Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30/05/2024, 04:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6563c2a5af62e4f5366abd1a9fea4b50_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
6563c2a5af62e4f5366abd1a9fea4b50_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6563c2a5af62e4f5366abd1a9fea4b50_NeikiAnalytics.exe
-
Size
64KB
-
MD5
6563c2a5af62e4f5366abd1a9fea4b50
-
SHA1
6d85701dd8d6baf64eb25ca2146fea07c353877b
-
SHA256
5babaa75c536dc59fad09b3cd0020dbec59280ce8408be35bfdce546b3177f28
-
SHA512
0fe4d67ae2c5df9890b23706cf9950f7f3d1857371fda6d4f3cd9cc9b5e4279a2f825e7ced15661576766aed864770e8b5c7791b4b871dd1f222b9d625a227e5
-
SSDEEP
768:yG7nyy7tMFsXtMQwvk27jhJdIZmGcs1e+QdctPu3ABDLL2Pl2SKkK7qMqf/1H5NS:yG7yAMFIe1JdGphLZBDLDGvlPnly5VP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcggio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdaociml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkdkplj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmgblok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achegd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbmibhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mblcnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madjhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecoangbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfefkkqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flceckoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogbipa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdlffhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfapd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjffddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ageolo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faenpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inmpcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkabjbih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oalipoiq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgdbnmji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcbiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggqoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbgdlq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjehmfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diccgfpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifmqo32.exe -
Executes dropped EXE 64 IoCs
pid Process 4876 Jmpngk32.exe 1464 Jbmfoa32.exe 3556 Jigollag.exe 3832 Jdmcidam.exe 1012 Jkfkfohj.exe 2836 Kpccnefa.exe 4680 Kbapjafe.exe 1056 Kilhgk32.exe 4268 Kpepcedo.exe 2180 Kkkdan32.exe 3924 Kaemnhla.exe 2740 Kdcijcke.exe 4976 Kknafn32.exe 2640 Kagichjo.exe 1664 Kcifkp32.exe 4176 Kkpnlm32.exe 1436 Kajfig32.exe 4884 Kckbqpnj.exe 3512 Lmqgnhmp.exe 4628 Lcmofolg.exe 2624 Lkdggmlj.exe 2732 Lmccchkn.exe 5072 Ldmlpbbj.exe 2912 Lkgdml32.exe 4312 Lnepih32.exe 3984 Lcbiao32.exe 4700 Lilanioo.exe 3328 Lcdegnep.exe 3660 Ljnnch32.exe 2880 Lgbnmm32.exe 1052 Lknjmkdo.exe 3440 Mpkbebbf.exe 1168 Mnocof32.exe 2900 Mdiklqhm.exe 2412 Mgghhlhq.exe 4128 Mamleegg.exe 3384 Mcnhmm32.exe 4756 Mjhqjg32.exe 856 Mpaifalo.exe 4188 Mcpebmkb.exe 4576 Mkgmcjld.exe 2480 Mnfipekh.exe 3696 Mpdelajl.exe 384 Mcbahlip.exe 4304 Njljefql.exe 4796 Nqfbaq32.exe 4988 Nceonl32.exe 432 Nklfoi32.exe 3396 Njogjfoj.exe 4868 Nafokcol.exe 2128 Nddkgonp.exe 4544 Njacpf32.exe 1688 Nbhkac32.exe 5104 Ndghmo32.exe 4024 Njcpee32.exe 996 Nnolfdcn.exe 4644 Nqmhbpba.exe 2824 Nggqoj32.exe 452 Njfmke32.exe 1800 Nbmelbid.exe 1828 Ncnadk32.exe 1528 Ojhiqefo.exe 4052 Oqbamo32.exe 904 Ojjffddl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Loacdc32.exe Process not Found File created C:\Windows\SysWOW64\Clnjjpod.exe Chbnia32.exe File created C:\Windows\SysWOW64\Knkekn32.exe Kgamnded.exe File opened for modification C:\Windows\SysWOW64\Ebgpad32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Djhimica.exe Dcnqpo32.exe File created C:\Windows\SysWOW64\Hfgefhai.dll Hkfoeega.exe File created C:\Windows\SysWOW64\Eohipl32.dll Njqmepik.exe File opened for modification C:\Windows\SysWOW64\Lejgch32.exe Lbkkgl32.exe File opened for modification C:\Windows\SysWOW64\Kfpcoefj.exe Process not Found File created C:\Windows\SysWOW64\Paadbk32.dll Ffgqqaip.exe File created C:\Windows\SysWOW64\Jocgnlha.dll Process not Found File created C:\Windows\SysWOW64\Hpnoncim.exe Process not Found File created C:\Windows\SysWOW64\Folnlh32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kcoccc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kpccnefa.exe Jkfkfohj.exe File created C:\Windows\SysWOW64\Ockcknah.dll Mnocof32.exe File created C:\Windows\SysWOW64\Kopapk32.dll Gphgbafl.exe File opened for modification C:\Windows\SysWOW64\Dqnjgl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dmgbnq32.exe Dkifae32.exe File opened for modification C:\Windows\SysWOW64\Fdbdah32.exe Eachem32.exe File opened for modification C:\Windows\SysWOW64\Flmqlg32.exe Process not Found File created C:\Windows\SysWOW64\Kahobhgo.dll Oeaoab32.exe File created C:\Windows\SysWOW64\Aglmllpq.dll Process not Found File created C:\Windows\SysWOW64\Jgefkimp.dll Mlefklpj.exe File opened for modification C:\Windows\SysWOW64\Fojedapj.exe Feapkk32.exe File created C:\Windows\SysWOW64\Ieneofbo.dll Ckfphc32.exe File created C:\Windows\SysWOW64\Gdliee32.dll Pkogiikb.exe File opened for modification C:\Windows\SysWOW64\Blhpqhlh.exe Bjicdmmd.exe File created C:\Windows\SysWOW64\Ipmbjgpi.exe Innfnl32.exe File created C:\Windows\SysWOW64\Mcbahlip.exe Mpdelajl.exe File opened for modification C:\Windows\SysWOW64\Ekcpbj32.exe Ehedfo32.exe File opened for modification C:\Windows\SysWOW64\Pomgjn32.exe Pjpobg32.exe File created C:\Windows\SysWOW64\Mlmgnn32.dll Bfbaonae.exe File created C:\Windows\SysWOW64\Ehpadhll.exe Process not Found File created C:\Windows\SysWOW64\Ciopbjik.dll Pmfhig32.exe File created C:\Windows\SysWOW64\Iddgpk32.dll Idahjg32.exe File created C:\Windows\SysWOW64\Pkegpb32.exe Process not Found File created C:\Windows\SysWOW64\Cpeohh32.exe Cjhfpa32.exe File created C:\Windows\SysWOW64\Nbefdijg.exe Nknobkje.exe File created C:\Windows\SysWOW64\Cglbhhga.exe Process not Found File created C:\Windows\SysWOW64\Fbohan32.dll Bahmfj32.exe File created C:\Windows\SysWOW64\Pdfjifjo.exe Pqknig32.exe File created C:\Windows\SysWOW64\Qfbobf32.exe Qqffjo32.exe File opened for modification C:\Windows\SysWOW64\Jppnpjel.exe Process not Found File opened for modification C:\Windows\SysWOW64\Khiofk32.exe Process not Found File created C:\Windows\SysWOW64\Kicpplqn.dll Fpjjac32.exe File created C:\Windows\SysWOW64\Negcig32.dll Ahjgjj32.exe File opened for modification C:\Windows\SysWOW64\Mjnnbk32.exe Process not Found File created C:\Windows\SysWOW64\Gaaklfpn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Okjbpglo.exe Occkojkm.exe File created C:\Windows\SysWOW64\Ahqddk32.exe Qaflgago.exe File created C:\Windows\SysWOW64\Bcghka32.dll Fmkgkapm.exe File opened for modification C:\Windows\SysWOW64\Jmpgldhg.exe Jbjcolha.exe File created C:\Windows\SysWOW64\Ndkqipob.dll Cndikf32.exe File opened for modification C:\Windows\SysWOW64\Eaakpm32.exe Eobocb32.exe File created C:\Windows\SysWOW64\Dccledea.dll Cbgnemjj.exe File opened for modification C:\Windows\SysWOW64\Qdbiedpa.exe Qmkadgpo.exe File created C:\Windows\SysWOW64\Mhghfqcd.dll Jecofa32.exe File opened for modification C:\Windows\SysWOW64\Ikndgg32.exe Iddljmpc.exe File created C:\Windows\SysWOW64\Cbdjeg32.exe Process not Found File created C:\Windows\SysWOW64\Dmennnni.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hghoeqmp.exe Hdicienl.exe File created C:\Windows\SysWOW64\Mlelal32.dll Process not Found File created C:\Windows\SysWOW64\Ojmjcf32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 3528 15440 Process not Found 1687 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npcoakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbgoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhblk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmkhg32.dll" Okolkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkoiefmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnknc32.dll" Cpleig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcijdmpm.dll" Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnpclpq.dll" Jlobkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfhdlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjehmfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgnbaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ildkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbfpack.dll" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkabjbih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdheded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chjaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fajnfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggcfja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmfmgnc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbhll32.dll" Hmfkoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeekll32.dll" Edemkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfjgifo.dll" Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdmein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqichhmn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgehcmmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohokaph.dll" Qikgco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lekmnajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ialjan32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Collmj32.dll" Elgfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaindh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogab32.dll" Dlgmpogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glojhi32.dll" Egnchd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nafjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgdbi32.dll" Ghlcnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll" Mibpda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klmpiiai.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2724 wrote to memory of 4876 2724 6563c2a5af62e4f5366abd1a9fea4b50_NeikiAnalytics.exe 82 PID 2724 wrote to memory of 4876 2724 6563c2a5af62e4f5366abd1a9fea4b50_NeikiAnalytics.exe 82 PID 2724 wrote to memory of 4876 2724 6563c2a5af62e4f5366abd1a9fea4b50_NeikiAnalytics.exe 82 PID 4876 wrote to memory of 1464 4876 Jmpngk32.exe 83 PID 4876 wrote to memory of 1464 4876 Jmpngk32.exe 83 PID 4876 wrote to memory of 1464 4876 Jmpngk32.exe 83 PID 1464 wrote to memory of 3556 1464 Jbmfoa32.exe 84 PID 1464 wrote to memory of 3556 1464 Jbmfoa32.exe 84 PID 1464 wrote to memory of 3556 1464 Jbmfoa32.exe 84 PID 3556 wrote to memory of 3832 3556 Jigollag.exe 85 PID 3556 wrote to memory of 3832 3556 Jigollag.exe 85 PID 3556 wrote to memory of 3832 3556 Jigollag.exe 85 PID 3832 wrote to memory of 1012 3832 Jdmcidam.exe 86 PID 3832 wrote to memory of 1012 3832 Jdmcidam.exe 86 PID 3832 wrote to memory of 1012 3832 Jdmcidam.exe 86 PID 1012 wrote to memory of 2836 1012 Jkfkfohj.exe 87 PID 1012 wrote to memory of 2836 1012 Jkfkfohj.exe 87 PID 1012 wrote to memory of 2836 1012 Jkfkfohj.exe 87 PID 2836 wrote to memory of 4680 2836 Kpccnefa.exe 88 PID 2836 wrote to memory of 4680 2836 Kpccnefa.exe 88 PID 2836 wrote to memory of 4680 2836 Kpccnefa.exe 88 PID 4680 wrote to memory of 1056 4680 Kbapjafe.exe 89 PID 4680 wrote to memory of 1056 4680 Kbapjafe.exe 89 PID 4680 wrote to memory of 1056 4680 Kbapjafe.exe 89 PID 1056 wrote to memory of 4268 1056 Kilhgk32.exe 90 PID 1056 wrote to memory of 4268 1056 Kilhgk32.exe 90 PID 1056 wrote to memory of 4268 1056 Kilhgk32.exe 90 PID 4268 wrote to memory of 2180 4268 Kpepcedo.exe 91 PID 4268 wrote to memory of 2180 4268 Kpepcedo.exe 91 PID 4268 wrote to memory of 2180 4268 Kpepcedo.exe 91 PID 2180 wrote to memory of 3924 2180 Kkkdan32.exe 92 PID 2180 wrote to memory of 3924 2180 Kkkdan32.exe 92 PID 2180 wrote to memory of 3924 2180 Kkkdan32.exe 92 PID 3924 wrote to memory of 2740 3924 Kaemnhla.exe 93 PID 3924 wrote to memory of 2740 3924 Kaemnhla.exe 93 PID 3924 wrote to memory of 2740 3924 Kaemnhla.exe 93 PID 2740 wrote to memory of 4976 2740 Kdcijcke.exe 94 PID 2740 wrote to memory of 4976 2740 Kdcijcke.exe 94 PID 2740 wrote to memory of 4976 2740 Kdcijcke.exe 94 PID 4976 wrote to memory of 2640 4976 Kknafn32.exe 95 PID 4976 wrote to memory of 2640 4976 Kknafn32.exe 95 PID 4976 wrote to memory of 2640 4976 Kknafn32.exe 95 PID 2640 wrote to memory of 1664 2640 Kagichjo.exe 96 PID 2640 wrote to memory of 1664 2640 Kagichjo.exe 96 PID 2640 wrote to memory of 1664 2640 Kagichjo.exe 96 PID 1664 wrote to memory of 4176 1664 Kcifkp32.exe 97 PID 1664 wrote to memory of 4176 1664 Kcifkp32.exe 97 PID 1664 wrote to memory of 4176 1664 Kcifkp32.exe 97 PID 4176 wrote to memory of 1436 4176 Kkpnlm32.exe 98 PID 4176 wrote to memory of 1436 4176 Kkpnlm32.exe 98 PID 4176 wrote to memory of 1436 4176 Kkpnlm32.exe 98 PID 1436 wrote to memory of 4884 1436 Kajfig32.exe 99 PID 1436 wrote to memory of 4884 1436 Kajfig32.exe 99 PID 1436 wrote to memory of 4884 1436 Kajfig32.exe 99 PID 4884 wrote to memory of 3512 4884 Kckbqpnj.exe 100 PID 4884 wrote to memory of 3512 4884 Kckbqpnj.exe 100 PID 4884 wrote to memory of 3512 4884 Kckbqpnj.exe 100 PID 3512 wrote to memory of 4628 3512 Lmqgnhmp.exe 101 PID 3512 wrote to memory of 4628 3512 Lmqgnhmp.exe 101 PID 3512 wrote to memory of 4628 3512 Lmqgnhmp.exe 101 PID 4628 wrote to memory of 2624 4628 Lcmofolg.exe 102 PID 4628 wrote to memory of 2624 4628 Lcmofolg.exe 102 PID 4628 wrote to memory of 2624 4628 Lcmofolg.exe 102 PID 2624 wrote to memory of 2732 2624 Lkdggmlj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6563c2a5af62e4f5366abd1a9fea4b50_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6563c2a5af62e4f5366abd1a9fea4b50_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe23⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe24⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe25⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe26⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe28⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe29⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe30⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe31⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe32⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe33⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe34⤵PID:4556
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe36⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe37⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe38⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe39⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe40⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe41⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe42⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe43⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe44⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3696 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe46⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe47⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe48⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe49⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe50⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe51⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe52⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe53⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe54⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe55⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe56⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe57⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe58⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe59⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe61⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe62⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe63⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe64⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe65⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe67⤵PID:696
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe68⤵
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe69⤵PID:5008
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe70⤵PID:4392
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe71⤵PID:224
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe72⤵PID:2352
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe73⤵PID:1628
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe74⤵PID:1916
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe75⤵PID:2956
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe76⤵
- Modifies registry class
PID:3676 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe77⤵PID:3516
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe78⤵PID:3640
-
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe79⤵PID:4328
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe80⤵PID:3376
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe81⤵PID:2096
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe82⤵PID:1424
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe83⤵PID:1196
-
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe84⤵PID:680
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe85⤵PID:4060
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe86⤵PID:3340
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe87⤵PID:4356
-
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe88⤵PID:3880
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe89⤵PID:532
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe90⤵PID:5128
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe91⤵PID:5172
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe92⤵PID:5216
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe93⤵PID:5260
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe94⤵PID:5296
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe95⤵PID:5356
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe96⤵PID:5396
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe97⤵PID:5444
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe98⤵PID:5512
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe99⤵PID:5560
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe100⤵PID:5620
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe101⤵PID:5672
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe102⤵PID:5720
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe103⤵PID:5768
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe104⤵PID:5844
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe105⤵PID:5896
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe106⤵PID:5972
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe107⤵PID:6020
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe108⤵PID:6068
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe109⤵PID:6112
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe110⤵PID:5100
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe111⤵PID:5180
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe112⤵PID:5248
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe113⤵PID:5352
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe114⤵
- Drops file in System32 directory
PID:5404 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe115⤵PID:5496
-
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe116⤵PID:5592
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe117⤵PID:5704
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe118⤵PID:5760
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe119⤵PID:5872
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe120⤵PID:5956
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe121⤵PID:6052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-