Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
100s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11/05/2024, 01:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5210aa22d235c6d1e6f479cf4c2a08c0_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5210aa22d235c6d1e6f479cf4c2a08c0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5210aa22d235c6d1e6f479cf4c2a08c0_NeikiAnalytics.exe
-
Size
390KB
-
MD5
5210aa22d235c6d1e6f479cf4c2a08c0
-
SHA1
18c1131643dd3d85e5971eff9542c4f97b1dd177
-
SHA256
6f00e5ff92c02e854697f425018410e93ee39f505bd0306faed3803af03bf073
-
SHA512
6d413595fd7fb3fce1afc71c9eb5ed6c615b2ce8792b580a306f8c6fa835bda3415e460541da50d91d51fb470c80ddb8b2cb3a42f7950a45791517ab282d119a
-
SSDEEP
6144:VGdX66b+X0RjtdgOPAUvgkNRgdgOPAUvgkG:VGoUngEiM2gEif
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkpheidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpnmbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngdmod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckhecmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njljefql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhddjfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlnon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idhnkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcahd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmijq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbgipldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekacmjgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahenokjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnhnaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqglkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhdbhcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjfnedho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclang32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geohklaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcpllo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdbhcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imoneg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedeph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbhfjljd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leenhhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maiccajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkfkfohj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gohhpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpmoiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mibijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcobaedj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkalplel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibojncfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anpncp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajkhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amddjegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjgebf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilpmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdpmbc32.exe -
Executes dropped EXE 64 IoCs
pid Process 3024 Ibojncfj.exe 3852 Ijfboafl.exe 1348 Ifmcdblq.exe 552 Iabgaklg.exe 2620 Ibccic32.exe 1832 Ijkljp32.exe 1792 Imihfl32.exe 1576 Jpgdbg32.exe 4656 Jbfpobpb.exe 4776 Jfaloa32.exe 1336 Jjmhppqd.exe 4240 Jiphkm32.exe 3748 Jagqlj32.exe 2584 Jpjqhgol.exe 972 Jdemhe32.exe 2044 Jbhmdbnp.exe 844 Jjpeepnb.exe 2280 Jibeql32.exe 3124 Jmnaakne.exe 2976 Jaimbj32.exe 824 Jdhine32.exe 4556 Jbkjjblm.exe 1056 Jjbako32.exe 2684 Jidbflcj.exe 2864 Jmpngk32.exe 1772 Jaljgidl.exe 5088 Jbmfoa32.exe 5092 Jfhbppbc.exe 2964 Jkdnpo32.exe 3348 Jigollag.exe 1424 Jmbklj32.exe 4940 Jpaghf32.exe 1508 Jdmcidam.exe 1172 Jbocea32.exe 1884 Jfkoeppq.exe 1700 Jkfkfohj.exe 3204 Jiikak32.exe 4580 Kmegbjgn.exe 1376 Kpccnefa.exe 1060 Kdopod32.exe 1092 Kbapjafe.exe 3336 Kkihknfg.exe 2140 Kilhgk32.exe 3508 Kmgdgjek.exe 2004 Kpepcedo.exe 4660 Kbdmpqcb.exe 2292 Kkkdan32.exe 2768 Kinemkko.exe 4604 Kmjqmi32.exe 3236 Kphmie32.exe 828 Kdcijcke.exe 4784 Kbfiep32.exe 4456 Kgbefoji.exe 1848 Kknafn32.exe 1256 Kmlnbi32.exe 1540 Kagichjo.exe 4460 Kpjjod32.exe 1552 Kdffocib.exe 3064 Kgdbkohf.exe 4628 Kibnhjgj.exe 4016 Kmnjhioc.exe 2336 Kpmfddnf.exe 116 Kdhbec32.exe 4396 Kckbqpnj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mamleegg.exe Mnapdf32.exe File created C:\Windows\SysWOW64\Phincl32.exe Poajkgnc.exe File created C:\Windows\SysWOW64\Pnplfj32.exe Process not Found File created C:\Windows\SysWOW64\Pellipfm.dll Lmccchkn.exe File created C:\Windows\SysWOW64\Qdldlm32.dll Pkhoae32.exe File created C:\Windows\SysWOW64\Dhpjkojk.exe Dafbne32.exe File opened for modification C:\Windows\SysWOW64\Edpnfo32.exe Eemnjbaj.exe File created C:\Windows\SysWOW64\Mejpje32.exe Mjellmbp.exe File created C:\Windows\SysWOW64\Akcaoeoo.dll Eoideh32.exe File opened for modification C:\Windows\SysWOW64\Kageaj32.exe Kjmmepfj.exe File created C:\Windows\SysWOW64\Ddplkbaa.dll Jdmgfedl.exe File opened for modification C:\Windows\SysWOW64\Mmmqhl32.exe Process not Found File created C:\Windows\SysWOW64\Eadopc32.exe Eofbch32.exe File created C:\Windows\SysWOW64\Hckjacjg.exe Hiefcj32.exe File created C:\Windows\SysWOW64\Kgngca32.dll Qfcfml32.exe File created C:\Windows\SysWOW64\Ggnedlao.exe Gdoihpbk.exe File created C:\Windows\SysWOW64\Nbbond32.dll Mjneln32.exe File created C:\Windows\SysWOW64\Dbbffdlq.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Nlfndjhh.dll Gfokoelp.exe File created C:\Windows\SysWOW64\Dapnbcqo.dll Phdnngdn.exe File created C:\Windows\SysWOW64\Mfbhmo32.dll Bkjiao32.exe File opened for modification C:\Windows\SysWOW64\Ocgmpccl.exe Onjegled.exe File created C:\Windows\SysWOW64\Jpmgll32.dll Ikndgg32.exe File created C:\Windows\SysWOW64\Koodbl32.exe Process not Found File created C:\Windows\SysWOW64\Hpomcp32.exe Hjedffig.exe File created C:\Windows\SysWOW64\Ohkkhhmh.exe Oobfob32.exe File opened for modification C:\Windows\SysWOW64\Odgqdlnj.exe Ojalgcnd.exe File created C:\Windows\SysWOW64\Becnaq32.dll Hnhghcki.exe File opened for modification C:\Windows\SysWOW64\Kmgdgjek.exe Kilhgk32.exe File opened for modification C:\Windows\SysWOW64\Feocelll.exe Eemgplno.exe File created C:\Windows\SysWOW64\Majjng32.exe Miofjepg.exe File created C:\Windows\SysWOW64\Dmokdgeg.dll Process not Found File created C:\Windows\SysWOW64\Bccbakce.dll Fdepgkgj.exe File created C:\Windows\SysWOW64\Mjfmcmai.dll Cohkokgj.exe File created C:\Windows\SysWOW64\Njogjfoj.exe Nklfoi32.exe File opened for modification C:\Windows\SysWOW64\Klljnp32.exe Kebbafoj.exe File created C:\Windows\SysWOW64\Qiginoqd.dll Amaqjp32.exe File opened for modification C:\Windows\SysWOW64\Hdpbon32.exe Hjjnae32.exe File created C:\Windows\SysWOW64\Bmkjkd32.exe Aepefb32.exe File opened for modification C:\Windows\SysWOW64\Ggcfja32.exe Gkleeplq.exe File opened for modification C:\Windows\SysWOW64\Kbghfc32.exe Kiodmn32.exe File created C:\Windows\SysWOW64\Ccicgnco.dll Epagkd32.exe File created C:\Windows\SysWOW64\Igigla32.exe Ilccoh32.exe File created C:\Windows\SysWOW64\Nmgjia32.exe Ngjbaj32.exe File created C:\Windows\SysWOW64\Njljefql.exe Nkjjij32.exe File opened for modification C:\Windows\SysWOW64\Pqnaim32.exe Pgemphmn.exe File created C:\Windows\SysWOW64\Kplcdidf.dll Eaklidoi.exe File created C:\Windows\SysWOW64\Bogcgj32.exe Aimkjp32.exe File created C:\Windows\SysWOW64\Dflmlj32.exe Dlghoa32.exe File created C:\Windows\SysWOW64\Gaigbkko.dll Fdglmkeg.exe File created C:\Windows\SysWOW64\Gphgbafl.exe Gklnjj32.exe File opened for modification C:\Windows\SysWOW64\Pakllc32.exe Pkadoiip.exe File opened for modification C:\Windows\SysWOW64\Pjhbgb32.exe Pqpnombl.exe File opened for modification C:\Windows\SysWOW64\Eiaoid32.exe Ebhglj32.exe File opened for modification C:\Windows\SysWOW64\Gpqjglii.exe Gigaka32.exe File created C:\Windows\SysWOW64\Pkgcea32.exe Pejkmk32.exe File created C:\Windows\SysWOW64\Cioilg32.exe Ccbadp32.exe File created C:\Windows\SysWOW64\Pbmmao32.dll Gmiclo32.exe File created C:\Windows\SysWOW64\Gicinj32.exe Gfembo32.exe File created C:\Windows\SysWOW64\Fddanicf.dll Ggcfja32.exe File opened for modification C:\Windows\SysWOW64\Kefdbo32.exe Kbghfc32.exe File opened for modification C:\Windows\SysWOW64\Mejpje32.exe Mjellmbp.exe File opened for modification C:\Windows\SysWOW64\Ohkkhhmh.exe Oobfob32.exe File created C:\Windows\SysWOW64\Cecbmf32.exe Cbefaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11716 11540 Process not Found 1291 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddplkbaa.dll" Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcqbd32.dll" Pjhbgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Feocelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhmqf32.dll" Himldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmqopc32.dll" Edmjfifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqgocidj.dll" Ejpfhnpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkoiefmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkbmh32.dll" Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll" Jbmfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocqqdjh.dll" Daaicfgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdjagjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glienb32.dll" Epndknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmlkhofd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbhamajc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpjljph.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clnjjpod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkqdpn32.dll" Ieliebnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clomci32.dll" Jqlefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhnoefl.dll" Oeaoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilmjcon.dll" Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" Daconoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Foghnabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdilnojp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jidbflcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljbfpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mejpje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfkmkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glebhjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaegbjb.dll" Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgokg32.dll" Maeachag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apedgj32.dll" Bbdhiojo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aafemk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlqomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icgcab32.dll" Biogppeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpjfnfg.dll" Gphgbafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhndljll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbeojn32.dll" Igigla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efeihb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnapdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Himldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngdmod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdmpje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" Lgneampk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgldidg.dll" Nnmopdep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnalj32.dll" Jfnbdecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmliok32.dll" Dpnbog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Miofjepg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5052 wrote to memory of 3024 5052 5210aa22d235c6d1e6f479cf4c2a08c0_NeikiAnalytics.exe 83 PID 5052 wrote to memory of 3024 5052 5210aa22d235c6d1e6f479cf4c2a08c0_NeikiAnalytics.exe 83 PID 5052 wrote to memory of 3024 5052 5210aa22d235c6d1e6f479cf4c2a08c0_NeikiAnalytics.exe 83 PID 3024 wrote to memory of 3852 3024 Ibojncfj.exe 84 PID 3024 wrote to memory of 3852 3024 Ibojncfj.exe 84 PID 3024 wrote to memory of 3852 3024 Ibojncfj.exe 84 PID 3852 wrote to memory of 1348 3852 Ijfboafl.exe 86 PID 3852 wrote to memory of 1348 3852 Ijfboafl.exe 86 PID 3852 wrote to memory of 1348 3852 Ijfboafl.exe 86 PID 1348 wrote to memory of 552 1348 Ifmcdblq.exe 88 PID 1348 wrote to memory of 552 1348 Ifmcdblq.exe 88 PID 1348 wrote to memory of 552 1348 Ifmcdblq.exe 88 PID 552 wrote to memory of 2620 552 Iabgaklg.exe 89 PID 552 wrote to memory of 2620 552 Iabgaklg.exe 89 PID 552 wrote to memory of 2620 552 Iabgaklg.exe 89 PID 2620 wrote to memory of 1832 2620 Ibccic32.exe 90 PID 2620 wrote to memory of 1832 2620 Ibccic32.exe 90 PID 2620 wrote to memory of 1832 2620 Ibccic32.exe 90 PID 1832 wrote to memory of 1792 1832 Ijkljp32.exe 91 PID 1832 wrote to memory of 1792 1832 Ijkljp32.exe 91 PID 1832 wrote to memory of 1792 1832 Ijkljp32.exe 91 PID 1792 wrote to memory of 1576 1792 Imihfl32.exe 92 PID 1792 wrote to memory of 1576 1792 Imihfl32.exe 92 PID 1792 wrote to memory of 1576 1792 Imihfl32.exe 92 PID 1576 wrote to memory of 4656 1576 Jpgdbg32.exe 93 PID 1576 wrote to memory of 4656 1576 Jpgdbg32.exe 93 PID 1576 wrote to memory of 4656 1576 Jpgdbg32.exe 93 PID 4656 wrote to memory of 4776 4656 Jbfpobpb.exe 94 PID 4656 wrote to memory of 4776 4656 Jbfpobpb.exe 94 PID 4656 wrote to memory of 4776 4656 Jbfpobpb.exe 94 PID 4776 wrote to memory of 1336 4776 Jfaloa32.exe 95 PID 4776 wrote to memory of 1336 4776 Jfaloa32.exe 95 PID 4776 wrote to memory of 1336 4776 Jfaloa32.exe 95 PID 1336 wrote to memory of 4240 1336 Jjmhppqd.exe 96 PID 1336 wrote to memory of 4240 1336 Jjmhppqd.exe 96 PID 1336 wrote to memory of 4240 1336 Jjmhppqd.exe 96 PID 4240 wrote to memory of 3748 4240 Jiphkm32.exe 97 PID 4240 wrote to memory of 3748 4240 Jiphkm32.exe 97 PID 4240 wrote to memory of 3748 4240 Jiphkm32.exe 97 PID 3748 wrote to memory of 2584 3748 Jagqlj32.exe 98 PID 3748 wrote to memory of 2584 3748 Jagqlj32.exe 98 PID 3748 wrote to memory of 2584 3748 Jagqlj32.exe 98 PID 2584 wrote to memory of 972 2584 Jpjqhgol.exe 99 PID 2584 wrote to memory of 972 2584 Jpjqhgol.exe 99 PID 2584 wrote to memory of 972 2584 Jpjqhgol.exe 99 PID 972 wrote to memory of 2044 972 Jdemhe32.exe 100 PID 972 wrote to memory of 2044 972 Jdemhe32.exe 100 PID 972 wrote to memory of 2044 972 Jdemhe32.exe 100 PID 2044 wrote to memory of 844 2044 Jbhmdbnp.exe 101 PID 2044 wrote to memory of 844 2044 Jbhmdbnp.exe 101 PID 2044 wrote to memory of 844 2044 Jbhmdbnp.exe 101 PID 844 wrote to memory of 2280 844 Jjpeepnb.exe 102 PID 844 wrote to memory of 2280 844 Jjpeepnb.exe 102 PID 844 wrote to memory of 2280 844 Jjpeepnb.exe 102 PID 2280 wrote to memory of 3124 2280 Jibeql32.exe 103 PID 2280 wrote to memory of 3124 2280 Jibeql32.exe 103 PID 2280 wrote to memory of 3124 2280 Jibeql32.exe 103 PID 3124 wrote to memory of 2976 3124 Jmnaakne.exe 104 PID 3124 wrote to memory of 2976 3124 Jmnaakne.exe 104 PID 3124 wrote to memory of 2976 3124 Jmnaakne.exe 104 PID 2976 wrote to memory of 824 2976 Jaimbj32.exe 105 PID 2976 wrote to memory of 824 2976 Jaimbj32.exe 105 PID 2976 wrote to memory of 824 2976 Jaimbj32.exe 105 PID 824 wrote to memory of 4556 824 Jdhine32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\5210aa22d235c6d1e6f479cf4c2a08c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5210aa22d235c6d1e6f479cf4c2a08c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe23⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe24⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe26⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe27⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe29⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe30⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe31⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe32⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe33⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe34⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe35⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe36⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe38⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe39⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe40⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe41⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe42⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe43⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe45⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe46⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe47⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe48⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe49⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe50⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe51⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe52⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe53⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe54⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe55⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe56⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe57⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe58⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe59⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe60⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe61⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe62⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe63⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe64⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe65⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe66⤵PID:2736
-
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe67⤵PID:1856
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe68⤵PID:1364
-
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe69⤵PID:4620
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe70⤵PID:4864
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe71⤵PID:5016
-
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe72⤵PID:4248
-
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe73⤵PID:4984
-
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe74⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe75⤵PID:2448
-
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe76⤵PID:3988
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:508 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe78⤵PID:1924
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe79⤵PID:1556
-
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe80⤵PID:3764
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe81⤵PID:4512
-
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe82⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe83⤵PID:3216
-
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe84⤵PID:4980
-
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe85⤵PID:920
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe86⤵PID:2212
-
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe87⤵PID:2168
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe89⤵PID:2568
-
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe90⤵PID:3068
-
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe91⤵PID:2608
-
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe92⤵PID:2328
-
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe93⤵PID:1584
-
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe94⤵PID:4624
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe95⤵PID:3168
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe96⤵PID:1668
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe97⤵PID:5140
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe98⤵PID:5176
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe99⤵
- Drops file in System32 directory
PID:5212 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe101⤵PID:5284
-
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe102⤵PID:5340
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe103⤵PID:5376
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe104⤵
- Drops file in System32 directory
PID:5412 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe105⤵PID:5448
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe106⤵PID:5484
-
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe107⤵PID:5556
-
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe108⤵PID:5616
-
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe109⤵
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe110⤵PID:5768
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe111⤵PID:5860
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe112⤵PID:5916
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe113⤵PID:5952
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe114⤵PID:5992
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe115⤵PID:6024
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe116⤵PID:6064
-
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe117⤵
- Drops file in System32 directory
PID:6104 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe118⤵PID:5408
-
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe119⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe120⤵PID:5324
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe121⤵PID:5244
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-