Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
154s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
15/05/2024, 18:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe
-
Size
352KB
-
MD5
1328c3a6ca0f6692015500c36a1f92d0
-
SHA1
be1d02d4aa8de3301a5690f1932acd103d2c9b00
-
SHA256
2021056e6493ab4691cb810e585b5d5673ef38f1ff3acb804711abb2079b6c83
-
SHA512
2bfd8075072aaffd131665d78024f11a174dd3ff921c8304550542bd6782b629f54441efe0792b8b4a7bad0489c28ef3db23c4727a8a2a7587b57f83aff53a2f
-
SSDEEP
6144:+zOT+wZEkq2z9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:kOHZEkQsUasUqsU6sp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djalnkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flnlaahl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kipkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkhbko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcoioabf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onngci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkhidaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eanqpdgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkkekdhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofooqinh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnbjdfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejegdngb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpkehi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejglcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnpjdfpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmkak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbceoped.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apobakpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbaabom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchihhng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiphebml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogifci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdiobd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giqlbqcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmfel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pljcjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidbpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melfpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nieggill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcjaio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnlhod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjojkpdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgkma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikmepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fffqjfom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deejpjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcaab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdajabdc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laofhbmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cchikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqbadf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcagjndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nieggill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpikao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjhdobb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmhjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjaio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjeiai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgidgakk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelifc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incpdodg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnnmogae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfcmpdjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmcldhfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjdheqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apdkmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbfiokn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkaahjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfeiedhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkdnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifdjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbjbfjl.exe -
Executes dropped EXE 64 IoCs
pid Process 3244 Qelcamcj.exe 3000 Cifdjg32.exe 4152 Dmifkecb.exe 3532 Eiijfd32.exe 1700 Edcgnmml.exe 400 Fdmjdkda.exe 4188 Ggdigekj.exe 260 Hqfqfj32.exe 3664 Hgbfhc32.exe 1328 Hclccd32.exe 3432 Ifmldo32.exe 2204 Ijonfmbn.exe 2076 Jcoioabf.exe 4056 Kfkamk32.exe 4820 Lmnlpcel.exe 3064 Mmebpbod.exe 3268 Nkpijfgf.exe 3888 Ndkjik32.exe 3548 Oeopnmoa.exe 404 Agjhbbob.exe 4452 Adqeaf32.exe 2904 Bgkaip32.exe 4084 Beaohcmf.exe 4160 Clpppmqn.exe 2768 Cpmifkgd.exe 1388 Dojlhg32.exe 60 Dpkehi32.exe 3404 Doqbifpl.exe 1612 Eeodqocd.exe 2684 Efampahd.exe 4508 Elnehifk.exe 3572 Fcmgpbjc.exe 2264 Fgmllpng.exe 2568 Gebimmco.exe 3520 Gllajf32.exe 3164 Geipnl32.exe 4992 Hpaqqdjj.exe 4924 Hjnndime.exe 4316 Hphfac32.exe 5104 Hladlc32.exe 3604 Ihheqd32.exe 4628 Ioffhn32.exe 2980 Ioicnn32.exe 4236 Jgedjjki.exe 5072 Kmbfiokn.exe 1840 Nfaijand.exe 3876 Nfdfoala.exe 4336 Ngipjp32.exe 748 Nmedmj32.exe 3868 Ohkijc32.exe 3696 Onngci32.exe 3616 Oalpigkb.exe 2660 Phiekaql.exe 4680 Phkaqqoi.exe 4080 Pnhjig32.exe 820 Qdihfq32.exe 1304 Aqpika32.exe 2600 Bhennm32.exe 4040 Bqpbboeg.exe 1508 Ckafkfkp.exe 412 Cnboma32.exe 4268 Dabhomea.exe 1836 Dlmegd32.exe 1804 Deejpjgc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ggdigekj.exe Fdmjdkda.exe File created C:\Windows\SysWOW64\Jdhcdlco.dll Ddkpoelb.exe File created C:\Windows\SysWOW64\Obnbjdfi.exe Nldjnk32.exe File created C:\Windows\SysWOW64\Cnndbecl.exe Cgbppknb.exe File created C:\Windows\SysWOW64\Gffkpa32.exe Gplbcgbg.exe File created C:\Windows\SysWOW64\Eiopdhnf.dll Adqeaf32.exe File created C:\Windows\SysWOW64\Nkloef32.dll Icedkn32.exe File created C:\Windows\SysWOW64\Igmjbjkl.dll Incpdodg.exe File opened for modification C:\Windows\SysWOW64\Nejbaqgo.exe Nnpjdfpb.exe File opened for modification C:\Windows\SysWOW64\Bedgejbo.exe Bllble32.exe File created C:\Windows\SysWOW64\Cgbppknb.exe Ccajdmin.exe File opened for modification C:\Windows\SysWOW64\Cadcfd32.exe Cpbgnlfo.exe File created C:\Windows\SysWOW64\Fqbfnnhd.dll Ngdmhimb.exe File created C:\Windows\SysWOW64\Aceomp32.dll Jgedjjki.exe File created C:\Windows\SysWOW64\Aekkkmac.dll Mmfaafej.exe File created C:\Windows\SysWOW64\Ajnmjp32.exe Adadbi32.exe File opened for modification C:\Windows\SysWOW64\Jdgjgh32.exe Jnmbjnlm.exe File opened for modification C:\Windows\SysWOW64\Ppdbfpaa.exe Pijiif32.exe File created C:\Windows\SysWOW64\Gihlge32.dll Gcagdj32.exe File created C:\Windows\SysWOW64\Eiijfd32.exe Dmifkecb.exe File created C:\Windows\SysWOW64\Fpopekeb.dll Eiijfd32.exe File opened for modification C:\Windows\SysWOW64\Ngipjp32.exe Nfdfoala.exe File created C:\Windows\SysWOW64\Mgidgakk.exe Mjednmla.exe File created C:\Windows\SysWOW64\Dphfhmme.dll Pgcpdn32.exe File opened for modification C:\Windows\SysWOW64\Pndoagfc.exe Peljha32.exe File opened for modification C:\Windows\SysWOW64\Caimachg.exe Cafpkc32.exe File opened for modification C:\Windows\SysWOW64\Idmhqi32.exe Incpdodg.exe File created C:\Windows\SysWOW64\Jlgjfqgj.dll Eeodqocd.exe File opened for modification C:\Windows\SysWOW64\Kfpqap32.exe Kfndlphp.exe File opened for modification C:\Windows\SysWOW64\Onjmjegg.exe Oeahap32.exe File opened for modification C:\Windows\SysWOW64\Lhdeinhb.exe Lajmmc32.exe File created C:\Windows\SysWOW64\Fbbjeame.dll Cafpkc32.exe File opened for modification C:\Windows\SysWOW64\Ligglo32.exe Lpocciba.exe File created C:\Windows\SysWOW64\Ocgfff32.dll Knmkak32.exe File opened for modification C:\Windows\SysWOW64\Dhkaif32.exe Dboiaoff.exe File created C:\Windows\SysWOW64\Pgnnkfll.dll Lpcedbjp.exe File opened for modification C:\Windows\SysWOW64\Kdbjbfjl.exe Koeajo32.exe File created C:\Windows\SysWOW64\Jibejb32.exe Jiphebml.exe File created C:\Windows\SysWOW64\Acjjpllp.exe Abimhd32.exe File opened for modification C:\Windows\SysWOW64\Eaoenjqa.exe Eehdii32.exe File created C:\Windows\SysWOW64\Pgjhha32.dll Llemnd32.exe File created C:\Windows\SysWOW64\Cifdjg32.exe Qelcamcj.exe File created C:\Windows\SysWOW64\Bilflj32.dll Deejpjgc.exe File created C:\Windows\SysWOW64\Eecmcl32.dll Qdfefkll.exe File opened for modification C:\Windows\SysWOW64\Opkfjgmh.exe Ofcaab32.exe File opened for modification C:\Windows\SysWOW64\Laacmbkm.exe Laofhbmp.exe File opened for modification C:\Windows\SysWOW64\Bniacddk.exe Ahmlaj32.exe File created C:\Windows\SysWOW64\Ilmeeglh.dll Fbihdhhf.exe File created C:\Windows\SysWOW64\Nocdpece.dll Ncfdbk32.exe File opened for modification C:\Windows\SysWOW64\Dmifkecb.exe Cifdjg32.exe File created C:\Windows\SysWOW64\Jghnge32.dll Melfpb32.exe File created C:\Windows\SysWOW64\Bicjgeip.dll Oecego32.exe File created C:\Windows\SysWOW64\Eobffk32.exe Ejennd32.exe File created C:\Windows\SysWOW64\Galonj32.exe Gffkpa32.exe File opened for modification C:\Windows\SysWOW64\Palkgi32.exe Oajoaj32.exe File created C:\Windows\SysWOW64\Icedkn32.exe Hpbajp32.exe File created C:\Windows\SysWOW64\Bjbphh32.dll Gbbkjgpl.exe File created C:\Windows\SysWOW64\Aocjbm32.dll Nnlhod32.exe File created C:\Windows\SysWOW64\Jgeihjcb.dll Oqakln32.exe File opened for modification C:\Windows\SysWOW64\Beaohcmf.exe Bgkaip32.exe File created C:\Windows\SysWOW64\Boepfh32.dll Qdihfq32.exe File opened for modification C:\Windows\SysWOW64\Lkkekdhe.exe Lmfhjhdm.exe File opened for modification C:\Windows\SysWOW64\Bqahmhpi.exe Ajnmjp32.exe File created C:\Windows\SysWOW64\Binlmd32.dll Fdegkdim.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6548 3388 WerFault.exe 488 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onccdj32.dll" Dlmegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deejpjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Accnco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnijh32.dll" Hihbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfjodkf.dll" Jefbomoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefbomoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgkaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdiaha32.dll" Phkaqqoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phiekaql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofooqinh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldibcl32.dll" Lnanadfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akipao32.dll" Iiibdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donjdabe.dll" Maohdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaoenjqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gllajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimdklek.dll" Ihheqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnnkfll.dll" Lpcedbjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nldjnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jidbpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kipalpoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkndokq.dll" Pghiomqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhkpk32.dll" Pcagjndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bniacddk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmifkgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfdfoala.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnlhod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opkfjgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lajmmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fffqjfom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcll32.dll" Cnboma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Falcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlhn32.dll" Aaoadg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flnlaahl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpcedbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edcijq32.dll" Dabhomea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffjkdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdghmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfcmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnfkgfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolkip32.dll" Gkmlilej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibeqgdpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfdafa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmdeink.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddkpoelb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnpami32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmedmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hchihhng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obdkfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eanqpdgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnndbecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koeajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meepoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbekgknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Docckfai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giqlbqcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbkbkbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaegqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgaifgon.dll" Ajnmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmcod32.dll" Ckafkfkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbbpmo32.dll" Eeomfioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhbmn32.dll" Mmlphfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmeilpn.dll" Pljcjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befkma32.dll" Qbekgknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clomaf32.dll" Ojjoedfn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 3244 5076 1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe 91 PID 5076 wrote to memory of 3244 5076 1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe 91 PID 5076 wrote to memory of 3244 5076 1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe 91 PID 3244 wrote to memory of 3000 3244 Qelcamcj.exe 93 PID 3244 wrote to memory of 3000 3244 Qelcamcj.exe 93 PID 3244 wrote to memory of 3000 3244 Qelcamcj.exe 93 PID 3000 wrote to memory of 4152 3000 Cifdjg32.exe 94 PID 3000 wrote to memory of 4152 3000 Cifdjg32.exe 94 PID 3000 wrote to memory of 4152 3000 Cifdjg32.exe 94 PID 4152 wrote to memory of 3532 4152 Dmifkecb.exe 95 PID 4152 wrote to memory of 3532 4152 Dmifkecb.exe 95 PID 4152 wrote to memory of 3532 4152 Dmifkecb.exe 95 PID 3532 wrote to memory of 1700 3532 Eiijfd32.exe 96 PID 3532 wrote to memory of 1700 3532 Eiijfd32.exe 96 PID 3532 wrote to memory of 1700 3532 Eiijfd32.exe 96 PID 1700 wrote to memory of 400 1700 Edcgnmml.exe 97 PID 1700 wrote to memory of 400 1700 Edcgnmml.exe 97 PID 1700 wrote to memory of 400 1700 Edcgnmml.exe 97 PID 400 wrote to memory of 4188 400 Fdmjdkda.exe 98 PID 400 wrote to memory of 4188 400 Fdmjdkda.exe 98 PID 400 wrote to memory of 4188 400 Fdmjdkda.exe 98 PID 4188 wrote to memory of 260 4188 Ggdigekj.exe 99 PID 4188 wrote to memory of 260 4188 Ggdigekj.exe 99 PID 4188 wrote to memory of 260 4188 Ggdigekj.exe 99 PID 260 wrote to memory of 3664 260 Hqfqfj32.exe 100 PID 260 wrote to memory of 3664 260 Hqfqfj32.exe 100 PID 260 wrote to memory of 3664 260 Hqfqfj32.exe 100 PID 3664 wrote to memory of 1328 3664 Hgbfhc32.exe 101 PID 3664 wrote to memory of 1328 3664 Hgbfhc32.exe 101 PID 3664 wrote to memory of 1328 3664 Hgbfhc32.exe 101 PID 1328 wrote to memory of 3432 1328 Hclccd32.exe 102 PID 1328 wrote to memory of 3432 1328 Hclccd32.exe 102 PID 1328 wrote to memory of 3432 1328 Hclccd32.exe 102 PID 3432 wrote to memory of 2204 3432 Ifmldo32.exe 103 PID 3432 wrote to memory of 2204 3432 Ifmldo32.exe 103 PID 3432 wrote to memory of 2204 3432 Ifmldo32.exe 103 PID 2204 wrote to memory of 2076 2204 Ijonfmbn.exe 104 PID 2204 wrote to memory of 2076 2204 Ijonfmbn.exe 104 PID 2204 wrote to memory of 2076 2204 Ijonfmbn.exe 104 PID 2076 wrote to memory of 4056 2076 Jcoioabf.exe 105 PID 2076 wrote to memory of 4056 2076 Jcoioabf.exe 105 PID 2076 wrote to memory of 4056 2076 Jcoioabf.exe 105 PID 4056 wrote to memory of 4820 4056 Kfkamk32.exe 106 PID 4056 wrote to memory of 4820 4056 Kfkamk32.exe 106 PID 4056 wrote to memory of 4820 4056 Kfkamk32.exe 106 PID 4820 wrote to memory of 3064 4820 Lmnlpcel.exe 107 PID 4820 wrote to memory of 3064 4820 Lmnlpcel.exe 107 PID 4820 wrote to memory of 3064 4820 Lmnlpcel.exe 107 PID 3064 wrote to memory of 3268 3064 Mmebpbod.exe 108 PID 3064 wrote to memory of 3268 3064 Mmebpbod.exe 108 PID 3064 wrote to memory of 3268 3064 Mmebpbod.exe 108 PID 3268 wrote to memory of 3888 3268 Nkpijfgf.exe 109 PID 3268 wrote to memory of 3888 3268 Nkpijfgf.exe 109 PID 3268 wrote to memory of 3888 3268 Nkpijfgf.exe 109 PID 3888 wrote to memory of 3548 3888 Ndkjik32.exe 110 PID 3888 wrote to memory of 3548 3888 Ndkjik32.exe 110 PID 3888 wrote to memory of 3548 3888 Ndkjik32.exe 110 PID 3548 wrote to memory of 404 3548 Oeopnmoa.exe 111 PID 3548 wrote to memory of 404 3548 Oeopnmoa.exe 111 PID 3548 wrote to memory of 404 3548 Oeopnmoa.exe 111 PID 404 wrote to memory of 4452 404 Agjhbbob.exe 112 PID 404 wrote to memory of 4452 404 Agjhbbob.exe 112 PID 404 wrote to memory of 4452 404 Agjhbbob.exe 112 PID 4452 wrote to memory of 2904 4452 Adqeaf32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Qelcamcj.exeC:\Windows\system32\Qelcamcj.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Eiijfd32.exeC:\Windows\system32\Eiijfd32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Fdmjdkda.exeC:\Windows\system32\Fdmjdkda.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Ggdigekj.exeC:\Windows\system32\Ggdigekj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Hqfqfj32.exeC:\Windows\system32\Hqfqfj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:260 -
C:\Windows\SysWOW64\Hgbfhc32.exeC:\Windows\system32\Hgbfhc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Hclccd32.exeC:\Windows\system32\Hclccd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Ifmldo32.exeC:\Windows\system32\Ifmldo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Jcoioabf.exeC:\Windows\system32\Jcoioabf.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Lmnlpcel.exeC:\Windows\system32\Lmnlpcel.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Nkpijfgf.exeC:\Windows\system32\Nkpijfgf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Ndkjik32.exeC:\Windows\system32\Ndkjik32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Bgkaip32.exeC:\Windows\system32\Bgkaip32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe24⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe25⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Cpmifkgd.exeC:\Windows\system32\Cpmifkgd.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Dojlhg32.exeC:\Windows\system32\Dojlhg32.exe27⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Dpkehi32.exeC:\Windows\system32\Dpkehi32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Doqbifpl.exeC:\Windows\system32\Doqbifpl.exe29⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Eeodqocd.exeC:\Windows\system32\Eeodqocd.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Efampahd.exeC:\Windows\system32\Efampahd.exe31⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Elnehifk.exeC:\Windows\system32\Elnehifk.exe32⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Fcmgpbjc.exeC:\Windows\system32\Fcmgpbjc.exe33⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Fgmllpng.exeC:\Windows\system32\Fgmllpng.exe34⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Gebimmco.exeC:\Windows\system32\Gebimmco.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Gllajf32.exeC:\Windows\system32\Gllajf32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3520 -
C:\Windows\SysWOW64\Geipnl32.exeC:\Windows\system32\Geipnl32.exe37⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Hpaqqdjj.exeC:\Windows\system32\Hpaqqdjj.exe38⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Hjnndime.exeC:\Windows\system32\Hjnndime.exe39⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Hphfac32.exeC:\Windows\system32\Hphfac32.exe40⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Hladlc32.exeC:\Windows\system32\Hladlc32.exe41⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Ihheqd32.exeC:\Windows\system32\Ihheqd32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Ioffhn32.exeC:\Windows\system32\Ioffhn32.exe43⤵
- Executes dropped EXE
PID:4628 -
C:\Windows\SysWOW64\Ioicnn32.exeC:\Windows\system32\Ioicnn32.exe44⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Jgedjjki.exeC:\Windows\system32\Jgedjjki.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4236 -
C:\Windows\SysWOW64\Kmbfiokn.exeC:\Windows\system32\Kmbfiokn.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Nfaijand.exeC:\Windows\system32\Nfaijand.exe47⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Nfdfoala.exeC:\Windows\system32\Nfdfoala.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Ngipjp32.exeC:\Windows\system32\Ngipjp32.exe49⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Ohkijc32.exeC:\Windows\system32\Ohkijc32.exe51⤵
- Executes dropped EXE
PID:3868 -
C:\Windows\SysWOW64\Onngci32.exeC:\Windows\system32\Onngci32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Oalpigkb.exeC:\Windows\system32\Oalpigkb.exe53⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Phiekaql.exeC:\Windows\system32\Phiekaql.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Phkaqqoi.exeC:\Windows\system32\Phkaqqoi.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Pnhjig32.exeC:\Windows\system32\Pnhjig32.exe56⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Aqpika32.exeC:\Windows\system32\Aqpika32.exe58⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Bhennm32.exeC:\Windows\system32\Bhennm32.exe59⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe60⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Ckafkfkp.exeC:\Windows\system32\Ckafkfkp.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Cnboma32.exeC:\Windows\system32\Cnboma32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:412 -
C:\Windows\SysWOW64\Dabhomea.exeC:\Windows\system32\Dabhomea.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:4268 -
C:\Windows\SysWOW64\Dlmegd32.exeC:\Windows\system32\Dlmegd32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Deejpjgc.exeC:\Windows\system32\Deejpjgc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Dalkek32.exeC:\Windows\system32\Dalkek32.exe66⤵PID:3360
-
C:\Windows\SysWOW64\Eieplhlf.exeC:\Windows\system32\Eieplhlf.exe67⤵PID:3584
-
C:\Windows\SysWOW64\Ejglcq32.exeC:\Windows\system32\Ejglcq32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4504 -
C:\Windows\SysWOW64\Eeomfioh.exeC:\Windows\system32\Eeomfioh.exe69⤵
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Engaon32.exeC:\Windows\system32\Engaon32.exe70⤵PID:1320
-
C:\Windows\SysWOW64\Ejnbdp32.exeC:\Windows\system32\Ejnbdp32.exe71⤵PID:3552
-
C:\Windows\SysWOW64\Eiobbgcl.exeC:\Windows\system32\Eiobbgcl.exe72⤵PID:5092
-
C:\Windows\SysWOW64\Fkbkoo32.exeC:\Windows\system32\Fkbkoo32.exe73⤵PID:3620
-
C:\Windows\SysWOW64\Falcli32.exeC:\Windows\system32\Falcli32.exe74⤵
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Flddoa32.exeC:\Windows\system32\Flddoa32.exe75⤵PID:3880
-
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe76⤵PID:568
-
C:\Windows\SysWOW64\Gogjflhf.exeC:\Windows\system32\Gogjflhf.exe77⤵PID:2676
-
C:\Windows\SysWOW64\Giahndcf.exeC:\Windows\system32\Giahndcf.exe78⤵PID:1528
-
C:\Windows\SysWOW64\Gbjlgj32.exeC:\Windows\system32\Gbjlgj32.exe79⤵PID:4364
-
C:\Windows\SysWOW64\Hkjjfkcm.exeC:\Windows\system32\Hkjjfkcm.exe80⤵PID:4996
-
C:\Windows\SysWOW64\Hhnkppbf.exeC:\Windows\system32\Hhnkppbf.exe81⤵PID:2228
-
C:\Windows\SysWOW64\Hedhoc32.exeC:\Windows\system32\Hedhoc32.exe82⤵PID:4940
-
C:\Windows\SysWOW64\Hchihhng.exeC:\Windows\system32\Hchihhng.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Ilcjgm32.exeC:\Windows\system32\Ilcjgm32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Ijkdkq32.exeC:\Windows\system32\Ijkdkq32.exe85⤵PID:5240
-
C:\Windows\SysWOW64\Jfdafa32.exeC:\Windows\system32\Jfdafa32.exe86⤵
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\Jbkbkbfo.exeC:\Windows\system32\Jbkbkbfo.exe87⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Jflgfpkc.exeC:\Windows\system32\Jflgfpkc.exe88⤵PID:5376
-
C:\Windows\SysWOW64\Kfndlphp.exeC:\Windows\system32\Kfndlphp.exe89⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Kfpqap32.exeC:\Windows\system32\Kfpqap32.exe90⤵PID:5464
-
C:\Windows\SysWOW64\Koiejemn.exeC:\Windows\system32\Koiejemn.exe91⤵PID:5500
-
C:\Windows\SysWOW64\Kkofofbb.exeC:\Windows\system32\Kkofofbb.exe92⤵PID:5544
-
C:\Windows\SysWOW64\Kmobii32.exeC:\Windows\system32\Kmobii32.exe93⤵PID:5596
-
C:\Windows\SysWOW64\Lckglc32.exeC:\Windows\system32\Lckglc32.exe94⤵PID:5640
-
C:\Windows\SysWOW64\Lmcldhfp.exeC:\Windows\system32\Lmcldhfp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5680 -
C:\Windows\SysWOW64\Lbqdmodg.exeC:\Windows\system32\Lbqdmodg.exe96⤵PID:5724
-
C:\Windows\SysWOW64\Lmfhjhdm.exeC:\Windows\system32\Lmfhjhdm.exe97⤵
- Drops file in System32 directory
PID:5768 -
C:\Windows\SysWOW64\Lkkekdhe.exeC:\Windows\system32\Lkkekdhe.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5812 -
C:\Windows\SysWOW64\Lcdjba32.exeC:\Windows\system32\Lcdjba32.exe99⤵PID:5860
-
C:\Windows\SysWOW64\Mbjgcnll.exeC:\Windows\system32\Mbjgcnll.exe100⤵PID:5916
-
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe101⤵PID:5960
-
C:\Windows\SysWOW64\Mmfaafej.exeC:\Windows\system32\Mmfaafej.exe102⤵
- Drops file in System32 directory
PID:6012 -
C:\Windows\SysWOW64\Omgjhc32.exeC:\Windows\system32\Omgjhc32.exe103⤵PID:6068
-
C:\Windows\SysWOW64\Ofooqinh.exeC:\Windows\system32\Ofooqinh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Offeahhp.exeC:\Windows\system32\Offeahhp.exe105⤵PID:4060
-
C:\Windows\SysWOW64\Pgmkbg32.exeC:\Windows\system32\Pgmkbg32.exe106⤵PID:5184
-
C:\Windows\SysWOW64\Pljcjn32.exeC:\Windows\system32\Pljcjn32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Pkkdhe32.exeC:\Windows\system32\Pkkdhe32.exe108⤵PID:5316
-
C:\Windows\SysWOW64\Qdfefkll.exeC:\Windows\system32\Qdfefkll.exe109⤵
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Akbjidbf.exeC:\Windows\system32\Akbjidbf.exe110⤵PID:5488
-
C:\Windows\SysWOW64\Apobakpn.exeC:\Windows\system32\Apobakpn.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5536 -
C:\Windows\SysWOW64\Adadbi32.exeC:\Windows\system32\Adadbi32.exe112⤵
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Ajnmjp32.exeC:\Windows\system32\Ajnmjp32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Bqahmhpi.exeC:\Windows\system32\Bqahmhpi.exe114⤵PID:5776
-
C:\Windows\SysWOW64\Cggpfa32.exeC:\Windows\system32\Cggpfa32.exe115⤵PID:5872
-
C:\Windows\SysWOW64\Cnahbk32.exeC:\Windows\system32\Cnahbk32.exe116⤵PID:5968
-
C:\Windows\SysWOW64\Ddkpoelb.exeC:\Windows\system32\Ddkpoelb.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Dqbadf32.exeC:\Windows\system32\Dqbadf32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6136 -
C:\Windows\SysWOW64\Djalnkbo.exeC:\Windows\system32\Djalnkbo.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5224 -
C:\Windows\SysWOW64\Eanqpdgi.exeC:\Windows\system32\Eanqpdgi.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Ekcemmgo.exeC:\Windows\system32\Ekcemmgo.exe121⤵PID:5540
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-