Analysis
-
max time kernel
95s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 22:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
15520a71c88add902f005b60ca74e1a0_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
15520a71c88add902f005b60ca74e1a0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
15520a71c88add902f005b60ca74e1a0_NeikiAnalytics.exe
-
Size
120KB
-
MD5
15520a71c88add902f005b60ca74e1a0
-
SHA1
5078357a5f2d57c086c0c853e8d1488166f6320a
-
SHA256
5160a97973af329230b1d451683f720d1b10482f3c0b425730d0a2f4467e1719
-
SHA512
b3260c518dbd7dd5a94d065c07629d47c61394b2eaf25b0c6550aff986948479c867e7be644c85562e0f0bb83e980c864f1381b6e2a74f8b9e7f09c490d0de5e
-
SSDEEP
3072:4EV2zZB5o3eX203H/6TC+qF1SsB1bw4AVRrd9:4WQouX9C81NBy9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdjchgn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agiamhdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbknfed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjkjpgfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Joffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojnblg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmmjbkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egijmegb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngaionfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diicml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiegl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcnmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nloiakho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgldfio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfodbqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dinmhkke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgiepjga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Himldi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpikkge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccchof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajiknpjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oondnini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edhakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnhghcki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmqmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knlleepl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmcolgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmnaakne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cabomkll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhifjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjjahe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhakoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpebpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfdhkhjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kebbafoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpnlpnih.exe -
Executes dropped EXE 64 IoCs
pid Process 2332 Hboagf32.exe 2344 Hihicplj.exe 4196 Hmdedo32.exe 3964 Hpbaqj32.exe 796 Hcnnaikp.exe 4896 Hmfbjnbp.exe 2964 Hfofbd32.exe 3552 Hmioonpn.exe 3972 Hccglh32.exe 3352 Hjmoibog.exe 2292 Hcedaheh.exe 1732 Hjolnb32.exe 3688 Haidklda.exe 1116 Ibjqcd32.exe 2972 Iidipnal.exe 2956 Iakaql32.exe 624 Ibmmhdhm.exe 3616 Iiffen32.exe 4760 Ipqnahgf.exe 4404 Ibojncfj.exe 3808 Ipckgh32.exe 3768 Idofhfmm.exe 4344 Iikopmkd.exe 1948 Ipegmg32.exe 4784 Ibccic32.exe 5008 Jaedgjjd.exe 1264 Jfaloa32.exe 556 Jiphkm32.exe 1504 Jfdida32.exe 3012 Jmnaakne.exe 4384 Jdhine32.exe 4152 Jbkjjblm.exe 2492 Jaljgidl.exe 3576 Jpojcf32.exe 2868 Jfhbppbc.exe 436 Jmbklj32.exe 612 Jpaghf32.exe 4080 Jdmcidam.exe 3980 Jkfkfohj.exe 1036 Jiikak32.exe 2204 Kbapjafe.exe 2608 Kgmlkp32.exe 2068 Kilhgk32.exe 3596 Kacphh32.exe 1964 Kdaldd32.exe 1416 Kgphpo32.exe 1568 Kkkdan32.exe 1780 Kaemnhla.exe 3748 Kdcijcke.exe 3932 Kknafn32.exe 2372 Kagichjo.exe 2504 Kcifkp32.exe 1088 Kkpnlm32.exe 3272 Kajfig32.exe 2560 Kdhbec32.exe 3944 Kgfoan32.exe 4920 Lgikfn32.exe 4572 Lmccchkn.exe 3192 Lpappc32.exe 4656 Lgkhlnbn.exe 3684 Lnepih32.exe 1716 Lpcmec32.exe 1268 Lgneampk.exe 2064 Lnhmng32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe Cjbpaf32.exe File opened for modification C:\Windows\SysWOW64\Nmfcok32.exe Process not Found File created C:\Windows\SysWOW64\Ojmcld32.exe Ogogoi32.exe File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe Bcebhoii.exe File created C:\Windows\SysWOW64\Ckclhn32.exe Process not Found File created C:\Windows\SysWOW64\Kdmpmdpj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Klgqcqkl.exe Kiidgeki.exe File created C:\Windows\SysWOW64\Dimini32.dll Kpbfii32.exe File created C:\Windows\SysWOW64\Ipjedh32.exe Ijqmhnko.exe File created C:\Windows\SysWOW64\Pickil32.dll Process not Found File created C:\Windows\SysWOW64\Mglack32.exe Mpaifalo.exe File opened for modification C:\Windows\SysWOW64\Ngcgcjnc.exe Nqiogp32.exe File created C:\Windows\SysWOW64\Peljol32.exe Pnbbbabh.exe File created C:\Windows\SysWOW64\Qeemej32.exe Qbgqio32.exe File created C:\Windows\SysWOW64\Alkdnboj.exe Aaepqjpd.exe File created C:\Windows\SysWOW64\Ooagno32.exe Opogbbig.exe File created C:\Windows\SysWOW64\Olbdhn32.exe Oehlkc32.exe File created C:\Windows\SysWOW64\Pjpbba32.dll Process not Found File created C:\Windows\SysWOW64\Ophpeg32.dll Kghjhemo.exe File opened for modification C:\Windows\SysWOW64\Cacckp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iiehpahb.exe Ifgldfio.exe File created C:\Windows\SysWOW64\Ldipha32.exe Lmbhgd32.exe File opened for modification C:\Windows\SysWOW64\Eiloco32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Edmjfifl.exe Emcbio32.exe File opened for modification C:\Windows\SysWOW64\Fagjfflb.exe Fipbdikp.exe File created C:\Windows\SysWOW64\Fielph32.exe Fhdohp32.exe File created C:\Windows\SysWOW64\Cfnqklgh.exe Codhnb32.exe File opened for modification C:\Windows\SysWOW64\Jilfifme.exe Process not Found File created C:\Windows\SysWOW64\Ippohl32.dll Jefbfgig.exe File created C:\Windows\SysWOW64\Memcpg32.dll Jfeopj32.exe File created C:\Windows\SysWOW64\Ifgldfio.exe Iomcgl32.exe File created C:\Windows\SysWOW64\Lfodbqfa.exe Lpekef32.exe File created C:\Windows\SysWOW64\Mfjcnold.exe Mpqkad32.exe File opened for modification C:\Windows\SysWOW64\Fjjnifbl.exe Fbcfhibj.exe File opened for modification C:\Windows\SysWOW64\Dhbebj32.exe Process not Found File created C:\Windows\SysWOW64\Hnfmbf32.dll Mdpalp32.exe File created C:\Windows\SysWOW64\Eegdfm32.dll Acocaf32.exe File created C:\Windows\SysWOW64\Hnfamjqg.exe Hkhdqoac.exe File created C:\Windows\SysWOW64\Hhcjel32.dll Oljaccjf.exe File created C:\Windows\SysWOW64\Khacqh32.dll Djqblj32.exe File created C:\Windows\SysWOW64\Kjbhgf32.dll Fbcfhibj.exe File created C:\Windows\SysWOW64\Ipckgh32.exe Ibojncfj.exe File created C:\Windows\SysWOW64\Joiccj32.exe Jecofa32.exe File created C:\Windows\SysWOW64\Flqdlnde.exe Fjohde32.exe File created C:\Windows\SysWOW64\Lhibca32.dll Onmhgb32.exe File opened for modification C:\Windows\SysWOW64\Fdlnbm32.exe Fbnafb32.exe File created C:\Windows\SysWOW64\Ngpccdlj.exe Npfkgjdn.exe File created C:\Windows\SysWOW64\Leoema32.dll Hdpbon32.exe File opened for modification C:\Windows\SysWOW64\Qobhkjdi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bldgdago.exe Bblckl32.exe File created C:\Windows\SysWOW64\Bmbplc32.exe Bnpppgdj.exe File created C:\Windows\SysWOW64\Epmmqheb.exe Process not Found File created C:\Windows\SysWOW64\Kpnihq32.dll Aldomc32.exe File created C:\Windows\SysWOW64\Dkqaoe32.exe Process not Found File created C:\Windows\SysWOW64\Hdgpjm32.dll Haidklda.exe File created C:\Windows\SysWOW64\Pengdk32.exe Pbpjhp32.exe File opened for modification C:\Windows\SysWOW64\Eoekia32.exe Ehkclgmb.exe File created C:\Windows\SysWOW64\Ekojppef.dll Hnhghcki.exe File created C:\Windows\SysWOW64\Halpnqlq.dll Pdfjifjo.exe File created C:\Windows\SysWOW64\Dnqmalhn.dll Ckedalaj.exe File created C:\Windows\SysWOW64\Cdckomdh.dll Mekgdl32.exe File opened for modification C:\Windows\SysWOW64\Bqfoamfj.exe Biogppeg.exe File opened for modification C:\Windows\SysWOW64\Hehkajig.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lgneampk.exe Lpcmec32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13956 13300 Process not Found 1448 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eajeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomdjhoo.dll" Nbadcpbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolmfp32.dll" Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apignbdf.dll" Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fineoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Neccpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aanbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Olcbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbbmmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgngp32.dll" Joffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Joiccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcnnaikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iiffen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" Daqbip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 15520a71c88add902f005b60ca74e1a0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" Cndikf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpgodhkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amhfkopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Giqkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmqiee.dll" Cobkhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjcbbmif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qffbbldm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Accfbokl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chmndlge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kppici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbkank32.dll" Ijhjcchb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejbbmnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckhejil.dll" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifefimom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oqhacgdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agdhbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neccpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kebbafoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfejnf32.dll" Ipjedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bihjfnmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkpbin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidjfdep.dll" Cbjoljdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiginoqd.dll" Aqmlknnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olojcl32.dll" Lghcocol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfcqpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbinam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkgmcjld.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4568 wrote to memory of 2332 4568 15520a71c88add902f005b60ca74e1a0_NeikiAnalytics.exe 81 PID 4568 wrote to memory of 2332 4568 15520a71c88add902f005b60ca74e1a0_NeikiAnalytics.exe 81 PID 4568 wrote to memory of 2332 4568 15520a71c88add902f005b60ca74e1a0_NeikiAnalytics.exe 81 PID 2332 wrote to memory of 2344 2332 Hboagf32.exe 82 PID 2332 wrote to memory of 2344 2332 Hboagf32.exe 82 PID 2332 wrote to memory of 2344 2332 Hboagf32.exe 82 PID 2344 wrote to memory of 4196 2344 Hihicplj.exe 83 PID 2344 wrote to memory of 4196 2344 Hihicplj.exe 83 PID 2344 wrote to memory of 4196 2344 Hihicplj.exe 83 PID 4196 wrote to memory of 3964 4196 Hmdedo32.exe 84 PID 4196 wrote to memory of 3964 4196 Hmdedo32.exe 84 PID 4196 wrote to memory of 3964 4196 Hmdedo32.exe 84 PID 3964 wrote to memory of 796 3964 Hpbaqj32.exe 85 PID 3964 wrote to memory of 796 3964 Hpbaqj32.exe 85 PID 3964 wrote to memory of 796 3964 Hpbaqj32.exe 85 PID 796 wrote to memory of 4896 796 Hcnnaikp.exe 87 PID 796 wrote to memory of 4896 796 Hcnnaikp.exe 87 PID 796 wrote to memory of 4896 796 Hcnnaikp.exe 87 PID 4896 wrote to memory of 2964 4896 Hmfbjnbp.exe 89 PID 4896 wrote to memory of 2964 4896 Hmfbjnbp.exe 89 PID 4896 wrote to memory of 2964 4896 Hmfbjnbp.exe 89 PID 2964 wrote to memory of 3552 2964 Hfofbd32.exe 91 PID 2964 wrote to memory of 3552 2964 Hfofbd32.exe 91 PID 2964 wrote to memory of 3552 2964 Hfofbd32.exe 91 PID 3552 wrote to memory of 3972 3552 Hmioonpn.exe 92 PID 3552 wrote to memory of 3972 3552 Hmioonpn.exe 92 PID 3552 wrote to memory of 3972 3552 Hmioonpn.exe 92 PID 3972 wrote to memory of 3352 3972 Hccglh32.exe 93 PID 3972 wrote to memory of 3352 3972 Hccglh32.exe 93 PID 3972 wrote to memory of 3352 3972 Hccglh32.exe 93 PID 3352 wrote to memory of 2292 3352 Hjmoibog.exe 94 PID 3352 wrote to memory of 2292 3352 Hjmoibog.exe 94 PID 3352 wrote to memory of 2292 3352 Hjmoibog.exe 94 PID 2292 wrote to memory of 1732 2292 Hcedaheh.exe 95 PID 2292 wrote to memory of 1732 2292 Hcedaheh.exe 95 PID 2292 wrote to memory of 1732 2292 Hcedaheh.exe 95 PID 1732 wrote to memory of 3688 1732 Hjolnb32.exe 96 PID 1732 wrote to memory of 3688 1732 Hjolnb32.exe 96 PID 1732 wrote to memory of 3688 1732 Hjolnb32.exe 96 PID 3688 wrote to memory of 1116 3688 Haidklda.exe 97 PID 3688 wrote to memory of 1116 3688 Haidklda.exe 97 PID 3688 wrote to memory of 1116 3688 Haidklda.exe 97 PID 1116 wrote to memory of 2972 1116 Ibjqcd32.exe 98 PID 1116 wrote to memory of 2972 1116 Ibjqcd32.exe 98 PID 1116 wrote to memory of 2972 1116 Ibjqcd32.exe 98 PID 2972 wrote to memory of 2956 2972 Iidipnal.exe 99 PID 2972 wrote to memory of 2956 2972 Iidipnal.exe 99 PID 2972 wrote to memory of 2956 2972 Iidipnal.exe 99 PID 2956 wrote to memory of 624 2956 Iakaql32.exe 100 PID 2956 wrote to memory of 624 2956 Iakaql32.exe 100 PID 2956 wrote to memory of 624 2956 Iakaql32.exe 100 PID 624 wrote to memory of 3616 624 Ibmmhdhm.exe 101 PID 624 wrote to memory of 3616 624 Ibmmhdhm.exe 101 PID 624 wrote to memory of 3616 624 Ibmmhdhm.exe 101 PID 3616 wrote to memory of 4760 3616 Iiffen32.exe 102 PID 3616 wrote to memory of 4760 3616 Iiffen32.exe 102 PID 3616 wrote to memory of 4760 3616 Iiffen32.exe 102 PID 4760 wrote to memory of 4404 4760 Ipqnahgf.exe 103 PID 4760 wrote to memory of 4404 4760 Ipqnahgf.exe 103 PID 4760 wrote to memory of 4404 4760 Ipqnahgf.exe 103 PID 4404 wrote to memory of 3808 4404 Ibojncfj.exe 104 PID 4404 wrote to memory of 3808 4404 Ibojncfj.exe 104 PID 4404 wrote to memory of 3808 4404 Ibojncfj.exe 104 PID 3808 wrote to memory of 3768 3808 Ipckgh32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\15520a71c88add902f005b60ca74e1a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\15520a71c88add902f005b60ca74e1a0_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe23⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe24⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe25⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe26⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe27⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Jfaloa32.exeC:\Windows\system32\Jfaloa32.exe28⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe29⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe30⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe32⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe33⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe34⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe35⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe36⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe37⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe38⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe39⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe40⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe41⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe42⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe43⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe44⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe45⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe46⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe47⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe48⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe49⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe50⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe51⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe52⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe53⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe54⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe55⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe56⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe57⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe58⤵PID:1852
-
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe59⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe60⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe61⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe62⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe63⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe65⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe66⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe67⤵PID:1472
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe68⤵PID:5056
-
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe69⤵PID:1996
-
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe70⤵PID:2612
-
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe71⤵PID:4864
-
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe72⤵PID:940
-
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe73⤵PID:5016
-
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe74⤵PID:4416
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe75⤵PID:2400
-
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe76⤵PID:3724
-
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe77⤵PID:4808
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe78⤵PID:3756
-
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe79⤵PID:3204
-
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe80⤵PID:3660
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe81⤵PID:1124
-
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe82⤵PID:3152
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe83⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe84⤵PID:3328
-
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe85⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe86⤵PID:1192
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe87⤵
- Drops file in System32 directory
PID:4528 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe88⤵PID:4032
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe89⤵PID:3276
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe90⤵PID:4220
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe91⤵
- Drops file in System32 directory
PID:5112 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe92⤵PID:3076
-
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe93⤵PID:4700
-
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe94⤵PID:2872
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe95⤵PID:4224
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe96⤵PID:4084
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe97⤵PID:3820
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe98⤵PID:5124
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe99⤵PID:5172
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe100⤵PID:5216
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe101⤵PID:5260
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe102⤵PID:5300
-
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe103⤵PID:5344
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe104⤵PID:5388
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe105⤵PID:5440
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe106⤵PID:5480
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe107⤵PID:5524
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe108⤵PID:5568
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe109⤵PID:5616
-
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe110⤵PID:5652
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe111⤵PID:5700
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe112⤵PID:5744
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe113⤵PID:5792
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe114⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5880 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe116⤵PID:5920
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe117⤵PID:5964
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe118⤵PID:6012
-
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe119⤵PID:6056
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe120⤵PID:6100
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe121⤵PID:2824
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-