Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
80s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13/05/2024, 23:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe
-
Size
237KB
-
MD5
3227fc0a8ef6d94a8b62ef73779c8d10
-
SHA1
5b51c009129f288d014041f74811ab87eb1f46eb
-
SHA256
1a625db83fb3aa591fd2c515775115740b7d7611d3a35ff12a7d964210fb2469
-
SHA512
a4db2bc18e81912119cd9d007431d0162412c0997b1d0749a490c08f20852c3e4fa08535accc205a48b4815ad54da5e36c4df0ac909659009c6a5ad43d817d8f
-
SSDEEP
3072:F8oBljPAUbj8Nq75Sq4iqnAUUjE02ZoL9snKKq:F8yljPXj8U5ihYjEToZY8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oojalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjglg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gooqfkan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdfefkll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhpge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niiaae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdchakoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eepbabjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alelkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kibeoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqbneq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djmima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbnmkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiomnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eanqpdgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qapnmopa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhjhlqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adbkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iolfmcbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mieeka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Habeni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqhdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boldhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbcignbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goadfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjoknhbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjlolpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjemlhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boohcpgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncaklhdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjbdbjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljoboloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmoglij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgdkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeailhme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmomo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qihoak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnanioad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfodmdni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pacfjfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjcdih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjcfgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facjlhil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppafpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabjkdcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimmil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cggpfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckboblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhnjna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cefoni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolekd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akjgdjoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Midoph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjmcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocdba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgccijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejdonq32.exe -
Executes dropped EXE 64 IoCs
pid Process 2152 Amlogfel.exe 2888 Bhhiemoj.exe 2228 Bdagpnbk.exe 3872 Boldhf32.exe 3284 Cgifbhid.exe 1696 Cpdgqmnb.exe 1056 Cdbpgl32.exe 844 Dakikoom.exe 3096 Dkhgod32.exe 820 Egcaod32.exe 3752 Fndpmndl.exe 1116 Gpmomo32.exe 2524 Glfmgp32.exe 3380 Hnibokbd.exe 384 Hbnaeh32.exe 1388 Ilkoim32.exe 884 Jhgiim32.exe 4620 Jbojlfdp.exe 1532 Kibeoo32.exe 4760 Kpnjah32.exe 1328 Kekbjo32.exe 3332 Khlklj32.exe 3328 Lljdai32.exe 3132 Lafmjp32.exe 4304 Lhcali32.exe 1740 Lckboblp.exe 3248 Mjggal32.exe 1764 Mhldbh32.exe 4900 Mpeiie32.exe 3528 Mhanngbl.exe 2696 Mqjbddpl.exe 2548 Nmfmde32.exe 1624 Niojoeel.exe 2680 Oophlo32.exe 4120 Pqbala32.exe 2180 Pmhbqbae.exe 2788 Pjaleemj.exe 2208 Pjcikejg.exe 3172 Qppaclio.exe 2272 Qapnmopa.exe 3416 Qikbaaml.exe 2532 Abhqefpg.exe 2216 Abjmkf32.exe 4944 Ajdbac32.exe 948 Calfpk32.exe 1632 Dgdncplk.exe 1796 Dnngpj32.exe 1284 Djgdkk32.exe 4236 Fkemfl32.exe 3756 Fcpakn32.exe 3824 Gqbneq32.exe 764 Haidfpki.exe 2948 Ielfgmnj.exe 2656 Inidkb32.exe 4308 Jhkljfok.exe 4184 Jogqlpde.exe 3548 Kdpiqehp.exe 1064 Lahbei32.exe 1460 Mdnebc32.exe 4896 Mcoepkdo.exe 2744 Mdpagc32.exe 4936 Moefdljc.exe 232 Mhnjna32.exe 3264 Mohbjkgp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Feggihah.dll Dmfecgim.exe File opened for modification C:\Windows\SysWOW64\Elhfbp32.exe Edlann32.exe File created C:\Windows\SysWOW64\Fjlpbb32.exe Fcbgfhii.exe File created C:\Windows\SysWOW64\Cnmoglij.exe Cgbfka32.exe File created C:\Windows\SysWOW64\Jhkljfok.exe Inidkb32.exe File created C:\Windows\SysWOW64\Cjokai32.dll Pcbdcf32.exe File created C:\Windows\SysWOW64\Ehofhdli.exe Eeailhme.exe File created C:\Windows\SysWOW64\Oophlo32.exe Niojoeel.exe File created C:\Windows\SysWOW64\Enlqdc32.exe Dmmdjp32.exe File created C:\Windows\SysWOW64\Dkhgod32.exe Dakikoom.exe File opened for modification C:\Windows\SysWOW64\Gqbneq32.exe Fcpakn32.exe File created C:\Windows\SysWOW64\Fhdocc32.exe Fhbbmc32.exe File opened for modification C:\Windows\SysWOW64\Emlgedge.exe Eepbabjj.exe File created C:\Windows\SysWOW64\Fllfihmi.dll Jmopmalc.exe File opened for modification C:\Windows\SysWOW64\Mmebpbod.exe Mhhjhlqm.exe File created C:\Windows\SysWOW64\Bqpbboeg.exe Bnaffdfc.exe File created C:\Windows\SysWOW64\Pclafhka.dll Gcgndf32.exe File created C:\Windows\SysWOW64\Oimdbnip.exe Obcled32.exe File opened for modification C:\Windows\SysWOW64\Bknidbhi.exe Addahh32.exe File opened for modification C:\Windows\SysWOW64\Oljoen32.exe Ncaklhdi.exe File opened for modification C:\Windows\SysWOW64\Ogqmee32.exe Odbpij32.exe File opened for modification C:\Windows\SysWOW64\Cfjnhe32.exe Cldjkl32.exe File created C:\Windows\SysWOW64\Cabgompp.dll Nldjnk32.exe File created C:\Windows\SysWOW64\Khkbcopl.exe Kobnji32.exe File opened for modification C:\Windows\SysWOW64\Jokpcmmj.exe Ifckkhfi.exe File opened for modification C:\Windows\SysWOW64\Jkhpogij.exe Jjgcgo32.exe File created C:\Windows\SysWOW64\Lbmqmi32.exe Llqhdb32.exe File opened for modification C:\Windows\SysWOW64\Akjgdjoj.exe Aqdbfa32.exe File opened for modification C:\Windows\SysWOW64\Mlbllc32.exe Midoph32.exe File created C:\Windows\SysWOW64\Bdfnmhnj.exe Bnlfqngm.exe File opened for modification C:\Windows\SysWOW64\Jnalem32.exe Jkcpia32.exe File created C:\Windows\SysWOW64\Kdpiqehp.exe Jogqlpde.exe File created C:\Windows\SysWOW64\Epqblnhh.dll Jogqlpde.exe File opened for modification C:\Windows\SysWOW64\Naaghoik.exe Nkgoke32.exe File created C:\Windows\SysWOW64\Bqdlmo32.exe Bdnkhn32.exe File created C:\Windows\SysWOW64\Kiomnk32.exe Kbedaand.exe File opened for modification C:\Windows\SysWOW64\Ndnnianm.exe Ndlacapp.exe File created C:\Windows\SysWOW64\Kmjigl32.dll Fpandm32.exe File created C:\Windows\SysWOW64\Heckkb32.dll Npognfpo.exe File created C:\Windows\SysWOW64\Cgbfka32.exe Cqinng32.exe File created C:\Windows\SysWOW64\Neclpamg.exe Nnidcg32.exe File created C:\Windows\SysWOW64\Pfmdgq32.exe Plgpjhnf.exe File created C:\Windows\SysWOW64\Dqomdppm.exe Cggikk32.exe File created C:\Windows\SysWOW64\Cfedmfqd.exe Cpklql32.exe File created C:\Windows\SysWOW64\Pgbkgmao.exe Pphckb32.exe File opened for modification C:\Windows\SysWOW64\Facjlhil.exe Femigg32.exe File opened for modification C:\Windows\SysWOW64\Jdiglgbg.exe Jnoopm32.exe File opened for modification C:\Windows\SysWOW64\Obnbjdfi.exe Nldjnk32.exe File created C:\Windows\SysWOW64\Odibfg32.dll Pqbala32.exe File opened for modification C:\Windows\SysWOW64\Kallod32.exe Kjbdbjbi.exe File opened for modification C:\Windows\SysWOW64\Bjmpfdhb.exe Bilcol32.exe File opened for modification C:\Windows\SysWOW64\Nheqnpjk.exe Nchhfild.exe File created C:\Windows\SysWOW64\Cjbnqa32.dll Pacfjfej.exe File created C:\Windows\SysWOW64\Gonilenb.exe Gdheol32.exe File created C:\Windows\SysWOW64\Nlaakbkm.dll Pjahchpb.exe File opened for modification C:\Windows\SysWOW64\Neclpamg.exe Nnidcg32.exe File created C:\Windows\SysWOW64\Bicbje32.dll Libido32.exe File created C:\Windows\SysWOW64\Kbedaand.exe Kofheeoq.exe File created C:\Windows\SysWOW64\Pfbfjk32.exe Pohnnqgo.exe File created C:\Windows\SysWOW64\Mddlghdh.dll Bqahmhpi.exe File created C:\Windows\SysWOW64\Ldqfddml.exe Lnfngj32.exe File opened for modification C:\Windows\SysWOW64\Nlmdml32.exe Neclpamg.exe File created C:\Windows\SysWOW64\Amlogfel.exe 3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Oqlbphhk.dll Mdnebc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10720 1824 Process not Found 1155 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpqellmb.dll" Abbiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjiokeo.dll" Fhdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcnekdp.dll" Mminfech.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckiipa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ampojimo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glhgojef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmidpjmc.dll" Gmnmbbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmnibme.dll" Mddkbbfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfbmdabh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phiekaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Habeni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddmoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqlmkp32.dll" Bhbahm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abjkmqni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpfnqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmceobnb.dll" Iibaeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admkgifd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hddejjdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnipj32.dll" Jekpljgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llqhdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnmoglij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kffphhmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnjkgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noqofdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkhpge32.dll" Okqbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Capkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nifele32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geqlhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jggmnmmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lckboblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcpakn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifffoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjjgdba.dll" Jfokff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjmdkgg.dll" Dioiki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djlkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcibchgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll" Jogqlpde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfgefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjgcgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apeagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkgoke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fljedg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abmhbplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll" Pmhbqbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcbeqaia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlafb32.dll" Cboibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nolekd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnpiedch.dll" Hpqlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mohbjkgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqbmqdi.dll" Pohnnqgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobbadje.dll" Abdoqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbjpjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcbb32.dll" Llqhdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odqbdnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknnda32.dll" Dcnqkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omkmhlpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odibfg32.dll" Pqbala32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjaleemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geceqfal.dll" Hfamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjbdbjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcfnqccd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeodmbol.dll" Pjaleemj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4752 wrote to memory of 2152 4752 3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe 90 PID 4752 wrote to memory of 2152 4752 3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe 90 PID 4752 wrote to memory of 2152 4752 3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe 90 PID 2152 wrote to memory of 2888 2152 Amlogfel.exe 91 PID 2152 wrote to memory of 2888 2152 Amlogfel.exe 91 PID 2152 wrote to memory of 2888 2152 Amlogfel.exe 91 PID 2888 wrote to memory of 2228 2888 Bhhiemoj.exe 92 PID 2888 wrote to memory of 2228 2888 Bhhiemoj.exe 92 PID 2888 wrote to memory of 2228 2888 Bhhiemoj.exe 92 PID 2228 wrote to memory of 3872 2228 Bdagpnbk.exe 93 PID 2228 wrote to memory of 3872 2228 Bdagpnbk.exe 93 PID 2228 wrote to memory of 3872 2228 Bdagpnbk.exe 93 PID 3872 wrote to memory of 3284 3872 Boldhf32.exe 94 PID 3872 wrote to memory of 3284 3872 Boldhf32.exe 94 PID 3872 wrote to memory of 3284 3872 Boldhf32.exe 94 PID 3284 wrote to memory of 1696 3284 Cgifbhid.exe 95 PID 3284 wrote to memory of 1696 3284 Cgifbhid.exe 95 PID 3284 wrote to memory of 1696 3284 Cgifbhid.exe 95 PID 1696 wrote to memory of 1056 1696 Cpdgqmnb.exe 96 PID 1696 wrote to memory of 1056 1696 Cpdgqmnb.exe 96 PID 1696 wrote to memory of 1056 1696 Cpdgqmnb.exe 96 PID 1056 wrote to memory of 844 1056 Cdbpgl32.exe 97 PID 1056 wrote to memory of 844 1056 Cdbpgl32.exe 97 PID 1056 wrote to memory of 844 1056 Cdbpgl32.exe 97 PID 844 wrote to memory of 3096 844 Dakikoom.exe 98 PID 844 wrote to memory of 3096 844 Dakikoom.exe 98 PID 844 wrote to memory of 3096 844 Dakikoom.exe 98 PID 3096 wrote to memory of 820 3096 Dkhgod32.exe 99 PID 3096 wrote to memory of 820 3096 Dkhgod32.exe 99 PID 3096 wrote to memory of 820 3096 Dkhgod32.exe 99 PID 820 wrote to memory of 3752 820 Egcaod32.exe 100 PID 820 wrote to memory of 3752 820 Egcaod32.exe 100 PID 820 wrote to memory of 3752 820 Egcaod32.exe 100 PID 3752 wrote to memory of 1116 3752 Fndpmndl.exe 101 PID 3752 wrote to memory of 1116 3752 Fndpmndl.exe 101 PID 3752 wrote to memory of 1116 3752 Fndpmndl.exe 101 PID 1116 wrote to memory of 2524 1116 Gpmomo32.exe 102 PID 1116 wrote to memory of 2524 1116 Gpmomo32.exe 102 PID 1116 wrote to memory of 2524 1116 Gpmomo32.exe 102 PID 2524 wrote to memory of 3380 2524 Glfmgp32.exe 103 PID 2524 wrote to memory of 3380 2524 Glfmgp32.exe 103 PID 2524 wrote to memory of 3380 2524 Glfmgp32.exe 103 PID 3380 wrote to memory of 384 3380 Hnibokbd.exe 104 PID 3380 wrote to memory of 384 3380 Hnibokbd.exe 104 PID 3380 wrote to memory of 384 3380 Hnibokbd.exe 104 PID 384 wrote to memory of 1388 384 Hbnaeh32.exe 105 PID 384 wrote to memory of 1388 384 Hbnaeh32.exe 105 PID 384 wrote to memory of 1388 384 Hbnaeh32.exe 105 PID 1388 wrote to memory of 884 1388 Ilkoim32.exe 106 PID 1388 wrote to memory of 884 1388 Ilkoim32.exe 106 PID 1388 wrote to memory of 884 1388 Ilkoim32.exe 106 PID 884 wrote to memory of 4620 884 Jhgiim32.exe 107 PID 884 wrote to memory of 4620 884 Jhgiim32.exe 107 PID 884 wrote to memory of 4620 884 Jhgiim32.exe 107 PID 4620 wrote to memory of 1532 4620 Jbojlfdp.exe 108 PID 4620 wrote to memory of 1532 4620 Jbojlfdp.exe 108 PID 4620 wrote to memory of 1532 4620 Jbojlfdp.exe 108 PID 1532 wrote to memory of 4760 1532 Kibeoo32.exe 109 PID 1532 wrote to memory of 4760 1532 Kibeoo32.exe 109 PID 1532 wrote to memory of 4760 1532 Kibeoo32.exe 109 PID 4760 wrote to memory of 1328 4760 Kpnjah32.exe 110 PID 4760 wrote to memory of 1328 4760 Kpnjah32.exe 110 PID 4760 wrote to memory of 1328 4760 Kpnjah32.exe 110 PID 1328 wrote to memory of 3332 1328 Kekbjo32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3227fc0a8ef6d94a8b62ef73779c8d10_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Amlogfel.exeC:\Windows\system32\Amlogfel.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Boldhf32.exeC:\Windows\system32\Boldhf32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Cgifbhid.exeC:\Windows\system32\Cgifbhid.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Cdbpgl32.exeC:\Windows\system32\Cdbpgl32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Dkhgod32.exeC:\Windows\system32\Dkhgod32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Egcaod32.exeC:\Windows\system32\Egcaod32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Hbnaeh32.exeC:\Windows\system32\Hbnaeh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Ilkoim32.exeC:\Windows\system32\Ilkoim32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Jbojlfdp.exeC:\Windows\system32\Jbojlfdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Kpnjah32.exeC:\Windows\system32\Kpnjah32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Kekbjo32.exeC:\Windows\system32\Kekbjo32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Khlklj32.exeC:\Windows\system32\Khlklj32.exe23⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Lljdai32.exeC:\Windows\system32\Lljdai32.exe24⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe25⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Lhcali32.exeC:\Windows\system32\Lhcali32.exe26⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Lckboblp.exeC:\Windows\system32\Lckboblp.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Mjggal32.exeC:\Windows\system32\Mjggal32.exe28⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Mhldbh32.exeC:\Windows\system32\Mhldbh32.exe29⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Mpeiie32.exeC:\Windows\system32\Mpeiie32.exe30⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Mhanngbl.exeC:\Windows\system32\Mhanngbl.exe31⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Mqjbddpl.exeC:\Windows\system32\Mqjbddpl.exe32⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Nmfmde32.exeC:\Windows\system32\Nmfmde32.exe33⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Niojoeel.exeC:\Windows\system32\Niojoeel.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe35⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Pqbala32.exeC:\Windows\system32\Pqbala32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4120 -
C:\Windows\SysWOW64\Pmhbqbae.exeC:\Windows\system32\Pmhbqbae.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Pjaleemj.exeC:\Windows\system32\Pjaleemj.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe39⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Qppaclio.exeC:\Windows\system32\Qppaclio.exe40⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Qapnmopa.exeC:\Windows\system32\Qapnmopa.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Qikbaaml.exeC:\Windows\system32\Qikbaaml.exe42⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Abhqefpg.exeC:\Windows\system32\Abhqefpg.exe43⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Abjmkf32.exeC:\Windows\system32\Abjmkf32.exe44⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe45⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe46⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Dgdncplk.exeC:\Windows\system32\Dgdncplk.exe47⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe48⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Djegekil.exeC:\Windows\system32\Djegekil.exe49⤵PID:2416
-
C:\Windows\SysWOW64\Djgdkk32.exeC:\Windows\system32\Djgdkk32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Fkemfl32.exeC:\Windows\system32\Fkemfl32.exe51⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3756 -
C:\Windows\SysWOW64\Gqbneq32.exeC:\Windows\system32\Gqbneq32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Haidfpki.exeC:\Windows\system32\Haidfpki.exe54⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe55⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Inidkb32.exeC:\Windows\system32\Inidkb32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Jhkljfok.exeC:\Windows\system32\Jhkljfok.exe57⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Jogqlpde.exeC:\Windows\system32\Jogqlpde.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4184 -
C:\Windows\SysWOW64\Kdpiqehp.exeC:\Windows\system32\Kdpiqehp.exe59⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Lahbei32.exeC:\Windows\system32\Lahbei32.exe60⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Mdnebc32.exeC:\Windows\system32\Mdnebc32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe62⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe63⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Moefdljc.exeC:\Windows\system32\Moefdljc.exe64⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Mohbjkgp.exeC:\Windows\system32\Mohbjkgp.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Mddkbbfg.exeC:\Windows\system32\Mddkbbfg.exe67⤵
- Modifies registry class
PID:3448 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe68⤵
- Drops file in System32 directory
PID:3996 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe69⤵PID:1464
-
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe70⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe71⤵PID:3956
-
C:\Windows\SysWOW64\Ncaklhdi.exeC:\Windows\system32\Ncaklhdi.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe73⤵PID:1444
-
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe74⤵PID:3400
-
C:\Windows\SysWOW64\Oloipmfd.exeC:\Windows\system32\Oloipmfd.exe75⤵PID:5148
-
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe76⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe77⤵
- Modifies registry class
PID:5232 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe78⤵PID:5280
-
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe79⤵PID:5328
-
C:\Windows\SysWOW64\Pomncfge.exeC:\Windows\system32\Pomncfge.exe80⤵PID:5368
-
C:\Windows\SysWOW64\Qejfkmem.exeC:\Windows\system32\Qejfkmem.exe81⤵PID:5412
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe83⤵PID:5496
-
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe84⤵PID:5540
-
C:\Windows\SysWOW64\Almanf32.exeC:\Windows\system32\Almanf32.exe85⤵PID:5584
-
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe86⤵PID:5628
-
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe87⤵PID:5688
-
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe88⤵PID:5740
-
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5780 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe90⤵
- Modifies registry class
PID:5836 -
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Cekhihig.exeC:\Windows\system32\Cekhihig.exe92⤵PID:5932
-
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe93⤵PID:5980
-
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe94⤵
- Modifies registry class
PID:6028 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe95⤵PID:6072
-
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe96⤵PID:6104
-
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe97⤵PID:636
-
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe98⤵PID:5188
-
C:\Windows\SysWOW64\Edlann32.exeC:\Windows\system32\Edlann32.exe99⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe100⤵PID:5352
-
C:\Windows\SysWOW64\Egmjpi32.exeC:\Windows\system32\Egmjpi32.exe101⤵PID:5448
-
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe102⤵PID:5472
-
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe103⤵PID:5580
-
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe104⤵PID:5348
-
C:\Windows\SysWOW64\Eibmlc32.exeC:\Windows\system32\Eibmlc32.exe105⤵PID:5656
-
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5772 -
C:\Windows\SysWOW64\Feljgd32.exeC:\Windows\system32\Feljgd32.exe107⤵PID:5864
-
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe108⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe109⤵
- Drops file in System32 directory
PID:6008 -
C:\Windows\SysWOW64\Fjlpbb32.exeC:\Windows\system32\Fjlpbb32.exe110⤵PID:6088
-
C:\Windows\SysWOW64\Fcddkggf.exeC:\Windows\system32\Fcddkggf.exe111⤵PID:4272
-
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe112⤵PID:5260
-
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe113⤵PID:5400
-
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe114⤵PID:1952
-
C:\Windows\SysWOW64\Gnanioad.exeC:\Windows\system32\Gnanioad.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5276 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe116⤵
- Modifies registry class
PID:4912 -
C:\Windows\SysWOW64\Hfcinq32.exeC:\Windows\system32\Hfcinq32.exe117⤵PID:5724
-
C:\Windows\SysWOW64\Hcgjhega.exeC:\Windows\system32\Hcgjhega.exe118⤵PID:5880
-
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe119⤵PID:6004
-
C:\Windows\SysWOW64\Hjcojo32.exeC:\Windows\system32\Hjcojo32.exe120⤵PID:6064
-
C:\Windows\SysWOW64\Ifjoop32.exeC:\Windows\system32\Ifjoop32.exe121⤵PID:5240
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-