Analysis
-
max time kernel
149s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09/05/2024, 13:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
486336b176f29adb1d8d1a8b3559f060_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
486336b176f29adb1d8d1a8b3559f060_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
486336b176f29adb1d8d1a8b3559f060_NeikiAnalytics.exe
-
Size
78KB
-
MD5
486336b176f29adb1d8d1a8b3559f060
-
SHA1
bb35ec34de47e8eb2f2665b1e0ce518cb28dc48c
-
SHA256
eb7303d9101a3a884c7a74b28d3c1bd120cb24f25253c50c08e1c640690e7ecd
-
SHA512
4a90dfc6ac3ca53b70a2b05bef2e0659a5b13dc61aebbd651dbf39eb5b75889ca39c48f4ef756f0b9f03eeb8a8853f6f2f082101077f9e54b990fb4fc2c8f89c
-
SSDEEP
1536:yM8vPRgTZT1chjpl3Fw5iVh7N+zL20gJi1ie:lgJgTZEFw5iVdgzL20WKt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolaqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkebekgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glcelq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ickcaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbddpclj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aapeakij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfabok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jamhflqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mniafbfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmnomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojijg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbdcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcjnikhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhmkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hejjmage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgkakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqebg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfcqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gneaelqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgdlfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjmmfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbkblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boflfiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfgjcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhmkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iihkjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eolhlh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmdfpbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijadljdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poqckdap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccfcpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aekleind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdjbcnjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcjchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefencoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbaclegm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgmoncl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpglmjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbnmek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfgiof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibagmiie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmefafql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Effffd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baegchgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddbppa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oojalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oojalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccnnmmbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccjfaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjlpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Homadjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgcjmjho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macdgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojbamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qldccjno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhklgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copajm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaldngqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjfngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oanodnip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imonol32.exe -
Executes dropped EXE 64 IoCs
pid Process 3376 Bbaclegm.exe 3532 Cgklmacf.exe 4812 Cdaile32.exe 2940 Ddfbgelh.exe 404 Dpopbepi.exe 4516 Ecbeip32.exe 772 Fqphic32.exe 1436 Fkgillpj.exe 3980 Fcekfnkb.exe 1992 Gkalbj32.exe 2084 Gjhfif32.exe 4020 Hccggl32.exe 2480 Hgeihiac.exe 3820 Indkpcdk.exe 5012 Jnnnfalp.exe 4908 Jdmcdhhe.exe 1088 Jelonkph.exe 1100 Keceoj32.exe 2232 Kongmo32.exe 972 Lkiamp32.exe 3544 Mkgmoncl.exe 4320 Mojopk32.exe 4400 Nkeipk32.exe 3604 Nlgbon32.exe 4492 Okfbgiij.exe 3972 Pcbdcf32.exe 4912 Pfeijqqe.exe 4204 Apddce32.exe 4024 Acdioc32.exe 1240 Bmddihfj.exe 1036 Bfoegm32.exe 1124 Cplckbmc.exe 4224 Ciiaogon.exe 4968 Ciknefmk.exe 1828 Dmifkecb.exe 3356 Dedkogqm.exe 996 Defheg32.exe 4428 Dgfdojfm.exe 4648 Eennefib.exe 3484 Edoncm32.exe 2288 Eincadmf.exe 880 Fpmeimpn.exe 4792 Fcpkph32.exe 4536 Fjlpbb32.exe 4948 Gddqejni.exe 3880 Gqkajk32.exe 3832 Gjhonp32.exe 1304 Hqddqj32.exe 4288 Hcembe32.exe 1468 Hjabdo32.exe 3976 Iggocbke.exe 3548 Infqklol.exe 4348 Iebfmfdg.exe 4796 Ifcben32.exe 3508 Jgcooaah.exe 2580 Jjdgal32.exe 2928 Keghocao.exe 2768 Kejeebpl.exe 2096 Ldoafodd.exe 1408 Lokldg32.exe 4680 Mklpof32.exe 4748 Nnabladg.exe 3308 Ngifef32.exe 4360 Nhicoi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Omdpio32.exe Oanodnip.exe File created C:\Windows\SysWOW64\Mkcjdfne.dll Ndpafe32.exe File created C:\Windows\SysWOW64\Kbpjgmbe.dll Engjol32.exe File created C:\Windows\SysWOW64\Bbjlnk32.dll Llhnpe32.exe File opened for modification C:\Windows\SysWOW64\Npjelo32.exe Nnlhod32.exe File opened for modification C:\Windows\SysWOW64\Jjlmmbfo.exe Jlhlcnge.exe File opened for modification C:\Windows\SysWOW64\Oiagcg32.exe Olmficce.exe File created C:\Windows\SysWOW64\Pgdqpp32.dll Cdaigi32.exe File opened for modification C:\Windows\SysWOW64\Meknhh32.exe Mmnlnfcb.exe File opened for modification C:\Windows\SysWOW64\Nojagf32.exe Nccqbeec.exe File created C:\Windows\SysWOW64\Pcmloa32.exe Phhhbi32.exe File created C:\Windows\SysWOW64\Bogcqpdd.exe Bqafpc32.exe File created C:\Windows\SysWOW64\Cfgjcb32.exe Bcfabgel.exe File opened for modification C:\Windows\SysWOW64\Hcembe32.exe Hqddqj32.exe File created C:\Windows\SysWOW64\Iebfmfdg.exe Infqklol.exe File created C:\Windows\SysWOW64\Fkgeam32.dll Phkaqqoi.exe File opened for modification C:\Windows\SysWOW64\Ihknibbo.exe Hjhaeklb.exe File created C:\Windows\SysWOW64\Clffalkf.exe Cnbfgh32.exe File opened for modification C:\Windows\SysWOW64\Elagjihh.exe Efgono32.exe File created C:\Windows\SysWOW64\Phhhbi32.exe Pgfljqia.exe File opened for modification C:\Windows\SysWOW64\Ddjmkg32.exe Dojgnpke.exe File created C:\Windows\SysWOW64\Hogmmb32.dll Dqkmkb32.exe File created C:\Windows\SysWOW64\Qomhogfn.dll Fdiafc32.exe File created C:\Windows\SysWOW64\Oobknhji.dll Poodicio.exe File created C:\Windows\SysWOW64\Bimhihen.dll Bhldio32.exe File created C:\Windows\SysWOW64\Dpekndfg.dll Knbiil32.exe File opened for modification C:\Windows\SysWOW64\Kbbhjc32.exe Kjkpif32.exe File created C:\Windows\SysWOW64\Ijbkqe32.dll Qldccjno.exe File opened for modification C:\Windows\SysWOW64\Chblebll.exe Coigllel.exe File opened for modification C:\Windows\SysWOW64\Cdaile32.exe Cgklmacf.exe File created C:\Windows\SysWOW64\Imaqfd32.dll Ehjdejkj.exe File opened for modification C:\Windows\SysWOW64\Bepeph32.exe Bcqife32.exe File opened for modification C:\Windows\SysWOW64\Imonol32.exe Ibijbc32.exe File created C:\Windows\SysWOW64\Ckcaap32.dll Pgaboa32.exe File opened for modification C:\Windows\SysWOW64\Gmcdolbn.exe Fpeapilo.exe File created C:\Windows\SysWOW64\Gneaelqk.exe Gmcdolbn.exe File created C:\Windows\SysWOW64\Akipdg32.exe Qdphgmlj.exe File created C:\Windows\SysWOW64\Nnabladg.exe Mklpof32.exe File opened for modification C:\Windows\SysWOW64\Bfpkbfdi.exe Beaohcmf.exe File opened for modification C:\Windows\SysWOW64\Helfbqeb.exe Hbnjfefo.exe File created C:\Windows\SysWOW64\Jmppbgkk.dll Abimhd32.exe File opened for modification C:\Windows\SysWOW64\Mnhkklbb.exe Madjbg32.exe File created C:\Windows\SysWOW64\Qchgccaf.dll Knmkak32.exe File opened for modification C:\Windows\SysWOW64\Jdajabdc.exe Ikifhm32.exe File opened for modification C:\Windows\SysWOW64\Aihfjd32.exe Aocamk32.exe File opened for modification C:\Windows\SysWOW64\Jpalomaq.exe Jdhndlno.exe File created C:\Windows\SysWOW64\Oklegcdn.dll Chblebll.exe File created C:\Windows\SysWOW64\Kmicbcff.dll Hcfqoici.exe File opened for modification C:\Windows\SysWOW64\Okjnhpee.exe Oocmcn32.exe File opened for modification C:\Windows\SysWOW64\Giinjg32.exe Gdleap32.exe File opened for modification C:\Windows\SysWOW64\Lppbdmig.exe Lifjgb32.exe File created C:\Windows\SysWOW64\Kbnpmdbe.dll Cmdfpbkc.exe File opened for modification C:\Windows\SysWOW64\Dmooak32.exe Dpknhfoq.exe File created C:\Windows\SysWOW64\Mflidl32.exe Mmdekf32.exe File created C:\Windows\SysWOW64\Pdfjcl32.exe Pnlafaio.exe File created C:\Windows\SysWOW64\Elbffmlj.dll Pmfhbm32.exe File opened for modification C:\Windows\SysWOW64\Dqkmkb32.exe Dddlfa32.exe File created C:\Windows\SysWOW64\Ibagmiie.exe Iapjeq32.exe File created C:\Windows\SysWOW64\Aihaifam.exe Aggean32.exe File opened for modification C:\Windows\SysWOW64\Ljfodd32.exe Liecmlno.exe File created C:\Windows\SysWOW64\Bibokqno.dll Jdmcdhhe.exe File created C:\Windows\SysWOW64\Kaonnmka.dll Fpmeimpn.exe File created C:\Windows\SysWOW64\Enlbbj32.dll Dhjcdimf.exe File created C:\Windows\SysWOW64\Boabkj32.exe Abmbaf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5212 4360 WerFault.exe 869 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npjelo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfnbnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgepflm.dll" Hkdbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eikpan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffggdmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjkpje.dll" Elpknehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oegejc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeodapcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfmnkmn.dll" Clgbfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfaenfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jieiif32.dll" Nfabok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momhii32.dll" Dmmifaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iildfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdphgmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihmfcil.dll" Oanodnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nigbmkil.dll" Hjabdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baohmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adanbffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clfofd32.dll" Fifdqhal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciknefmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgkmap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll" Cdaile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bckdggcn.dll" Cmhial32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmdefi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfpcijlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccigg32.dll" Pfoamp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qolbgbgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkaijl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjggaooi.dll" Jfnbnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laqhao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmomihj.dll" Dfgcjpdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehqfcf32.dll" Efafqolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdmcdhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdcaahbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkmmelm.dll" Onifpodl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djkdnool.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chagiqhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikjapden.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgdhab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dffmogji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmcdolbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npighq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llmhkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idoknmfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negfik32.dll" Oibbjoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkpqdifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcniamb.dll" Hmhhnmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajoknk32.dll" Aomipkic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpqdifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkgleegf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfogohpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eolhlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmdefi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Engjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoaoie.dll" Qjjhla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pifodifq.dll" Jjfngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boflfiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apehmkbq.dll" Jqhaolli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kejeebpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcmnijkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kejeebpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcjnikhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loqjlg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3696 wrote to memory of 3376 3696 486336b176f29adb1d8d1a8b3559f060_NeikiAnalytics.exe 92 PID 3696 wrote to memory of 3376 3696 486336b176f29adb1d8d1a8b3559f060_NeikiAnalytics.exe 92 PID 3696 wrote to memory of 3376 3696 486336b176f29adb1d8d1a8b3559f060_NeikiAnalytics.exe 92 PID 3376 wrote to memory of 3532 3376 Bbaclegm.exe 93 PID 3376 wrote to memory of 3532 3376 Bbaclegm.exe 93 PID 3376 wrote to memory of 3532 3376 Bbaclegm.exe 93 PID 3532 wrote to memory of 4812 3532 Cgklmacf.exe 94 PID 3532 wrote to memory of 4812 3532 Cgklmacf.exe 94 PID 3532 wrote to memory of 4812 3532 Cgklmacf.exe 94 PID 4812 wrote to memory of 2940 4812 Cdaile32.exe 95 PID 4812 wrote to memory of 2940 4812 Cdaile32.exe 95 PID 4812 wrote to memory of 2940 4812 Cdaile32.exe 95 PID 2940 wrote to memory of 404 2940 Ddfbgelh.exe 96 PID 2940 wrote to memory of 404 2940 Ddfbgelh.exe 96 PID 2940 wrote to memory of 404 2940 Ddfbgelh.exe 96 PID 404 wrote to memory of 4516 404 Dpopbepi.exe 97 PID 404 wrote to memory of 4516 404 Dpopbepi.exe 97 PID 404 wrote to memory of 4516 404 Dpopbepi.exe 97 PID 4516 wrote to memory of 772 4516 Ecbeip32.exe 98 PID 4516 wrote to memory of 772 4516 Ecbeip32.exe 98 PID 4516 wrote to memory of 772 4516 Ecbeip32.exe 98 PID 772 wrote to memory of 1436 772 Fqphic32.exe 99 PID 772 wrote to memory of 1436 772 Fqphic32.exe 99 PID 772 wrote to memory of 1436 772 Fqphic32.exe 99 PID 1436 wrote to memory of 3980 1436 Fkgillpj.exe 100 PID 1436 wrote to memory of 3980 1436 Fkgillpj.exe 100 PID 1436 wrote to memory of 3980 1436 Fkgillpj.exe 100 PID 3980 wrote to memory of 1992 3980 Fcekfnkb.exe 101 PID 3980 wrote to memory of 1992 3980 Fcekfnkb.exe 101 PID 3980 wrote to memory of 1992 3980 Fcekfnkb.exe 101 PID 1992 wrote to memory of 2084 1992 Gkalbj32.exe 102 PID 1992 wrote to memory of 2084 1992 Gkalbj32.exe 102 PID 1992 wrote to memory of 2084 1992 Gkalbj32.exe 102 PID 2084 wrote to memory of 4020 2084 Gjhfif32.exe 103 PID 2084 wrote to memory of 4020 2084 Gjhfif32.exe 103 PID 2084 wrote to memory of 4020 2084 Gjhfif32.exe 103 PID 4020 wrote to memory of 2480 4020 Hccggl32.exe 104 PID 4020 wrote to memory of 2480 4020 Hccggl32.exe 104 PID 4020 wrote to memory of 2480 4020 Hccggl32.exe 104 PID 2480 wrote to memory of 3820 2480 Hgeihiac.exe 105 PID 2480 wrote to memory of 3820 2480 Hgeihiac.exe 105 PID 2480 wrote to memory of 3820 2480 Hgeihiac.exe 105 PID 3820 wrote to memory of 5012 3820 Indkpcdk.exe 106 PID 3820 wrote to memory of 5012 3820 Indkpcdk.exe 106 PID 3820 wrote to memory of 5012 3820 Indkpcdk.exe 106 PID 5012 wrote to memory of 4908 5012 Jnnnfalp.exe 107 PID 5012 wrote to memory of 4908 5012 Jnnnfalp.exe 107 PID 5012 wrote to memory of 4908 5012 Jnnnfalp.exe 107 PID 4908 wrote to memory of 1088 4908 Jdmcdhhe.exe 108 PID 4908 wrote to memory of 1088 4908 Jdmcdhhe.exe 108 PID 4908 wrote to memory of 1088 4908 Jdmcdhhe.exe 108 PID 1088 wrote to memory of 1100 1088 Jelonkph.exe 109 PID 1088 wrote to memory of 1100 1088 Jelonkph.exe 109 PID 1088 wrote to memory of 1100 1088 Jelonkph.exe 109 PID 1100 wrote to memory of 2232 1100 Keceoj32.exe 110 PID 1100 wrote to memory of 2232 1100 Keceoj32.exe 110 PID 1100 wrote to memory of 2232 1100 Keceoj32.exe 110 PID 2232 wrote to memory of 972 2232 Kongmo32.exe 111 PID 2232 wrote to memory of 972 2232 Kongmo32.exe 111 PID 2232 wrote to memory of 972 2232 Kongmo32.exe 111 PID 972 wrote to memory of 3544 972 Lkiamp32.exe 112 PID 972 wrote to memory of 3544 972 Lkiamp32.exe 112 PID 972 wrote to memory of 3544 972 Lkiamp32.exe 112 PID 3544 wrote to memory of 4320 3544 Mkgmoncl.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\486336b176f29adb1d8d1a8b3559f060_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\486336b176f29adb1d8d1a8b3559f060_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Bbaclegm.exeC:\Windows\system32\Bbaclegm.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Cgklmacf.exeC:\Windows\system32\Cgklmacf.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Cdaile32.exeC:\Windows\system32\Cdaile32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Dpopbepi.exeC:\Windows\system32\Dpopbepi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Fqphic32.exeC:\Windows\system32\Fqphic32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Gkalbj32.exeC:\Windows\system32\Gkalbj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Hgeihiac.exeC:\Windows\system32\Hgeihiac.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Indkpcdk.exeC:\Windows\system32\Indkpcdk.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Jelonkph.exeC:\Windows\system32\Jelonkph.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Keceoj32.exeC:\Windows\system32\Keceoj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Mkgmoncl.exeC:\Windows\system32\Mkgmoncl.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Mojopk32.exeC:\Windows\system32\Mojopk32.exe23⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe24⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe25⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Okfbgiij.exeC:\Windows\system32\Okfbgiij.exe26⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe28⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Apddce32.exeC:\Windows\system32\Apddce32.exe29⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe30⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe31⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe32⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Cplckbmc.exeC:\Windows\system32\Cplckbmc.exe33⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe34⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Ciknefmk.exeC:\Windows\system32\Ciknefmk.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4968 -
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe36⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe37⤵
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe38⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe39⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe40⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe41⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Eincadmf.exeC:\Windows\system32\Eincadmf.exe42⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Fpmeimpn.exeC:\Windows\system32\Fpmeimpn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe44⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Fjlpbb32.exeC:\Windows\system32\Fjlpbb32.exe45⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Gddqejni.exeC:\Windows\system32\Gddqejni.exe46⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe47⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Gjhonp32.exeC:\Windows\system32\Gjhonp32.exe48⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Hcembe32.exeC:\Windows\system32\Hcembe32.exe50⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Iggocbke.exeC:\Windows\system32\Iggocbke.exe52⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3548 -
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe54⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Ifcben32.exeC:\Windows\system32\Ifcben32.exe55⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Jgcooaah.exeC:\Windows\system32\Jgcooaah.exe56⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe57⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Keghocao.exeC:\Windows\system32\Keghocao.exe58⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe60⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe61⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Mklpof32.exeC:\Windows\system32\Mklpof32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4680 -
C:\Windows\SysWOW64\Nnabladg.exeC:\Windows\system32\Nnabladg.exe63⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe64⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Nhicoi32.exeC:\Windows\system32\Nhicoi32.exe65⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe66⤵PID:4600
-
C:\Windows\SysWOW64\Oojalb32.exeC:\Windows\system32\Oojalb32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3640 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe68⤵PID:1884
-
C:\Windows\SysWOW64\Qhekaejj.exeC:\Windows\system32\Qhekaejj.exe69⤵PID:3400
-
C:\Windows\SysWOW64\Akjnnpcf.exeC:\Windows\system32\Akjnnpcf.exe70⤵PID:4924
-
C:\Windows\SysWOW64\Bichcc32.exeC:\Windows\system32\Bichcc32.exe71⤵PID:2348
-
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe72⤵PID:3624
-
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe73⤵
- Drops file in System32 directory
PID:4136 -
C:\Windows\SysWOW64\Bfpkbfdi.exeC:\Windows\system32\Bfpkbfdi.exe74⤵PID:5140
-
C:\Windows\SysWOW64\Chfaenfb.exeC:\Windows\system32\Chfaenfb.exe75⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Cfgace32.exeC:\Windows\system32\Cfgace32.exe76⤵PID:5228
-
C:\Windows\SysWOW64\Cnbfgh32.exeC:\Windows\system32\Cnbfgh32.exe77⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Clffalkf.exeC:\Windows\system32\Clffalkf.exe78⤵PID:5320
-
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe79⤵PID:5364
-
C:\Windows\SysWOW64\Dpglmjoj.exeC:\Windows\system32\Dpglmjoj.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408 -
C:\Windows\SysWOW64\Dfqdid32.exeC:\Windows\system32\Dfqdid32.exe81⤵PID:5452
-
C:\Windows\SysWOW64\Eifffoob.exeC:\Windows\system32\Eifffoob.exe82⤵PID:5496
-
C:\Windows\SysWOW64\Eikpan32.exeC:\Windows\system32\Eikpan32.exe83⤵
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Epgdch32.exeC:\Windows\system32\Epgdch32.exe84⤵PID:5584
-
C:\Windows\SysWOW64\Eedmlo32.exeC:\Windows\system32\Eedmlo32.exe85⤵PID:5640
-
C:\Windows\SysWOW64\Fidbgm32.exeC:\Windows\system32\Fidbgm32.exe86⤵PID:5696
-
C:\Windows\SysWOW64\Kmpido32.exeC:\Windows\system32\Kmpido32.exe87⤵PID:5768
-
C:\Windows\SysWOW64\Ljffccjh.exeC:\Windows\system32\Ljffccjh.exe88⤵PID:5816
-
C:\Windows\SysWOW64\Lmkipncc.exeC:\Windows\system32\Lmkipncc.exe89⤵PID:5872
-
C:\Windows\SysWOW64\Mapgfk32.exeC:\Windows\system32\Mapgfk32.exe90⤵PID:5916
-
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe91⤵PID:5968
-
C:\Windows\SysWOW64\Omjnhiiq.exeC:\Windows\system32\Omjnhiiq.exe92⤵PID:6012
-
C:\Windows\SysWOW64\Odcfdc32.exeC:\Windows\system32\Odcfdc32.exe93⤵PID:6064
-
C:\Windows\SysWOW64\Oalpigkb.exeC:\Windows\system32\Oalpigkb.exe94⤵PID:6112
-
C:\Windows\SysWOW64\Phkaqqoi.exeC:\Windows\system32\Phkaqqoi.exe95⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe96⤵PID:5200
-
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe97⤵PID:5264
-
C:\Windows\SysWOW64\Bggnijof.exeC:\Windows\system32\Bggnijof.exe98⤵PID:4200
-
C:\Windows\SysWOW64\Bgodjiio.exeC:\Windows\system32\Bgodjiio.exe99⤵PID:5400
-
C:\Windows\SysWOW64\Ceeaim32.exeC:\Windows\system32\Ceeaim32.exe100⤵PID:4564
-
C:\Windows\SysWOW64\Cbiabq32.exeC:\Windows\system32\Cbiabq32.exe101⤵PID:5516
-
C:\Windows\SysWOW64\Cgejkh32.exeC:\Windows\system32\Cgejkh32.exe102⤵PID:5564
-
C:\Windows\SysWOW64\Dndlba32.exeC:\Windows\system32\Dndlba32.exe103⤵PID:2228
-
C:\Windows\SysWOW64\Gknkkmmj.exeC:\Windows\system32\Gknkkmmj.exe104⤵PID:3896
-
C:\Windows\SysWOW64\Ikmpcicg.exeC:\Windows\system32\Ikmpcicg.exe105⤵PID:5736
-
C:\Windows\SysWOW64\Jjpmfpid.exeC:\Windows\system32\Jjpmfpid.exe106⤵PID:5800
-
C:\Windows\SysWOW64\Jkfcigkm.exeC:\Windows\system32\Jkfcigkm.exe107⤵PID:5948
-
C:\Windows\SysWOW64\Kokbpe32.exeC:\Windows\system32\Kokbpe32.exe108⤵PID:6048
-
C:\Windows\SysWOW64\Lckglc32.exeC:\Windows\system32\Lckglc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6140 -
C:\Windows\SysWOW64\Liofdigo.exeC:\Windows\system32\Liofdigo.exe110⤵PID:3864
-
C:\Windows\SysWOW64\Mmdekf32.exeC:\Windows\system32\Mmdekf32.exe111⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Mflidl32.exeC:\Windows\system32\Mflidl32.exe112⤵PID:5360
-
C:\Windows\SysWOW64\Mfofjk32.exeC:\Windows\system32\Mfofjk32.exe113⤵PID:5440
-
C:\Windows\SysWOW64\Nfabok32.exeC:\Windows\system32\Nfabok32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Npighq32.exeC:\Windows\system32\Npighq32.exe115⤵
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Nifele32.exeC:\Windows\system32\Nifele32.exe116⤵PID:2784
-
C:\Windows\SysWOW64\Qmlmjq32.exeC:\Windows\system32\Qmlmjq32.exe117⤵PID:3348
-
C:\Windows\SysWOW64\Aiejda32.exeC:\Windows\system32\Aiejda32.exe118⤵PID:4056
-
C:\Windows\SysWOW64\Acmomgoa.exeC:\Windows\system32\Acmomgoa.exe119⤵PID:4088
-
C:\Windows\SysWOW64\Bloflk32.exeC:\Windows\system32\Bloflk32.exe120⤵PID:4424
-
C:\Windows\SysWOW64\Cjabgm32.exeC:\Windows\system32\Cjabgm32.exe121⤵PID:4092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-