Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
17/06/2024, 05:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52c0e685187d38c4c93e3a6f1ea10d30_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
52c0e685187d38c4c93e3a6f1ea10d30_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
52c0e685187d38c4c93e3a6f1ea10d30_NeikiAnalytics.exe
-
Size
208KB
-
MD5
52c0e685187d38c4c93e3a6f1ea10d30
-
SHA1
461ff5a533086676cc604ca19815952b83d296b7
-
SHA256
4b2de57dba4d2cf2d3dfe60db98e140a5a26deacdca8c68499a010c0be276d6b
-
SHA512
fa9ba8c4e3bf62b64ff5084c02923903df80f508418337bf91ca04a84bae515c0ac741e2f63d9a8438ba1c453baada90f1b14567ceb308a11f6c65b59e91b579
-
SSDEEP
6144:KbIhFQARFQtoLDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55KmC:KkzQU6TChtMtkM71r1MSXqPix55Kx
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qgehml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmdblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Feimadoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agckiqgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqdmghnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcdaehf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaiffii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhildae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjohi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgpplf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noaeqjpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfgjbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijfkpnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijjekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfmfefni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphqji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbqinm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lechkaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okiefn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pphckb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmngm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eppobi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjjbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcbidcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jocnlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkocol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkohchko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibmlc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdbmfhbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oloipmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qkcackeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbnbemf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epiaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chkobkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dggbcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijiopd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepleocn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqklkbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcibca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bflham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfedmfqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhopgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdqcenmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdokmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogjpld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglkoeio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cefoni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedbcebd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjakkmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhfcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kiikpnmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbhildae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpnde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdmcdhhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkcackeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqklkbbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpbkicl.exe -
Executes dropped EXE 64 IoCs
pid Process 2220 Ppjbmc32.exe 1868 Pmpolgoi.exe 664 Pdmdnadc.exe 2324 Qacameaj.exe 5068 Aaenbd32.exe 3304 Ahaceo32.exe 116 Apmhiq32.exe 852 Aaldccip.exe 1012 Baannc32.exe 652 Bdagpnbk.exe 1136 Bnlhncgi.exe 748 Boldhf32.exe 2764 Cammjakm.exe 4284 Cdmfllhn.exe 3600 Chkobkod.exe 1312 Cgqlcg32.exe 3624 Dkndie32.exe 4824 Dgeenfog.exe 1940 Dggbcf32.exe 1964 Dkekjdck.exe 4668 Dglkoeio.exe 4012 Eqgmmk32.exe 3532 Ekonpckp.exe 4256 Ebkbbmqj.exe 4716 Figgdg32.exe 4300 Fqeioiam.exe 4760 Feenjgfq.exe 4204 Giecfejd.exe 848 Hlmchoan.exe 1152 Hpkknmgd.exe 1712 Hbldphde.exe 4292 Ihkjno32.exe 1560 Ipdndloi.exe 2316 Ihpcinld.exe 2616 Ilnlom32.exe 2280 Jblmgf32.exe 1284 Jocnlg32.exe 2884 Joekag32.exe 2496 Jbccge32.exe 3512 Kedlip32.exe 2068 Klpakj32.exe 3432 Khgbqkhj.exe 2536 Kifojnol.exe 2132 Kiikpnmj.exe 3968 Lepleocn.exe 2160 Lafmjp32.exe 4016 Llnnmhfe.exe 4400 Lchfib32.exe 1192 Mcoljagj.exe 2076 Mpclce32.exe 1424 Mlljnf32.exe 796 Mjpjgj32.exe 3576 Njbgmjgl.exe 4868 Njedbjej.exe 4348 Noblkqca.exe 2636 Nijqcf32.exe 3400 Nmjfodne.exe 4952 Ocgkan32.exe 996 Oqklkbbi.exe 1600 Ockdmmoj.exe 2572 Pqbala32.exe 1504 Pmhbqbae.exe 3656 Piocecgj.exe 1904 Pfccogfc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bgeadjai.exe Bqkigp32.exe File created C:\Windows\SysWOW64\Nefmgogl.exe Nahdapae.exe File created C:\Windows\SysWOW64\Kinhljen.dll Cihjeq32.exe File created C:\Windows\SysWOW64\Hncbci32.dll Kcbkpj32.exe File created C:\Windows\SysWOW64\Ohobebig.exe Oaejhh32.exe File created C:\Windows\SysWOW64\Pljpbhin.dll Pdklebje.exe File opened for modification C:\Windows\SysWOW64\Klpakj32.exe Kedlip32.exe File created C:\Windows\SysWOW64\Enjfli32.exe Epffbd32.exe File created C:\Windows\SysWOW64\Jqofippg.exe Jjcqffkm.exe File created C:\Windows\SysWOW64\Fcdfimja.dll Ifleji32.exe File opened for modification C:\Windows\SysWOW64\Bqkigp32.exe Akopoi32.exe File created C:\Windows\SysWOW64\Dbdano32.exe Dilmeida.exe File created C:\Windows\SysWOW64\Ekonpckp.exe Eqgmmk32.exe File created C:\Windows\SysWOW64\Eemeqinf.dll Dcibca32.exe File opened for modification C:\Windows\SysWOW64\Nkjckkcg.exe Nbbnbemf.exe File created C:\Windows\SysWOW64\Mgnddp32.dll Cammjakm.exe File opened for modification C:\Windows\SysWOW64\Kbnlim32.exe Kdmlkfjb.exe File created C:\Windows\SysWOW64\Cjfclcpg.exe Cejjdlap.exe File created C:\Windows\SysWOW64\Ejfcjp32.dll Dlnlak32.exe File created C:\Windows\SysWOW64\Njedbjej.exe Njbgmjgl.exe File created C:\Windows\SysWOW64\Fiplni32.dll Cigkdmel.exe File created C:\Windows\SysWOW64\Plmamn32.dll Afdkfh32.exe File created C:\Windows\SysWOW64\Dlnlak32.exe Dpglmjoj.exe File created C:\Windows\SysWOW64\Acffllhk.dll Ppnenlka.exe File opened for modification C:\Windows\SysWOW64\Dcffnbee.exe Dkkaiphj.exe File created C:\Windows\SysWOW64\Adnilfnl.exe Aoapcood.exe File created C:\Windows\SysWOW64\Kncgmcgd.dll Oloipmfd.exe File created C:\Windows\SysWOW64\Dpkhci32.dll Fpckjlje.exe File created C:\Windows\SysWOW64\Lokldg32.exe Lechkaga.exe File created C:\Windows\SysWOW64\Hlmchoan.exe Giecfejd.exe File opened for modification C:\Windows\SysWOW64\Dkkaiphj.exe Cildom32.exe File created C:\Windows\SysWOW64\Fboecfii.exe Fkemfl32.exe File opened for modification C:\Windows\SysWOW64\Ifleji32.exe Ifihdi32.exe File created C:\Windows\SysWOW64\Pldnki32.dll Jjakkmpk.exe File created C:\Windows\SysWOW64\Oigcebdh.dll Cnlpgibd.exe File created C:\Windows\SysWOW64\Deokja32.exe Cihjeq32.exe File created C:\Windows\SysWOW64\Cpclaedf.dll Hcedmkmp.exe File created C:\Windows\SysWOW64\Bbeobhlp.exe Blkgen32.exe File created C:\Windows\SysWOW64\Fqeioiam.exe Figgdg32.exe File opened for modification C:\Windows\SysWOW64\Hlmchoan.exe Giecfejd.exe File opened for modification C:\Windows\SysWOW64\Ocgkan32.exe Nmjfodne.exe File created C:\Windows\SysWOW64\Dghadidj.exe Dlcmgqdd.exe File opened for modification C:\Windows\SysWOW64\Jakchf32.exe Jjakkmpk.exe File opened for modification C:\Windows\SysWOW64\Mdddhlbl.exe Mdokmm32.exe File created C:\Windows\SysWOW64\Nopkoobi.dll Deejpjgc.exe File created C:\Windows\SysWOW64\Ddmhhd32.exe Ddklbd32.exe File created C:\Windows\SysWOW64\Fcbnpnme.exe Fnffhgon.exe File created C:\Windows\SysWOW64\Mhconp32.dll Dlqpaafg.exe File created C:\Windows\SysWOW64\Bggknnmj.dll Oggbfdog.exe File created C:\Windows\SysWOW64\Hmpfjpko.dll Pgcbbc32.exe File created C:\Windows\SysWOW64\Nlaakbkm.dll Pjahchpb.exe File created C:\Windows\SysWOW64\Lmaedcfh.dll Bbmbgb32.exe File created C:\Windows\SysWOW64\Oenflo32.dll Pmoagk32.exe File created C:\Windows\SysWOW64\Alpnde32.exe Acdioc32.exe File created C:\Windows\SysWOW64\Blknpdho.exe Bfoegm32.exe File opened for modification C:\Windows\SysWOW64\Nglcjfie.exe Naokbokn.exe File created C:\Windows\SysWOW64\Ciofjflg.dll Adnilfnl.exe File created C:\Windows\SysWOW64\Hhcajd32.dll Limpiomm.exe File opened for modification C:\Windows\SysWOW64\Giecfejd.exe Feenjgfq.exe File opened for modification C:\Windows\SysWOW64\Enlcahgh.exe Ecgodpgb.exe File created C:\Windows\SysWOW64\Nkebee32.exe Nonbqd32.exe File created C:\Windows\SysWOW64\Laffpi32.exe Ldbefe32.exe File opened for modification C:\Windows\SysWOW64\Biiobo32.exe Bigbmpco.exe File created C:\Windows\SysWOW64\Pohqjpee.dll Hqmggi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1640 5368 WerFault.exe 527 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdopjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phbolflm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Deokja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeeaodnk.dll" Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiijfll.dll" Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmpjoloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlcmgqdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aoapcood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnblldi.dll" Giecfejd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdmcdhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjfdfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmefomdo.dll" Qajlje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joekag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bigbmpco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbhhieao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnckooob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpjompqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijfkpnji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odaiodbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cigcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcffnbee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fglnkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgjeppkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdqfa32.dll" Dbbdip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epffbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcifmdeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlkafdco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aoapcood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjghqbi.dll" Jmopmalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppehbl32.dll" Aqilaplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgmpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll" Epffbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll" Fglnkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlidpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Llpchaqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pkhhbbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlhaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phkaqqoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll" Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll" Llkjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpicmhfo.dll" Mdokmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijiopd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkkaiphj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Japmcfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phajblpj.dll" Fifomlap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdmmg32.dll" Omlkmign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmifkecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjlf32.dll" Gmdoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgjeppkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfcjp32.dll" Dlnlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gchflq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgjglg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bqkigp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocknbglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afnlpohj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okqbac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjcqffkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll" Nijqcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdngpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gheodg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aqfolqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Deejpjgc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4888 wrote to memory of 2220 4888 52c0e685187d38c4c93e3a6f1ea10d30_NeikiAnalytics.exe 91 PID 4888 wrote to memory of 2220 4888 52c0e685187d38c4c93e3a6f1ea10d30_NeikiAnalytics.exe 91 PID 4888 wrote to memory of 2220 4888 52c0e685187d38c4c93e3a6f1ea10d30_NeikiAnalytics.exe 91 PID 2220 wrote to memory of 1868 2220 Ppjbmc32.exe 92 PID 2220 wrote to memory of 1868 2220 Ppjbmc32.exe 92 PID 2220 wrote to memory of 1868 2220 Ppjbmc32.exe 92 PID 1868 wrote to memory of 664 1868 Pmpolgoi.exe 93 PID 1868 wrote to memory of 664 1868 Pmpolgoi.exe 93 PID 1868 wrote to memory of 664 1868 Pmpolgoi.exe 93 PID 664 wrote to memory of 2324 664 Pdmdnadc.exe 94 PID 664 wrote to memory of 2324 664 Pdmdnadc.exe 94 PID 664 wrote to memory of 2324 664 Pdmdnadc.exe 94 PID 2324 wrote to memory of 5068 2324 Qacameaj.exe 95 PID 2324 wrote to memory of 5068 2324 Qacameaj.exe 95 PID 2324 wrote to memory of 5068 2324 Qacameaj.exe 95 PID 5068 wrote to memory of 3304 5068 Aaenbd32.exe 96 PID 5068 wrote to memory of 3304 5068 Aaenbd32.exe 96 PID 5068 wrote to memory of 3304 5068 Aaenbd32.exe 96 PID 3304 wrote to memory of 116 3304 Ahaceo32.exe 97 PID 3304 wrote to memory of 116 3304 Ahaceo32.exe 97 PID 3304 wrote to memory of 116 3304 Ahaceo32.exe 97 PID 116 wrote to memory of 852 116 Apmhiq32.exe 98 PID 116 wrote to memory of 852 116 Apmhiq32.exe 98 PID 116 wrote to memory of 852 116 Apmhiq32.exe 98 PID 852 wrote to memory of 1012 852 Aaldccip.exe 99 PID 852 wrote to memory of 1012 852 Aaldccip.exe 99 PID 852 wrote to memory of 1012 852 Aaldccip.exe 99 PID 1012 wrote to memory of 652 1012 Baannc32.exe 100 PID 1012 wrote to memory of 652 1012 Baannc32.exe 100 PID 1012 wrote to memory of 652 1012 Baannc32.exe 100 PID 652 wrote to memory of 1136 652 Bdagpnbk.exe 101 PID 652 wrote to memory of 1136 652 Bdagpnbk.exe 101 PID 652 wrote to memory of 1136 652 Bdagpnbk.exe 101 PID 1136 wrote to memory of 748 1136 Bnlhncgi.exe 102 PID 1136 wrote to memory of 748 1136 Bnlhncgi.exe 102 PID 1136 wrote to memory of 748 1136 Bnlhncgi.exe 102 PID 748 wrote to memory of 2764 748 Boldhf32.exe 103 PID 748 wrote to memory of 2764 748 Boldhf32.exe 103 PID 748 wrote to memory of 2764 748 Boldhf32.exe 103 PID 2764 wrote to memory of 4284 2764 Cammjakm.exe 104 PID 2764 wrote to memory of 4284 2764 Cammjakm.exe 104 PID 2764 wrote to memory of 4284 2764 Cammjakm.exe 104 PID 4284 wrote to memory of 3600 4284 Cdmfllhn.exe 105 PID 4284 wrote to memory of 3600 4284 Cdmfllhn.exe 105 PID 4284 wrote to memory of 3600 4284 Cdmfllhn.exe 105 PID 3600 wrote to memory of 1312 3600 Chkobkod.exe 106 PID 3600 wrote to memory of 1312 3600 Chkobkod.exe 106 PID 3600 wrote to memory of 1312 3600 Chkobkod.exe 106 PID 1312 wrote to memory of 3624 1312 Cgqlcg32.exe 107 PID 1312 wrote to memory of 3624 1312 Cgqlcg32.exe 107 PID 1312 wrote to memory of 3624 1312 Cgqlcg32.exe 107 PID 3624 wrote to memory of 4824 3624 Dkndie32.exe 108 PID 3624 wrote to memory of 4824 3624 Dkndie32.exe 108 PID 3624 wrote to memory of 4824 3624 Dkndie32.exe 108 PID 4824 wrote to memory of 1940 4824 Dgeenfog.exe 109 PID 4824 wrote to memory of 1940 4824 Dgeenfog.exe 109 PID 4824 wrote to memory of 1940 4824 Dgeenfog.exe 109 PID 1940 wrote to memory of 1964 1940 Dggbcf32.exe 110 PID 1940 wrote to memory of 1964 1940 Dggbcf32.exe 110 PID 1940 wrote to memory of 1964 1940 Dggbcf32.exe 110 PID 1964 wrote to memory of 4668 1964 Dkekjdck.exe 111 PID 1964 wrote to memory of 4668 1964 Dkekjdck.exe 111 PID 1964 wrote to memory of 4668 1964 Dkekjdck.exe 111 PID 4668 wrote to memory of 4012 4668 Dglkoeio.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\52c0e685187d38c4c93e3a6f1ea10d30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\52c0e685187d38c4c93e3a6f1ea10d30_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Ppjbmc32.exeC:\Windows\system32\Ppjbmc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Pmpolgoi.exeC:\Windows\system32\Pmpolgoi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Apmhiq32.exeC:\Windows\system32\Apmhiq32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Bnlhncgi.exeC:\Windows\system32\Bnlhncgi.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Boldhf32.exeC:\Windows\system32\Boldhf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Chkobkod.exeC:\Windows\system32\Chkobkod.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Cgqlcg32.exeC:\Windows\system32\Cgqlcg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Dkekjdck.exeC:\Windows\system32\Dkekjdck.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Eqgmmk32.exeC:\Windows\system32\Eqgmmk32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4012 -
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe24⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe25⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4716 -
C:\Windows\SysWOW64\Fqeioiam.exeC:\Windows\system32\Fqeioiam.exe27⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Feenjgfq.exeC:\Windows\system32\Feenjgfq.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4760 -
C:\Windows\SysWOW64\Giecfejd.exeC:\Windows\system32\Giecfejd.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4204 -
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe30⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe31⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Hbldphde.exeC:\Windows\system32\Hbldphde.exe32⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe33⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Ipdndloi.exeC:\Windows\system32\Ipdndloi.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Ihpcinld.exeC:\Windows\system32\Ihpcinld.exe35⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe36⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Jblmgf32.exeC:\Windows\system32\Jblmgf32.exe37⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Joekag32.exeC:\Windows\system32\Joekag32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe40⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Kedlip32.exeC:\Windows\system32\Kedlip32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3512 -
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe42⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Khgbqkhj.exeC:\Windows\system32\Khgbqkhj.exe43⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe44⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Kiikpnmj.exeC:\Windows\system32\Kiikpnmj.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Lepleocn.exeC:\Windows\system32\Lepleocn.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe48⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Lchfib32.exeC:\Windows\system32\Lchfib32.exe49⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe50⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Mpclce32.exeC:\Windows\system32\Mpclce32.exe51⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mlljnf32.exeC:\Windows\system32\Mlljnf32.exe52⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Mjpjgj32.exeC:\Windows\system32\Mjpjgj32.exe53⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Njbgmjgl.exeC:\Windows\system32\Njbgmjgl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4868 -
C:\Windows\SysWOW64\Noblkqca.exeC:\Windows\system32\Noblkqca.exe56⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Nijqcf32.exeC:\Windows\system32\Nijqcf32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3400 -
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe59⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Oqklkbbi.exeC:\Windows\system32\Oqklkbbi.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Ockdmmoj.exeC:\Windows\system32\Ockdmmoj.exe61⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Pqbala32.exeC:\Windows\system32\Pqbala32.exe62⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Pmhbqbae.exeC:\Windows\system32\Pmhbqbae.exe63⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe64⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ppnenlka.exeC:\Windows\system32\Ppnenlka.exe66⤵
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Qamago32.exeC:\Windows\system32\Qamago32.exe67⤵PID:2340
-
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe68⤵PID:3300
-
C:\Windows\SysWOW64\Qmdblp32.exeC:\Windows\system32\Qmdblp32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Qfmfefni.exeC:\Windows\system32\Qfmfefni.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3124 -
C:\Windows\SysWOW64\Apeknk32.exeC:\Windows\system32\Apeknk32.exe71⤵PID:1484
-
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe72⤵PID:3876
-
C:\Windows\SysWOW64\Apggckbf.exeC:\Windows\system32\Apggckbf.exe73⤵PID:1848
-
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe74⤵PID:1028
-
C:\Windows\SysWOW64\Adepji32.exeC:\Windows\system32\Adepji32.exe75⤵PID:5128
-
C:\Windows\SysWOW64\Aibibp32.exeC:\Windows\system32\Aibibp32.exe76⤵PID:5192
-
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe77⤵PID:5260
-
C:\Windows\SysWOW64\Aidehpea.exeC:\Windows\system32\Aidehpea.exe78⤵PID:5316
-
C:\Windows\SysWOW64\Apnndj32.exeC:\Windows\system32\Apnndj32.exe79⤵PID:5364
-
C:\Windows\SysWOW64\Bigbmpco.exeC:\Windows\system32\Bigbmpco.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Biiobo32.exeC:\Windows\system32\Biiobo32.exe81⤵PID:5456
-
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe82⤵PID:5500
-
C:\Windows\SysWOW64\Bjhkmbho.exeC:\Windows\system32\Bjhkmbho.exe83⤵PID:5548
-
C:\Windows\SysWOW64\Bdapehop.exeC:\Windows\system32\Bdapehop.exe84⤵PID:5584
-
C:\Windows\SysWOW64\Bphqji32.exeC:\Windows\system32\Bphqji32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5652 -
C:\Windows\SysWOW64\Bipecnkd.exeC:\Windows\system32\Bipecnkd.exe86⤵PID:5696
-
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5740 -
C:\Windows\SysWOW64\Cbkfbcpb.exeC:\Windows\system32\Cbkfbcpb.exe88⤵PID:5784
-
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe89⤵
- Modifies registry class
PID:5828 -
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe90⤵
- Drops file in System32 directory
PID:5872 -
C:\Windows\SysWOW64\Ciihjmcj.exeC:\Windows\system32\Ciihjmcj.exe91⤵PID:5916
-
C:\Windows\SysWOW64\Cildom32.exeC:\Windows\system32\Cildom32.exe92⤵
- Drops file in System32 directory
PID:5964 -
C:\Windows\SysWOW64\Dkkaiphj.exeC:\Windows\system32\Dkkaiphj.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Dcffnbee.exeC:\Windows\system32\Dcffnbee.exe94⤵
- Modifies registry class
PID:6052 -
C:\Windows\SysWOW64\Dcibca32.exeC:\Windows\system32\Dcibca32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6096 -
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe96⤵PID:6140
-
C:\Windows\SysWOW64\Dggkipii.exeC:\Windows\system32\Dggkipii.exe97⤵PID:5188
-
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe98⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Ddmhhd32.exeC:\Windows\system32\Ddmhhd32.exe99⤵PID:5420
-
C:\Windows\SysWOW64\Enemaimp.exeC:\Windows\system32\Enemaimp.exe100⤵PID:5488
-
C:\Windows\SysWOW64\Ekimjn32.exeC:\Windows\system32\Ekimjn32.exe101⤵PID:5572
-
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Enjfli32.exeC:\Windows\system32\Enjfli32.exe103⤵PID:5716
-
C:\Windows\SysWOW64\Ecgodpgb.exeC:\Windows\system32\Ecgodpgb.exe104⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe105⤵PID:5864
-
C:\Windows\SysWOW64\Eajlhg32.exeC:\Windows\system32\Eajlhg32.exe106⤵PID:5928
-
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe107⤵PID:6016
-
C:\Windows\SysWOW64\Fdkdibjp.exeC:\Windows\system32\Fdkdibjp.exe108⤵PID:6108
-
C:\Windows\SysWOW64\Fkemfl32.exeC:\Windows\system32\Fkemfl32.exe109⤵
- Drops file in System32 directory
PID:5216 -
C:\Windows\SysWOW64\Fboecfii.exeC:\Windows\system32\Fboecfii.exe110⤵PID:5396
-
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe111⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe112⤵
- Drops file in System32 directory
PID:5692 -
C:\Windows\SysWOW64\Fcbnpnme.exeC:\Windows\system32\Fcbnpnme.exe113⤵PID:5764
-
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe114⤵PID:5856
-
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe115⤵PID:6000
-
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe116⤵
- Modifies registry class
PID:4272 -
C:\Windows\SysWOW64\Gbkdod32.exeC:\Windows\system32\Gbkdod32.exe117⤵PID:5360
-
C:\Windows\SysWOW64\Gkcigjel.exeC:\Windows\system32\Gkcigjel.exe118⤵PID:5568
-
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe119⤵PID:5776
-
C:\Windows\SysWOW64\Gglfbkin.exeC:\Windows\system32\Gglfbkin.exe120⤵PID:5924
-
C:\Windows\SysWOW64\Hepgkohh.exeC:\Windows\system32\Hepgkohh.exe121⤵PID:5020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-