfbogcn.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Papfegmk.exe File created C:\Windows\SysWOW64\Egjpkffe.exe Edkcojga.exe File created C:\Windows\SysWOW64\Eqgnokip.exe Enhacojl.exe File created C:\Windows\SysWOW64\Bmeelpbm.dll Jdbkjn32.exe File opened for modification C:\Windows\SysWOW64\Kfpgmdog.exe Kcakaipc.exe File created C:\Windows\SysWOW64\Cgmgbeon.dll Mholen32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4312 4180 WerFault.exe 442 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmabnaj.dll" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjmjp32.dll" Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdbkjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbiqfied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jiondcpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopodh32.dll" Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnijp32.dll" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffoia32.dll" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" Nehmdhja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkhofjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepgqikf.dll" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmgg32.dll" Dfmdho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgaqoq32.dll" Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmfgh32.dll" Hhgdkjol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnicmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Cjdfmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnhde32.dll" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmgninie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcefke32.dll" Lajhofao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lccdel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhhfdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obcccl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhpiojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhckpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll" Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmfll32.dll" Ldfgebbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mihiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bppoqeja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpjdjmfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfbkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcghbk32.dll" Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejmebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkhnle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oclilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aefeijle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fncdgcqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmbknddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcmap32.dll" Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnclh32.dll" Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inljnfkg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2252 wrote to memory of 3004 2252 9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe 28 PID 2252 wrote to memory of 3004 2252 9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe 28 PID 2252 wrote to memory of 3004 2252 9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe 28 PID 2252 wrote to memory of 3004 2252 9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe 28 PID 3004 wrote to memory of 2664 3004 Fphafl32.exe 29 PID 3004 wrote to memory of 2664 3004 Fphafl32.exe 29 PID 3004 wrote to memory of 2664 3004 Fphafl32.exe 29 PID 3004 wrote to memory of 2664 3004 Fphafl32.exe 29 PID 2664 wrote to memory of 2660 2664 Gpknlk32.exe 30 PID 2664 wrote to memory of 2660 2664 Gpknlk32.exe 30 PID 2664 wrote to memory of 2660 2664 Gpknlk32.exe 30 PID 2664 wrote to memory of 2660 2664 Gpknlk32.exe 30 PID 2660 wrote to memory of 2576 2660 Gegfdb32.exe 31 PID 2660 wrote to memory of 2576 2660 Gegfdb32.exe 31 PID 2660 wrote to memory of 2576 2660 Gegfdb32.exe 31 PID 2660 wrote to memory of 2576 2660 Gegfdb32.exe 31 PID 2576 wrote to memory of 2464 2576 Gopkmhjk.exe 32 PID 2576 wrote to memory of 2464 2576 Gopkmhjk.exe 32 PID 2576 wrote to memory of 2464 2576 Gopkmhjk.exe 32 PID 2576 wrote to memory of 2464 2576 Gopkmhjk.exe 32 PID 2464 wrote to memory of 2024 2464 Gldkfl32.exe 33 PID 2464 wrote to memory of 2024 2464 Gldkfl32.exe 33 PID 2464 wrote to memory of 2024 2464 Gldkfl32.exe 33 PID 2464 wrote to memory of 2024 2464 Gldkfl32.exe 33 PID 2024 wrote to memory of 2300 2024 Gelppaof.exe 34 PID 2024 wrote to memory of 2300 2024 Gelppaof.exe 34 PID 2024 wrote to memory of 2300 2024 Gelppaof.exe 34 PID 2024 wrote to memory of 2300 2024 Gelppaof.exe 34 PID 2300 wrote to memory of 1860 2300 Gkihhhnm.exe 35 PID 2300 wrote to memory of 1860 2300 Gkihhhnm.exe 35 PID 2300 wrote to memory of 1860 2300 Gkihhhnm.exe 35 PID 2300 wrote to memory of 1860 2300 Gkihhhnm.exe 35 PID 1860 wrote to memory of 2316 1860 Gdamqndn.exe 36 PID 1860 wrote to memory of 2316 1860 Gdamqndn.exe 36 PID 1860 wrote to memory of 2316 1860 Gdamqndn.exe 36 PID 1860 wrote to memory of 2316 1860 Gdamqndn.exe 36 PID 2316 wrote to memory of 2388 2316 Gmjaic32.exe 37 PID 2316 wrote to memory of 2388 2316 Gmjaic32.exe 37 PID 2316 wrote to memory of 2388 2316 Gmjaic32.exe 37 PID 2316 wrote to memory of 2388 2316 Gmjaic32.exe 37 PID 2388 wrote to memory of 1548 2388 Hgbebiao.exe 38 PID 2388 wrote to memory of 1548 2388 Hgbebiao.exe 38 PID 2388 wrote to memory of 1548 2388 Hgbebiao.exe 38 PID 2388 wrote to memory of 1548 2388 Hgbebiao.exe 38 PID 1548 wrote to memory of 1032 1548 Hiqbndpb.exe 39 PID 1548 wrote to memory of 1032 1548 Hiqbndpb.exe 39 PID 1548 wrote to memory of 1032 1548 Hiqbndpb.exe 39 PID 1548 wrote to memory of 1032 1548 Hiqbndpb.exe 39 PID 1032 wrote to memory of 1276 1032 Hicodd32.exe 40 PID 1032 wrote to memory of 1276 1032 Hicodd32.exe 40 PID 1032 wrote to memory of 1276 1032 Hicodd32.exe 40 PID 1032 wrote to memory of 1276 1032 Hicodd32.exe 40 PID 1276 wrote to memory of 2804 1276 Hckcmjep.exe 41 PID 1276 wrote to memory of 2804 1276 Hckcmjep.exe 41 PID 1276 wrote to memory of 2804 1276 Hckcmjep.exe 41 PID 1276 wrote to memory of 2804 1276 Hckcmjep.exe 41 PID 2804 wrote to memory of 1956 2804 Hlcgeo32.exe 42 PID 2804 wrote to memory of 1956 2804 Hlcgeo32.exe 42 PID 2804 wrote to memory of 1956 2804 Hlcgeo32.exe 42 PID 2804 wrote to memory of 1956 2804 Hlcgeo32.exe 42 PID 1956 wrote to memory of 640 1956 Hellne32.exe 43 PID 1956 wrote to memory of 640 1956 Hellne32.exe 43 PID 1956 wrote to memory of 640 1956 Hellne32.exe 43 PID 1956 wrote to memory of 640 1956 Hellne32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9b2f8ae54eeb57faa83bec28bdc625d5b66518d2043696f4f4ca53dbe0eb7bd1_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:640 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe33⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe34⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe35⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe39⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe41⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe42⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe43⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe44⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe48⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe49⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe50⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe51⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe52⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe55⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe56⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe57⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe58⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe60⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe61⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe62⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe64⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe66⤵PID:1284
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe67⤵PID:2776
-
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe69⤵
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe70⤵
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe71⤵
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe72⤵PID:2236
-
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe73⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe74⤵PID:1512
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe76⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe78⤵PID:2828
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe79⤵PID:320
-
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe81⤵PID:1688
-
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe82⤵PID:2208
-
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe84⤵PID:2392
-
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe85⤵PID:448
-
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe86⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe87⤵PID:1056
-
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe88⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe89⤵PID:2012
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe90⤵PID:2108
-
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe91⤵PID:2564
-
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe93⤵PID:2864
-
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe94⤵PID:1916
-
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe95⤵PID:1616
-
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe96⤵PID:1604
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe97⤵PID:1900
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe98⤵
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:920 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe100⤵PID:2708
-
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe101⤵PID:1636
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe102⤵PID:1552
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe103⤵PID:2740
-
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe104⤵PID:2272
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe105⤵PID:2000
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe106⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe107⤵PID:2528
-
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe108⤵PID:2444
-
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe109⤵PID:2308
-
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe110⤵
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe111⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe112⤵PID:308
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe113⤵PID:1052
-
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1196 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe115⤵PID:1992
-
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe116⤵PID:1800
-
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe117⤵PID:1908
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe118⤵PID:2748
-
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe119⤵PID:2568
-
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe120⤵PID:2440
-
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe121⤵PID:1464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-