Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20/05/2024, 00:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe
-
Size
67KB
-
MD5
67702883dd22f735a34feb71a8f4d840
-
SHA1
bf8ef23bcef2e5cec76b9d3d6c7e6d7f5dfd0577
-
SHA256
7e7d31eb55d4cf579610888d2c43ac765e4854b4cfd453e14c785fe9391a585d
-
SHA512
411240e5d3e737b6a2490cd7a0720599a2c121155b7ac9c18e2b83f206bb4425f0300690ef61d46f4973f93dd0dae178ac9223255eb411afd5a0ad619fd6f913
-
SSDEEP
1536:C2jucwtXBP+fFqU2Es2vd8vK5Na1cgCe8uC:TucwtV+fFr2A0+NaugCe8uC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beeflhdh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edbklofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkojgao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbmmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pndohaqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqkgpedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oimkbaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mldhfpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dedkdcie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhfee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogifjcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohiemobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefioj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Likjcbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqmlknnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohghgodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fomhdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcmmeog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojanpej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifnhpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahenokjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfhlejnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oofaiokl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdfnolo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippggbck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mipcob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcqpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhknpmma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhpgofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbnpqk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meamcg32.exe -
Executes dropped EXE 64 IoCs
pid Process 3108 Jaimbj32.exe 1016 Jbkjjblm.exe 1576 Jjbako32.exe 2524 Jmpngk32.exe 4932 Jaljgidl.exe 2384 Jigollag.exe 5612 Jpaghf32.exe 3904 Jkfkfohj.exe 1432 Kpccnefa.exe 5376 Kgmlkp32.exe 4688 Kilhgk32.exe 5180 Kdaldd32.exe 1484 Kkkdan32.exe 5940 Kmjqmi32.exe 4992 Kknafn32.exe 4004 Kpjjod32.exe 1852 Kcifkp32.exe 4048 Kibnhjgj.exe 1824 Kdhbec32.exe 5544 Kkbkamnl.exe 5416 Lmqgnhmp.exe 5296 Ldkojb32.exe 4072 Lgikfn32.exe 3512 Lkdggmlj.exe 660 Laopdgcg.exe 2600 Ldmlpbbj.exe 4056 Ldohebqh.exe 3496 Lkiqbl32.exe 2872 Ldaeka32.exe 5304 Lklnhlfb.exe 116 Lnjjdgee.exe 5156 Lcgblncm.exe 4856 Mnlfigcc.exe 1184 Mdfofakp.exe 4884 Mgekbljc.exe 452 Mnocof32.exe 6008 Mpmokb32.exe 5608 Mdiklqhm.exe 2136 Mkbchk32.exe 3492 Mnapdf32.exe 2436 Mdkhapfj.exe 2984 Mkepnjng.exe 5700 Mncmjfmk.exe 5160 Maohkd32.exe 5240 Mdmegp32.exe 1144 Mglack32.exe 3056 Mjjmog32.exe 5348 Maaepd32.exe 1740 Mpdelajl.exe 6120 Mgnnhk32.exe 3408 Njljefql.exe 6088 Nnhfee32.exe 2748 Ndbnboqb.exe 4776 Nklfoi32.exe 1196 Nnjbke32.exe 5340 Nqiogp32.exe 4984 Ncgkcl32.exe 5796 Nkncdifl.exe 6092 Nbhkac32.exe 5232 Ndghmo32.exe 1076 Ngedij32.exe 5020 Nkqpjidj.exe 2376 Nnolfdcn.exe 2472 Ndidbn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lgikfn32.exe Ldkojb32.exe File opened for modification C:\Windows\SysWOW64\Bkidenlg.exe Blfdia32.exe File created C:\Windows\SysWOW64\Lckiihok.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nnfpinmi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qfmmplad.exe Process not Found File created C:\Windows\SysWOW64\Gjhilj32.dll Gbbkaako.exe File created C:\Windows\SysWOW64\Kahobhgo.dll Oimkbaed.exe File opened for modification C:\Windows\SysWOW64\Aejfpjne.exe Abkjdnoa.exe File created C:\Windows\SysWOW64\Cfpnph32.exe Cdabcm32.exe File opened for modification C:\Windows\SysWOW64\Lbchba32.exe Llipehgk.exe File opened for modification C:\Windows\SysWOW64\Dfnbgc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qjbena32.exe Qchmagie.exe File created C:\Windows\SysWOW64\Ekphijkm.dll Pmannhhj.exe File opened for modification C:\Windows\SysWOW64\Hlambk32.exe Hgdejd32.exe File opened for modification C:\Windows\SysWOW64\Njpdnedf.exe Process not Found File created C:\Windows\SysWOW64\Olihhh32.dll Pjdilcla.exe File created C:\Windows\SysWOW64\Fcneih32.dll Gfpcgpae.exe File created C:\Windows\SysWOW64\Pdpmpdbd.exe Pqdqof32.exe File created C:\Windows\SysWOW64\Kmonnmjm.dll Foghnabl.exe File created C:\Windows\SysWOW64\Eelche32.dll Process not Found File created C:\Windows\SysWOW64\Ondljl32.exe Process not Found File created C:\Windows\SysWOW64\Allebf32.dll Lekehdgp.exe File opened for modification C:\Windows\SysWOW64\Jfpojead.exe Jilnqqbj.exe File opened for modification C:\Windows\SysWOW64\Qljjjqlc.exe Qjlnnemp.exe File created C:\Windows\SysWOW64\Ggnjnq32.dll Ejflhm32.exe File created C:\Windows\SysWOW64\Gmnala32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kjgeedch.exe Process not Found File created C:\Windows\SysWOW64\Nnahhegq.dll Process not Found File created C:\Windows\SysWOW64\Ncbafoge.exe Process not Found File created C:\Windows\SysWOW64\Ogdimilg.dll Kibnhjgj.exe File created C:\Windows\SysWOW64\Hnbfbhoh.dll Amodep32.exe File created C:\Windows\SysWOW64\Gkdhjknm.exe Fhflnpoi.exe File opened for modification C:\Windows\SysWOW64\Mbenmk32.exe Mniallpq.exe File created C:\Windows\SysWOW64\Npakijcp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mbbagk32.exe Mngegmbc.exe File opened for modification C:\Windows\SysWOW64\Nnolfdcn.exe Nkqpjidj.exe File created C:\Windows\SysWOW64\Ieakglmn.dll Hioiji32.exe File created C:\Windows\SysWOW64\Gidbch32.dll Ccchof32.exe File opened for modification C:\Windows\SysWOW64\Eidbij32.exe Efffmo32.exe File created C:\Windows\SysWOW64\Fipbdikp.exe Fgbfhmll.exe File created C:\Windows\SysWOW64\Fhdohp32.exe Fpmggb32.exe File created C:\Windows\SysWOW64\Nogiifoh.dll Lajagj32.exe File created C:\Windows\SysWOW64\Kmkdjo32.dll Process not Found File created C:\Windows\SysWOW64\Epbahkcp.dll Fkopnh32.exe File created C:\Windows\SysWOW64\Gdqgmmjb.exe Gbbkaako.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hiiggoaf.exe File opened for modification C:\Windows\SysWOW64\Fmkqpkla.exe Process not Found File created C:\Windows\SysWOW64\Lgmdfppj.dll Fajnfl32.exe File opened for modification C:\Windows\SysWOW64\Najceeoo.exe Nkqkhk32.exe File created C:\Windows\SysWOW64\Amlkko32.dll Kdbjhbbd.exe File created C:\Windows\SysWOW64\Pdgdjjem.dll Mkbchk32.exe File created C:\Windows\SysWOW64\Kldbpfio.dll Process not Found File created C:\Windows\SysWOW64\Fpimlfke.exe Process not Found File created C:\Windows\SysWOW64\Hcjnlmph.dll Process not Found File created C:\Windows\SysWOW64\Iipejo32.dll Cpeohh32.exe File created C:\Windows\SysWOW64\Ppmflc32.dll Iafonaao.exe File opened for modification C:\Windows\SysWOW64\Qeodhjmo.exe Process not Found File created C:\Windows\SysWOW64\Llqjbhdc.exe Process not Found File created C:\Windows\SysWOW64\Miaboe32.exe Meefofek.exe File created C:\Windows\SysWOW64\Hiipmhmk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kcapicdj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kfoafi32.exe Kpeiioac.exe File created C:\Windows\SysWOW64\Enfdlg32.dll Aggegh32.exe File created C:\Windows\SysWOW64\Icpkgc32.dll Hpcodihc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15780 1532 Process not Found 1681 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqpnombl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfcqpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglkaf32.dll" Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmdae32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmpfbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkbkdkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kageaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibepke32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaiemli.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll" Kibnhjgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjlnlii.dll" Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalojih.dll" Cbgbgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppmcdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nogiifoh.dll" Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnedaem.dll" Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpildobq.dll" Ohkbbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlelal32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpppnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indmnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lejgch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffobhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkbkamnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iflbnkbi.dll" Hbbmmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjmkoeqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcodk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpelohh.dll" Nbmelbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll" Kdeoemeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eonehbjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgempgqo.dll" Bbnpqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcpem32.dll" Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll" Lmqgnhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opakdijo.dll" Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnifpf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmhel32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaopfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpiopih.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllifblf.dll" Jfaedkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iickkbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noiilpik.dll" Bppfmigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omnlgb32.dll" Feapkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefekh32.dll" Fhdohp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbifelba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opeemh32.dll" Edhjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehcdm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blmacb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1124 wrote to memory of 3108 1124 67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe 83 PID 1124 wrote to memory of 3108 1124 67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe 83 PID 1124 wrote to memory of 3108 1124 67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe 83 PID 3108 wrote to memory of 1016 3108 Jaimbj32.exe 84 PID 3108 wrote to memory of 1016 3108 Jaimbj32.exe 84 PID 3108 wrote to memory of 1016 3108 Jaimbj32.exe 84 PID 1016 wrote to memory of 1576 1016 Jbkjjblm.exe 85 PID 1016 wrote to memory of 1576 1016 Jbkjjblm.exe 85 PID 1016 wrote to memory of 1576 1016 Jbkjjblm.exe 85 PID 1576 wrote to memory of 2524 1576 Jjbako32.exe 86 PID 1576 wrote to memory of 2524 1576 Jjbako32.exe 86 PID 1576 wrote to memory of 2524 1576 Jjbako32.exe 86 PID 2524 wrote to memory of 4932 2524 Jmpngk32.exe 87 PID 2524 wrote to memory of 4932 2524 Jmpngk32.exe 87 PID 2524 wrote to memory of 4932 2524 Jmpngk32.exe 87 PID 4932 wrote to memory of 2384 4932 Jaljgidl.exe 88 PID 4932 wrote to memory of 2384 4932 Jaljgidl.exe 88 PID 4932 wrote to memory of 2384 4932 Jaljgidl.exe 88 PID 2384 wrote to memory of 5612 2384 Jigollag.exe 90 PID 2384 wrote to memory of 5612 2384 Jigollag.exe 90 PID 2384 wrote to memory of 5612 2384 Jigollag.exe 90 PID 5612 wrote to memory of 3904 5612 Jpaghf32.exe 91 PID 5612 wrote to memory of 3904 5612 Jpaghf32.exe 91 PID 5612 wrote to memory of 3904 5612 Jpaghf32.exe 91 PID 3904 wrote to memory of 1432 3904 Jkfkfohj.exe 92 PID 3904 wrote to memory of 1432 3904 Jkfkfohj.exe 92 PID 3904 wrote to memory of 1432 3904 Jkfkfohj.exe 92 PID 1432 wrote to memory of 5376 1432 Kpccnefa.exe 93 PID 1432 wrote to memory of 5376 1432 Kpccnefa.exe 93 PID 1432 wrote to memory of 5376 1432 Kpccnefa.exe 93 PID 5376 wrote to memory of 4688 5376 Kgmlkp32.exe 94 PID 5376 wrote to memory of 4688 5376 Kgmlkp32.exe 94 PID 5376 wrote to memory of 4688 5376 Kgmlkp32.exe 94 PID 4688 wrote to memory of 5180 4688 Kilhgk32.exe 96 PID 4688 wrote to memory of 5180 4688 Kilhgk32.exe 96 PID 4688 wrote to memory of 5180 4688 Kilhgk32.exe 96 PID 5180 wrote to memory of 1484 5180 Kdaldd32.exe 97 PID 5180 wrote to memory of 1484 5180 Kdaldd32.exe 97 PID 5180 wrote to memory of 1484 5180 Kdaldd32.exe 97 PID 1484 wrote to memory of 5940 1484 Kkkdan32.exe 98 PID 1484 wrote to memory of 5940 1484 Kkkdan32.exe 98 PID 1484 wrote to memory of 5940 1484 Kkkdan32.exe 98 PID 5940 wrote to memory of 4992 5940 Kmjqmi32.exe 99 PID 5940 wrote to memory of 4992 5940 Kmjqmi32.exe 99 PID 5940 wrote to memory of 4992 5940 Kmjqmi32.exe 99 PID 4992 wrote to memory of 4004 4992 Kknafn32.exe 100 PID 4992 wrote to memory of 4004 4992 Kknafn32.exe 100 PID 4992 wrote to memory of 4004 4992 Kknafn32.exe 100 PID 4004 wrote to memory of 1852 4004 Kpjjod32.exe 101 PID 4004 wrote to memory of 1852 4004 Kpjjod32.exe 101 PID 4004 wrote to memory of 1852 4004 Kpjjod32.exe 101 PID 1852 wrote to memory of 4048 1852 Kcifkp32.exe 102 PID 1852 wrote to memory of 4048 1852 Kcifkp32.exe 102 PID 1852 wrote to memory of 4048 1852 Kcifkp32.exe 102 PID 4048 wrote to memory of 1824 4048 Kibnhjgj.exe 103 PID 4048 wrote to memory of 1824 4048 Kibnhjgj.exe 103 PID 4048 wrote to memory of 1824 4048 Kibnhjgj.exe 103 PID 1824 wrote to memory of 5544 1824 Kdhbec32.exe 104 PID 1824 wrote to memory of 5544 1824 Kdhbec32.exe 104 PID 1824 wrote to memory of 5544 1824 Kdhbec32.exe 104 PID 5544 wrote to memory of 5416 5544 Kkbkamnl.exe 105 PID 5544 wrote to memory of 5416 5544 Kkbkamnl.exe 105 PID 5544 wrote to memory of 5416 5544 Kkbkamnl.exe 105 PID 5416 wrote to memory of 5296 5416 Lmqgnhmp.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5612 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5376 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5180 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5940 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5544 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5416 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5296 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe24⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe25⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe26⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe27⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe28⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe29⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe30⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe31⤵
- Executes dropped EXE
PID:5304 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe32⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe33⤵
- Executes dropped EXE
PID:5156 -
C:\Windows\SysWOW64\Mnlfigcc.exeC:\Windows\system32\Mnlfigcc.exe34⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe35⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe36⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe37⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe38⤵
- Executes dropped EXE
PID:6008 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe39⤵
- Executes dropped EXE
PID:5608 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe41⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe42⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe43⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe44⤵
- Executes dropped EXE
PID:5700 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe45⤵
- Executes dropped EXE
PID:5160 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe46⤵
- Executes dropped EXE
PID:5240 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe47⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe48⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe49⤵
- Executes dropped EXE
PID:5348 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe50⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe51⤵
- Executes dropped EXE
PID:6120 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe52⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:6088 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe54⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe55⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe56⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe57⤵
- Executes dropped EXE
PID:5340 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe58⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe59⤵
- Executes dropped EXE
PID:5796 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe60⤵
- Executes dropped EXE
PID:6092 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe61⤵
- Executes dropped EXE
PID:5232 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe62⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5020 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe64⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe65⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe66⤵PID:3544
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe67⤵PID:5648
-
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe68⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe69⤵PID:2352
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe70⤵PID:1992
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe71⤵PID:392
-
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe72⤵PID:5904
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe73⤵PID:2720
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe74⤵PID:1120
-
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe75⤵PID:2972
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe76⤵PID:5936
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe77⤵PID:428
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe78⤵PID:5960
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe79⤵PID:5520
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe80⤵PID:2328
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe81⤵PID:4696
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe82⤵PID:3636
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe83⤵PID:4356
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe84⤵PID:3348
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe85⤵PID:3236
-
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe86⤵
- Drops file in System32 directory
PID:3680 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe87⤵PID:4692
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe88⤵PID:4828
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe89⤵PID:4892
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe90⤵PID:1988
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe91⤵
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe92⤵PID:1416
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe93⤵PID:1572
-
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:712 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe95⤵PID:3020
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe96⤵PID:2764
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe97⤵PID:5592
-
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe98⤵PID:4592
-
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe99⤵PID:1584
-
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe100⤵PID:3656
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe101⤵PID:4824
-
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe102⤵PID:3456
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe103⤵PID:4888
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe104⤵PID:5136
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe105⤵PID:5164
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe106⤵PID:2264
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe107⤵PID:5732
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe108⤵PID:6004
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe109⤵PID:3596
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe110⤵PID:4272
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe111⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe112⤵PID:4604
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe113⤵PID:4852
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe114⤵PID:5644
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe115⤵PID:5088
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe116⤵PID:616
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe117⤵PID:5004
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe118⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe119⤵PID:5292
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe120⤵PID:2664
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe121⤵PID:5652
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-