Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
133s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
28/06/2024, 06:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe
-
Size
96KB
-
MD5
28b698e04eb66557a7883911237505a0
-
SHA1
f72ee0ced68c42f26bfa436623007e9fd5a86db7
-
SHA256
892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5
-
SHA512
485d5ed8f297fde6bbf766bb5ae514adb5f1334658c632b9145a2d396477f98ce392a21bfef1e8530dfbe9202d195fea671b9336b0cd0dc48e6346405eb30304
-
SSDEEP
1536:QmWy2uAAPdLtv9O2lShbrAet/UkUfvVHLpTKK26+GzQAwkkaAjWbjtKBvU:K+VzOZtMhfvtL7wkkVwtCU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdeoemeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blmacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fooeif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melnob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfoeega.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbmka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deoaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkoggkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edbklofb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceehho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekacmjgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glebhjlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkadgpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbdjfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgqeappe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gokdeeec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdmod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chagok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agffge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnpppkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chjaol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aldomc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdlnbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjmdigk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjlpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffimfqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeidoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqfbaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ippggbck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqdqof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abngjnmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibnccmbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpaifalo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqihnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deagdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfbaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogljjiei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbgim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflplnlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aminee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcebhoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beglgani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeopki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfonc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhbgqohi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqkdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ambgef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippggbck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chcddk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pengdk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2976 Mnapdf32.exe 3616 Mdkhapfj.exe 1376 Mcnhmm32.exe 5092 Mkepnjng.exe 776 Maohkd32.exe 4320 Mpaifalo.exe 2852 Mglack32.exe 1624 Mjjmog32.exe 2700 Maaepd32.exe 1336 Mdpalp32.exe 1940 Mgnnhk32.exe 3564 Nnhfee32.exe 3284 Nqfbaq32.exe 5080 Nceonl32.exe 4916 Njogjfoj.exe 4928 Nqiogp32.exe 2548 Ncgkcl32.exe 964 Ngcgcjnc.exe 4960 Nbhkac32.exe 3688 Ndghmo32.exe 4400 Ngedij32.exe 3432 Nnolfdcn.exe 4736 Ndidbn32.exe 3988 Nggqoj32.exe 2452 Nnaikd32.exe 4028 Ndkahnhh.exe 4128 Ogjmdigk.exe 2536 Ondeac32.exe 376 Oqbamo32.exe 372 Ogljjiei.exe 4312 Ojjffddl.exe 4316 Oqdoboli.exe 3940 Odpjcm32.exe 980 Ogogoi32.exe 784 Onholckc.exe 4940 Odbgim32.exe 1080 Ogaceh32.exe 1088 Onklabip.exe 3132 Oqihnn32.exe 4808 Odednmpm.exe 232 Okolkg32.exe 4704 Ojalgcnd.exe 968 Onmhgb32.exe 4920 Oqkdcn32.exe 1132 Pgemphmn.exe 2860 Pkaiqf32.exe 2408 Pbkamqmd.exe 3824 Pqnaim32.exe 1456 Pclneicb.exe 5032 Pjffbc32.exe 2040 Pqpnombl.exe 1536 Pcojkhap.exe 4108 Pgjfkg32.exe 3076 Pjhbgb32.exe 4324 Pbpjhp32.exe 2944 Pengdk32.exe 4284 Pkhoae32.exe 4716 Pbbgnpgl.exe 2468 Pcccfh32.exe 3728 Pkjlge32.exe 4352 Pjmlbbdg.exe 2356 Pbddcoei.exe 2352 Qecppkdm.exe 1872 Qcepkg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mjhmqf32.dll Hmhhehlb.exe File opened for modification C:\Windows\SysWOW64\Ojaelm32.exe Ogbipa32.exe File created C:\Windows\SysWOW64\Mgcail32.dll Cmqmma32.exe File created C:\Windows\SysWOW64\Dekhneap.exe Dbllbibl.exe File created C:\Windows\SysWOW64\Bbnpqk32.exe Bjghpn32.exe File created C:\Windows\SysWOW64\Npfhbbpk.dll Ddmhja32.exe File opened for modification C:\Windows\SysWOW64\Gcagkdba.exe Gkkojgao.exe File created C:\Windows\SysWOW64\Pacghh32.dll Iemppiab.exe File created C:\Windows\SysWOW64\Ejnjpohk.dll Kimnbd32.exe File opened for modification C:\Windows\SysWOW64\Aepefb32.exe Aminee32.exe File created C:\Windows\SysWOW64\Okgoadbf.dll Cjbpaf32.exe File created C:\Windows\SysWOW64\Mgnnhk32.exe Mdpalp32.exe File opened for modification C:\Windows\SysWOW64\Bhkhibmc.exe Bdolhc32.exe File created C:\Windows\SysWOW64\Gbmgladp.dll Njnpppkn.exe File opened for modification C:\Windows\SysWOW64\Bfkedibe.exe Bhhdil32.exe File created C:\Windows\SysWOW64\Dmjocp32.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Pkjlge32.exe Pcccfh32.exe File created C:\Windows\SysWOW64\Elhcgeja.dll Gcimkc32.exe File created C:\Windows\SysWOW64\Kdeoemeg.exe Kmkfhc32.exe File created C:\Windows\SysWOW64\Oomibind.dll Pmdkch32.exe File created C:\Windows\SysWOW64\Ffpmlcim.dll Cjpckf32.exe File created C:\Windows\SysWOW64\Pbbgnpgl.exe Pkhoae32.exe File created C:\Windows\SysWOW64\Fnelfilp.dll Maohkd32.exe File created C:\Windows\SysWOW64\Nnolfdcn.exe Ngedij32.exe File created C:\Windows\SysWOW64\Ohjgdmkj.dll Fkffog32.exe File opened for modification C:\Windows\SysWOW64\Kepelfam.exe Kdnidn32.exe File created C:\Windows\SysWOW64\Mdmnlj32.exe Mlefklpj.exe File created C:\Windows\SysWOW64\Pjjhbl32.exe Pgllfp32.exe File created C:\Windows\SysWOW64\Ffcnippo.dll Aeklkchg.exe File created C:\Windows\SysWOW64\Maohkd32.exe Mkepnjng.exe File created C:\Windows\SysWOW64\Pldhcm32.dll Iefioj32.exe File created C:\Windows\SysWOW64\Jcefno32.exe Jlnnmb32.exe File created C:\Windows\SysWOW64\Bdkcmdhp.exe Bbifelba.exe File opened for modification C:\Windows\SysWOW64\Anbkio32.exe Aldomc32.exe File created C:\Windows\SysWOW64\Bbifelba.exe Bjbndobo.exe File created C:\Windows\SysWOW64\Cbjoljdo.exe Ckcgkldl.exe File created C:\Windows\SysWOW64\Gfpggnan.dll Echknh32.exe File opened for modification C:\Windows\SysWOW64\Jmpgldhg.exe Jehokgge.exe File created C:\Windows\SysWOW64\Klqmnp32.dll Pkjlge32.exe File opened for modification C:\Windows\SysWOW64\Flnlhk32.exe Faihkbci.exe File created C:\Windows\SysWOW64\Hmenjlfh.dll Hbpgbo32.exe File created C:\Windows\SysWOW64\Qgppolie.dll Ojaelm32.exe File created C:\Windows\SysWOW64\Beglgani.exe Bmpcfdmg.exe File created C:\Windows\SysWOW64\Ngedij32.exe Ndghmo32.exe File created C:\Windows\SysWOW64\Ldjicq32.dll Gfbploob.exe File created C:\Windows\SysWOW64\Mnjgghdi.dll Aeniabfd.exe File opened for modification C:\Windows\SysWOW64\Bcebhoii.exe Bagflcje.exe File created C:\Windows\SysWOW64\Bgcknmop.exe Beeoaapl.exe File created C:\Windows\SysWOW64\Pkajcp32.dll Pjhbgb32.exe File created C:\Windows\SysWOW64\Hflcbngh.exe Hbpgbo32.exe File opened for modification C:\Windows\SysWOW64\Njnpppkn.exe Ncdgcf32.exe File opened for modification C:\Windows\SysWOW64\Chmndlge.exe Cdabcm32.exe File opened for modification C:\Windows\SysWOW64\Cjpckf32.exe Chagok32.exe File created C:\Windows\SysWOW64\Fdmlkkap.dll Pbddcoei.exe File created C:\Windows\SysWOW64\Chmeobkq.exe Ceoibflm.exe File created C:\Windows\SysWOW64\Oapgek32.dll Cbjoljdo.exe File created C:\Windows\SysWOW64\Iifokh32.exe Ifgbnlmj.exe File opened for modification C:\Windows\SysWOW64\Jcefno32.exe Jlnnmb32.exe File created C:\Windows\SysWOW64\Ojaelm32.exe Ogbipa32.exe File created C:\Windows\SysWOW64\Pmgmnjcj.dll Bfdodjhm.exe File created C:\Windows\SysWOW64\Chcddk32.exe Ceehho32.exe File opened for modification C:\Windows\SysWOW64\Bblckl32.exe Bjdkjo32.exe File created C:\Windows\SysWOW64\Gfpcgpae.exe Gcagkdba.exe File created C:\Windows\SysWOW64\Lbkdpj32.dll Gohhpe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10424 10656 WerFault.exe 540 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbeqmoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbjcolha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdpmpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Chjaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjjmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndkahnhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gohhpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibnccmbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" Bmpcfdmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll" 892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klohnjkj.dll" Qjbena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpflfc32.dll" Anpncp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eefhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gokdeeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aglemn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onmhgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deokon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaepqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Echknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncdgcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nggqoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beglgani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imoneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiqbfn32.dll" Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnobj32.dll" Alfkbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajkhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkgqfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fooeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipeomnnj.dll" Ffimfqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhmqf32.dll" Hmhhehlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfaedkdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alfkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll" Mgagbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nphhmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qddfkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmmjgejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phfkqkek.dll" Ahkobekf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dammlf32.dll" Hijooifk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mipcob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll" Onjegled.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnbmefbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nceonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapgek32.dll" Cbjoljdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cogmkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqfbaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbbmhgf.dll" Bdkcmdhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imfdff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Melnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdcbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll" Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keblci32.dll" Ipknlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmkog32.dll" Ecmeig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehedfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjljbfog.dll" Fhemmlhc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1148 wrote to memory of 2976 1148 892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe 83 PID 1148 wrote to memory of 2976 1148 892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe 83 PID 1148 wrote to memory of 2976 1148 892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe 83 PID 2976 wrote to memory of 3616 2976 Mnapdf32.exe 84 PID 2976 wrote to memory of 3616 2976 Mnapdf32.exe 84 PID 2976 wrote to memory of 3616 2976 Mnapdf32.exe 84 PID 3616 wrote to memory of 1376 3616 Mdkhapfj.exe 85 PID 3616 wrote to memory of 1376 3616 Mdkhapfj.exe 85 PID 3616 wrote to memory of 1376 3616 Mdkhapfj.exe 85 PID 1376 wrote to memory of 5092 1376 Mcnhmm32.exe 86 PID 1376 wrote to memory of 5092 1376 Mcnhmm32.exe 86 PID 1376 wrote to memory of 5092 1376 Mcnhmm32.exe 86 PID 5092 wrote to memory of 776 5092 Mkepnjng.exe 87 PID 5092 wrote to memory of 776 5092 Mkepnjng.exe 87 PID 5092 wrote to memory of 776 5092 Mkepnjng.exe 87 PID 776 wrote to memory of 4320 776 Maohkd32.exe 88 PID 776 wrote to memory of 4320 776 Maohkd32.exe 88 PID 776 wrote to memory of 4320 776 Maohkd32.exe 88 PID 4320 wrote to memory of 2852 4320 Mpaifalo.exe 89 PID 4320 wrote to memory of 2852 4320 Mpaifalo.exe 89 PID 4320 wrote to memory of 2852 4320 Mpaifalo.exe 89 PID 2852 wrote to memory of 1624 2852 Mglack32.exe 90 PID 2852 wrote to memory of 1624 2852 Mglack32.exe 90 PID 2852 wrote to memory of 1624 2852 Mglack32.exe 90 PID 1624 wrote to memory of 2700 1624 Mjjmog32.exe 91 PID 1624 wrote to memory of 2700 1624 Mjjmog32.exe 91 PID 1624 wrote to memory of 2700 1624 Mjjmog32.exe 91 PID 2700 wrote to memory of 1336 2700 Maaepd32.exe 92 PID 2700 wrote to memory of 1336 2700 Maaepd32.exe 92 PID 2700 wrote to memory of 1336 2700 Maaepd32.exe 92 PID 1336 wrote to memory of 1940 1336 Mdpalp32.exe 93 PID 1336 wrote to memory of 1940 1336 Mdpalp32.exe 93 PID 1336 wrote to memory of 1940 1336 Mdpalp32.exe 93 PID 1940 wrote to memory of 3564 1940 Mgnnhk32.exe 94 PID 1940 wrote to memory of 3564 1940 Mgnnhk32.exe 94 PID 1940 wrote to memory of 3564 1940 Mgnnhk32.exe 94 PID 3564 wrote to memory of 3284 3564 Nnhfee32.exe 95 PID 3564 wrote to memory of 3284 3564 Nnhfee32.exe 95 PID 3564 wrote to memory of 3284 3564 Nnhfee32.exe 95 PID 3284 wrote to memory of 5080 3284 Nqfbaq32.exe 96 PID 3284 wrote to memory of 5080 3284 Nqfbaq32.exe 96 PID 3284 wrote to memory of 5080 3284 Nqfbaq32.exe 96 PID 5080 wrote to memory of 4916 5080 Nceonl32.exe 97 PID 5080 wrote to memory of 4916 5080 Nceonl32.exe 97 PID 5080 wrote to memory of 4916 5080 Nceonl32.exe 97 PID 4916 wrote to memory of 4928 4916 Njogjfoj.exe 98 PID 4916 wrote to memory of 4928 4916 Njogjfoj.exe 98 PID 4916 wrote to memory of 4928 4916 Njogjfoj.exe 98 PID 4928 wrote to memory of 2548 4928 Nqiogp32.exe 99 PID 4928 wrote to memory of 2548 4928 Nqiogp32.exe 99 PID 4928 wrote to memory of 2548 4928 Nqiogp32.exe 99 PID 2548 wrote to memory of 964 2548 Ncgkcl32.exe 100 PID 2548 wrote to memory of 964 2548 Ncgkcl32.exe 100 PID 2548 wrote to memory of 964 2548 Ncgkcl32.exe 100 PID 964 wrote to memory of 4960 964 Ngcgcjnc.exe 101 PID 964 wrote to memory of 4960 964 Ngcgcjnc.exe 101 PID 964 wrote to memory of 4960 964 Ngcgcjnc.exe 101 PID 4960 wrote to memory of 3688 4960 Nbhkac32.exe 102 PID 4960 wrote to memory of 3688 4960 Nbhkac32.exe 102 PID 4960 wrote to memory of 3688 4960 Nbhkac32.exe 102 PID 3688 wrote to memory of 4400 3688 Ndghmo32.exe 104 PID 3688 wrote to memory of 4400 3688 Ndghmo32.exe 104 PID 3688 wrote to memory of 4400 3688 Ndghmo32.exe 104 PID 4400 wrote to memory of 3432 4400 Ngedij32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\892ea8bf695e9473c1de09dd1dec7c63e99ecf014d2c7b66d41fa11fde8084b5_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe23⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe24⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3988 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe26⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe29⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe30⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe32⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe33⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe34⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe35⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe36⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe38⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe41⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe42⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe43⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe46⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe47⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe48⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe49⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe50⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe51⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe52⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe53⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe54⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3076 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe56⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4284 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe59⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3728 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe62⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe64⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe65⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe66⤵PID:5012
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe67⤵PID:4432
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe68⤵PID:4728
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe69⤵PID:3120
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe70⤵PID:1860
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe71⤵
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe72⤵PID:3384
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe73⤵PID:1000
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4800 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe75⤵
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe76⤵
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe77⤵PID:1356
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe78⤵PID:4376
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5016 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe80⤵PID:1256
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3820 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe82⤵PID:2188
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe83⤵PID:1640
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe84⤵
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe85⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe86⤵PID:4616
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe87⤵PID:3464
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4556 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe89⤵PID:3544
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe90⤵
- Modifies registry class
PID:408 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe91⤵PID:4112
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe92⤵
- Modifies registry class
PID:3304 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe93⤵PID:3012
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe94⤵PID:5132
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe95⤵PID:5176
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe96⤵PID:5216
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe97⤵PID:5264
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe98⤵PID:5308
-
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe99⤵PID:5352
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5400 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe101⤵PID:5452
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe102⤵PID:5496
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe103⤵PID:5528
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe104⤵
- Drops file in System32 directory
PID:5576 -
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe105⤵
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe106⤵
- Modifies registry class
PID:5672 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5720 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe108⤵
- Drops file in System32 directory
PID:5764 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe109⤵PID:5812
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe110⤵PID:5852
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe111⤵PID:5904
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe112⤵
- Drops file in System32 directory
PID:5968 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe113⤵PID:6024
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe114⤵PID:6064
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe115⤵
- Drops file in System32 directory
PID:6108 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe116⤵PID:3380
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe117⤵PID:5200
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe118⤵PID:5300
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe119⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe120⤵PID:5436
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe121⤵PID:5504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-