Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
07/06/2024, 14:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
60191593678d820a2c5037d35494be00_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
60191593678d820a2c5037d35494be00_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
60191593678d820a2c5037d35494be00_NeikiAnalytics.exe
-
Size
123KB
-
MD5
60191593678d820a2c5037d35494be00
-
SHA1
f9dc147d588d21e3f6ea179741f85a1bcf20b062
-
SHA256
467347b7c1b5d70e0f08abca2a641f9f3b3e77c8c0e8a2f92ac407e06f915a20
-
SHA512
8d8797ecbb423359327ae263232c33fc5eb0218b2b9c7233ac16aa33689729a5cf843368f975c18fb6401a7bc3c2040a32282096cbde46749d8f15f078983198
-
SSDEEP
3072:HD205nQocFhqZTGWiRYSa9rR85DEn5k7r8:j20JJcXqZ6Wi4rQD85k/8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndhmhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcibama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jblpek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbmibhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdehlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miemjaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlefklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcpnhfhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pncgmkmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlednamo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedoge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldleel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agoabn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chmeobkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdgdgnbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqpgdfnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceoibflm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfoafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cehkhecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gicinj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nckndeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcjlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfifmnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jioaqfcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcmabg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcicmqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgbdlf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjghpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlaegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocpgod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpablkhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deoaid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljcmlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ildkgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icplcpgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdckfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeklkchg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doqpak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldpkoil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlopkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njciko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Behbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cliaoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deoaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liimncmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcijeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkhibmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Migjoaaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeiofcji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bemlmgnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbcilkjg.exe -
Executes dropped EXE 64 IoCs
pid Process 4632 Qecppkdm.exe 4104 Qkmhlekj.exe 1152 Qnkdhpjn.exe 1676 Qbimoo32.exe 1528 Acjjfggb.exe 2380 Aanjpk32.exe 2104 Anbkio32.exe 1744 Aelcfilb.exe 1760 Alfkbc32.exe 4048 Aacckjaf.exe 692 Alhhhcal.exe 4056 Aealah32.exe 4124 Bahmfj32.exe 1304 Blmacb32.exe 3352 Beeflhdh.exe 4864 Behbag32.exe 768 Bjdkjo32.exe 3260 Bopgjmhe.exe 2340 Bhikcb32.exe 2460 Bjghpn32.exe 5060 Baaplhef.exe 3768 Bemlmgnp.exe 4028 Bdolhc32.exe 336 Bhkhibmc.exe 1248 Bkidenlg.exe 3492 Boepel32.exe 4268 Cacmah32.exe 2336 Ceoibflm.exe 548 Cdainc32.exe 1804 Chmeobkq.exe 628 Cliaoq32.exe 4736 Cbcilkjg.exe 224 Cafigg32.exe 3068 Ceaehfjj.exe 4416 Cddecc32.exe 1368 Chpada32.exe 824 Cknnpm32.exe 2824 Cojjqlpk.exe 1260 Cbefaj32.exe 4648 Cahfmgoo.exe 1392 Cdfbibnb.exe 1888 Chbnia32.exe 864 Clnjjpod.exe 4492 Ckpjfm32.exe 1432 Cdiooblp.exe 4952 Ckcgkldl.exe 3588 Cehkhecb.exe 1104 Cdkldb32.exe 4060 Clbceo32.exe 3464 Ckedalaj.exe 4544 Doqpak32.exe 2556 Dbllbibl.exe 3488 Dekhneap.exe 1704 Ddmhja32.exe 4120 Dldpkoil.exe 3496 Dkgqfl32.exe 220 Dboigi32.exe 3812 Demecd32.exe 4904 Dlgmpogj.exe 1680 Dadeieea.exe 5036 Deoaid32.exe 2308 Dlijfneg.exe 3064 Dohfbj32.exe 1148 Dccbbhld.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bcjlcn32.exe Beglgani.exe File created C:\Windows\SysWOW64\Odqjbebh.dll Hkfoeega.exe File created C:\Windows\SysWOW64\Jfcbjk32.exe Jbhfjljd.exe File created C:\Windows\SysWOW64\Ncmlocln.dll Lffhfh32.exe File created C:\Windows\SysWOW64\Gbmhofmq.dll Pgioqq32.exe File created C:\Windows\SysWOW64\Cdfbibnb.exe Cahfmgoo.exe File opened for modification C:\Windows\SysWOW64\Gkmlofol.exe Gdcdbl32.exe File opened for modification C:\Windows\SysWOW64\Ceehho32.exe Cajlhqjp.exe File created C:\Windows\SysWOW64\Bhgejlhj.dll Behbag32.exe File created C:\Windows\SysWOW64\Hfifmnij.exe Hckjacjg.exe File opened for modification C:\Windows\SysWOW64\Kmncnb32.exe Kibgmdcn.exe File opened for modification C:\Windows\SysWOW64\Lenamdem.exe Lfkaag32.exe File created C:\Windows\SysWOW64\Idodkeom.dll Npcoakfp.exe File opened for modification C:\Windows\SysWOW64\Ojoign32.exe Ofcmfodb.exe File created C:\Windows\SysWOW64\Cogflbdn.dll Dhhnpjmh.exe File created C:\Windows\SysWOW64\Oammoc32.dll Dmgbnq32.exe File created C:\Windows\SysWOW64\Fafkecel.exe Fcckif32.exe File created C:\Windows\SysWOW64\Lnhjmp32.dll Kboljk32.exe File opened for modification C:\Windows\SysWOW64\Ocbddc32.exe Odocigqg.exe File created C:\Windows\SysWOW64\Amjknl32.dll Deagdn32.exe File created C:\Windows\SysWOW64\Flceckoj.exe Fhgjblfq.exe File created C:\Windows\SysWOW64\Pflplnlg.exe Pgioqq32.exe File created C:\Windows\SysWOW64\Kefkme32.exe Kbhoqj32.exe File opened for modification C:\Windows\SysWOW64\Pgioqq32.exe Pcncpbmd.exe File created C:\Windows\SysWOW64\Qjoankoi.exe Qfcfml32.exe File created C:\Windows\SysWOW64\Aeiofcji.exe Aqncedbp.exe File created C:\Windows\SysWOW64\Ajfhnjhq.exe Aclpap32.exe File created C:\Windows\SysWOW64\Belebq32.exe Bapiabak.exe File opened for modification C:\Windows\SysWOW64\Ncianepl.exe Ndfqbhia.exe File opened for modification C:\Windows\SysWOW64\Mlhbal32.exe Menjdbgj.exe File created C:\Windows\SysWOW64\Ogbipa32.exe Oddmdf32.exe File created C:\Windows\SysWOW64\Panfqmhb.dll Pfhfan32.exe File created C:\Windows\SysWOW64\Dpqdba32.dll Bhikcb32.exe File created C:\Windows\SysWOW64\Bilonkon.dll Cdhhdlid.exe File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe Dhkjej32.exe File created C:\Windows\SysWOW64\Kimnbd32.exe Kfoafi32.exe File opened for modification C:\Windows\SysWOW64\Mdckfk32.exe Lphoelqn.exe File created C:\Windows\SysWOW64\Qciaajej.dll Qceiaa32.exe File created C:\Windows\SysWOW64\Ohmoom32.dll Dmjocp32.exe File created C:\Windows\SysWOW64\Fkgoikdb.dll Imdgqfbd.exe File created C:\Windows\SysWOW64\Dedkdcie.exe Dceohhja.exe File created C:\Windows\SysWOW64\Dogogcpo.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Fmfldb32.dll Chbnia32.exe File opened for modification C:\Windows\SysWOW64\Bdolhc32.exe Bemlmgnp.exe File opened for modification C:\Windows\SysWOW64\Kmkfhc32.exe Kedoge32.exe File opened for modification C:\Windows\SysWOW64\Lbmhlihl.exe Lpnlpnih.exe File created C:\Windows\SysWOW64\Pmoahijl.exe Pnlaml32.exe File created C:\Windows\SysWOW64\Acjjfggb.exe Qbimoo32.exe File opened for modification C:\Windows\SysWOW64\Nfgmjqop.exe Ngdmod32.exe File created C:\Windows\SysWOW64\Eelcja32.dll Edkdkplj.exe File created C:\Windows\SysWOW64\Hobkfd32.exe Hkfoeega.exe File created C:\Windows\SysWOW64\Bgempgqo.dll Baaplhef.exe File opened for modification C:\Windows\SysWOW64\Nlmllkja.exe Nnjlpo32.exe File created C:\Windows\SysWOW64\Mjpabk32.dll Qnhahj32.exe File created C:\Windows\SysWOW64\Djdmffnn.exe Dhfajjoj.exe File opened for modification C:\Windows\SysWOW64\Llcpoo32.exe Liddbc32.exe File created C:\Windows\SysWOW64\Cbeedbdm.dll Llcpoo32.exe File created C:\Windows\SysWOW64\Mgcail32.dll Calhnpgn.exe File created C:\Windows\SysWOW64\Gfngap32.exe Gcojed32.exe File created C:\Windows\SysWOW64\Papbpdoi.dll Qjoankoi.exe File created C:\Windows\SysWOW64\Aglemn32.exe Acqimo32.exe File created C:\Windows\SysWOW64\Ohfjnoma.dll Ippggbck.exe File created C:\Windows\SysWOW64\Bnhjohkb.exe Bjmnoi32.exe File created C:\Windows\SysWOW64\Bapiabak.exe Bmemac32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12580 12292 WerFault.exe 657 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llcpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdiooblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hledan32.dll" Kiidgeki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll" Jfcbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbfbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocpgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjhlml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll" Ngmgne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkmhlekj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhkhibmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Febgea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeaikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfeopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klljnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll" Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhmgki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anbkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll" Lljfpnjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lphoelqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll" Mdjagjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfkqkek.dll" Aelcfilb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlijfneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll" Medgncoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngbpidjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnqbanmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkdpj32.dll" Gcddpdpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfgjgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odapnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll" Pgioqq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhocqigp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pflplnlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmhl32.dll" Imoneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npcoakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qffbbldm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpbmco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmbmibhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfkaag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alhhhcal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" Daconoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fakdpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmgfda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll" Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aneonqmj.dll" Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcfhof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gododflk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icplcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kikame32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcjkaiib.dll" Alfkbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecandfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laapnj32.dll" Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehedfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhcpgmjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hckjacjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jimekgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcbihpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll" Jcioiood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lepncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meiaib32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1428 wrote to memory of 4632 1428 60191593678d820a2c5037d35494be00_NeikiAnalytics.exe 83 PID 1428 wrote to memory of 4632 1428 60191593678d820a2c5037d35494be00_NeikiAnalytics.exe 83 PID 1428 wrote to memory of 4632 1428 60191593678d820a2c5037d35494be00_NeikiAnalytics.exe 83 PID 4632 wrote to memory of 4104 4632 Qecppkdm.exe 84 PID 4632 wrote to memory of 4104 4632 Qecppkdm.exe 84 PID 4632 wrote to memory of 4104 4632 Qecppkdm.exe 84 PID 4104 wrote to memory of 1152 4104 Qkmhlekj.exe 85 PID 4104 wrote to memory of 1152 4104 Qkmhlekj.exe 85 PID 4104 wrote to memory of 1152 4104 Qkmhlekj.exe 85 PID 1152 wrote to memory of 1676 1152 Qnkdhpjn.exe 86 PID 1152 wrote to memory of 1676 1152 Qnkdhpjn.exe 86 PID 1152 wrote to memory of 1676 1152 Qnkdhpjn.exe 86 PID 1676 wrote to memory of 1528 1676 Qbimoo32.exe 87 PID 1676 wrote to memory of 1528 1676 Qbimoo32.exe 87 PID 1676 wrote to memory of 1528 1676 Qbimoo32.exe 87 PID 1528 wrote to memory of 2380 1528 Acjjfggb.exe 88 PID 1528 wrote to memory of 2380 1528 Acjjfggb.exe 88 PID 1528 wrote to memory of 2380 1528 Acjjfggb.exe 88 PID 2380 wrote to memory of 2104 2380 Aanjpk32.exe 89 PID 2380 wrote to memory of 2104 2380 Aanjpk32.exe 89 PID 2380 wrote to memory of 2104 2380 Aanjpk32.exe 89 PID 2104 wrote to memory of 1744 2104 Anbkio32.exe 90 PID 2104 wrote to memory of 1744 2104 Anbkio32.exe 90 PID 2104 wrote to memory of 1744 2104 Anbkio32.exe 90 PID 1744 wrote to memory of 1760 1744 Aelcfilb.exe 91 PID 1744 wrote to memory of 1760 1744 Aelcfilb.exe 91 PID 1744 wrote to memory of 1760 1744 Aelcfilb.exe 91 PID 1760 wrote to memory of 4048 1760 Alfkbc32.exe 92 PID 1760 wrote to memory of 4048 1760 Alfkbc32.exe 92 PID 1760 wrote to memory of 4048 1760 Alfkbc32.exe 92 PID 4048 wrote to memory of 692 4048 Aacckjaf.exe 93 PID 4048 wrote to memory of 692 4048 Aacckjaf.exe 93 PID 4048 wrote to memory of 692 4048 Aacckjaf.exe 93 PID 692 wrote to memory of 4056 692 Alhhhcal.exe 94 PID 692 wrote to memory of 4056 692 Alhhhcal.exe 94 PID 692 wrote to memory of 4056 692 Alhhhcal.exe 94 PID 4056 wrote to memory of 4124 4056 Aealah32.exe 95 PID 4056 wrote to memory of 4124 4056 Aealah32.exe 95 PID 4056 wrote to memory of 4124 4056 Aealah32.exe 95 PID 4124 wrote to memory of 1304 4124 Bahmfj32.exe 97 PID 4124 wrote to memory of 1304 4124 Bahmfj32.exe 97 PID 4124 wrote to memory of 1304 4124 Bahmfj32.exe 97 PID 1304 wrote to memory of 3352 1304 Blmacb32.exe 98 PID 1304 wrote to memory of 3352 1304 Blmacb32.exe 98 PID 1304 wrote to memory of 3352 1304 Blmacb32.exe 98 PID 3352 wrote to memory of 4864 3352 Beeflhdh.exe 99 PID 3352 wrote to memory of 4864 3352 Beeflhdh.exe 99 PID 3352 wrote to memory of 4864 3352 Beeflhdh.exe 99 PID 4864 wrote to memory of 768 4864 Behbag32.exe 100 PID 4864 wrote to memory of 768 4864 Behbag32.exe 100 PID 4864 wrote to memory of 768 4864 Behbag32.exe 100 PID 768 wrote to memory of 3260 768 Bjdkjo32.exe 101 PID 768 wrote to memory of 3260 768 Bjdkjo32.exe 101 PID 768 wrote to memory of 3260 768 Bjdkjo32.exe 101 PID 3260 wrote to memory of 2340 3260 Bopgjmhe.exe 102 PID 3260 wrote to memory of 2340 3260 Bopgjmhe.exe 102 PID 3260 wrote to memory of 2340 3260 Bopgjmhe.exe 102 PID 2340 wrote to memory of 2460 2340 Bhikcb32.exe 103 PID 2340 wrote to memory of 2460 2340 Bhikcb32.exe 103 PID 2340 wrote to memory of 2460 2340 Bhikcb32.exe 103 PID 2460 wrote to memory of 5060 2460 Bjghpn32.exe 104 PID 2460 wrote to memory of 5060 2460 Bjghpn32.exe 104 PID 2460 wrote to memory of 5060 2460 Bjghpn32.exe 104 PID 5060 wrote to memory of 3768 5060 Baaplhef.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\60191593678d820a2c5037d35494be00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\60191593678d820a2c5037d35494be00_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3768 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe24⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe26⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe27⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe28⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe30⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe34⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe35⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe36⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe37⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe38⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe39⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe40⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4648 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe42⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe44⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Ckpjfm32.exeC:\Windows\system32\Ckpjfm32.exe45⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe47⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe49⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe50⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe51⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe53⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe54⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe55⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe57⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe58⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe59⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe60⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe61⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe64⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe65⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe66⤵PID:3584
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe67⤵PID:1544
-
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe68⤵PID:4392
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe69⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe70⤵PID:2280
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe71⤵PID:4524
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe72⤵PID:3280
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe73⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe74⤵PID:4960
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe75⤵PID:4728
-
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe76⤵PID:2164
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe77⤵
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe78⤵PID:4644
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe79⤵PID:3288
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe80⤵PID:2740
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe81⤵PID:1036
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe82⤵PID:4916
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe83⤵PID:3756
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe84⤵PID:884
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe85⤵PID:1328
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe86⤵PID:4232
-
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe87⤵PID:3576
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe88⤵PID:2808
-
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe89⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe90⤵PID:2648
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe91⤵PID:232
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe92⤵PID:3176
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe94⤵PID:5148
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe95⤵
- Drops file in System32 directory
PID:5188 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe96⤵PID:5236
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe97⤵
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe98⤵PID:5320
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe99⤵PID:5364
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe100⤵PID:5412
-
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe101⤵PID:5448
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe102⤵
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe103⤵PID:5540
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe105⤵
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe106⤵PID:5668
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe107⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe108⤵PID:5744
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe109⤵PID:5792
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe110⤵PID:5836
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe111⤵
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe112⤵PID:5928
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe113⤵PID:5968
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe114⤵PID:6028
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe115⤵PID:6068
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe116⤵PID:6112
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe117⤵
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe118⤵
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe119⤵PID:5248
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe120⤵PID:5312
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe121⤵PID:5404
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-