Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12/05/2024, 10:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
83151abb2b441de71dfedd89ea3ad4c0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
83151abb2b441de71dfedd89ea3ad4c0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
83151abb2b441de71dfedd89ea3ad4c0_NeikiAnalytics.exe
-
Size
72KB
-
MD5
83151abb2b441de71dfedd89ea3ad4c0
-
SHA1
a1c74e9a47fa5f85cd6584d23e46192472a55ed3
-
SHA256
ed950a6937c720e23953ee3ef15000aacc27099b8ab1276002564105a64adcb1
-
SHA512
a5fc77af9a1712ecdc8d62ed9444bd94608d05a40aeb4e3f1b36abea3ac1a25f185ebbd2f15e7ca3be59d1b2e9d8d76942dafcf5d4555cce03210dd2ce0110cd
-
SSDEEP
1536:UzZZwt4Lf+lhmwtsYeJYjEkqomNzjJPArS:UTwt3AlJz9P1
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhiajmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeekkafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljkifn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joiccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mifcejnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfbobf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpjjac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkgmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkopnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feapkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffjcopi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfedoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpomcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikqqlgem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blhpqhlh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hienlpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpggamqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkchelci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlednamo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpieqeko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plcdiabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkgnfhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eppqqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfcmhpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojjqlpk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadeieea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kimnbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndokbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pncgmkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kppici32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loeolc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomakdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqncedbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmehb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lndagg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgokmgjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfigpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohcegi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnlhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjijgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhfppabl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glengm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nabfjpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 4252 Ajkhdp32.exe 796 Aaepqjpd.exe 3892 Adcmmeog.exe 5060 Alkdnboj.exe 4680 Abemjmgg.exe 4548 Bahmfj32.exe 3696 Bhaebcen.exe 1672 Bnlnon32.exe 4624 Beeflhdh.exe 2964 Bhdbhcck.exe 2996 Bjbndobo.exe 2272 Balfaiil.exe 4492 Bdkcmdhp.exe 1508 Bjdkjo32.exe 3632 Bblckl32.exe 2340 Bhikcb32.exe 1144 Bobcpmfc.exe 1772 Baaplhef.exe 4560 Bdolhc32.exe 3300 Boepel32.exe 396 Cacmah32.exe 4032 Chmeobkq.exe 1936 Cbcilkjg.exe 2264 Ceaehfjj.exe 1304 Chpada32.exe 3512 Cojjqlpk.exe 2452 Cbefaj32.exe 3932 Cdfbibnb.exe 2780 Colffknh.exe 4880 Cefoce32.exe 4824 Clpgpp32.exe 1104 Conclk32.exe 4828 Camphf32.exe 1776 Cdkldb32.exe 3548 Clbceo32.exe 2240 Doqpak32.exe 3896 Daolnf32.exe 2764 Dhidjpqc.exe 3316 Dkgqfl32.exe 728 Docmgjhp.exe 4320 Demecd32.exe 2464 Dhkapp32.exe 2760 Dkjmlk32.exe 4108 Dadeieea.exe 1544 Ddbbeade.exe 4188 Dlijfneg.exe 1068 Dohfbj32.exe 1084 Dafbne32.exe 2592 Dddojq32.exe 4316 Dkoggkjo.exe 1676 Dojcgi32.exe 1860 Dahode32.exe 4340 Ddgkpp32.exe 2192 Ekacmjgl.exe 2224 Echknh32.exe 3992 Ekcpbj32.exe 872 Eeidoc32.exe 1076 Ehgqln32.exe 2808 Eoaihhlp.exe 2372 Eleiam32.exe 2336 Eemnjbaj.exe 3468 Elgfgl32.exe 1344 Eadopc32.exe 4140 Ehnglm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nqbpojnp.exe Process not Found File created C:\Windows\SysWOW64\Bhikcb32.exe Bblckl32.exe File opened for modification C:\Windows\SysWOW64\Bdolhc32.exe Baaplhef.exe File opened for modification C:\Windows\SysWOW64\Eoekia32.exe Egnchd32.exe File created C:\Windows\SysWOW64\Migmpjdh.dll Process not Found File created C:\Windows\SysWOW64\Jffggf32.dll Cnicfe32.exe File opened for modification C:\Windows\SysWOW64\Gkglja32.exe Gdncmghi.exe File opened for modification C:\Windows\SysWOW64\Ngdfdmdi.exe Nomncpcg.exe File created C:\Windows\SysWOW64\Qhlkilba.exe Pabblb32.exe File opened for modification C:\Windows\SysWOW64\Emmkiclm.exe Ebhglj32.exe File created C:\Windows\SysWOW64\Njnpppkn.exe Ngpccdlj.exe File created C:\Windows\SysWOW64\Mkfdhbpg.dll Bhhdil32.exe File created C:\Windows\SysWOW64\Olojcl32.dll Lghcocol.exe File created C:\Windows\SysWOW64\Kllfakij.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qjlnnemp.exe Qcbfakec.exe File opened for modification C:\Windows\SysWOW64\Bidqko32.exe Bfedoc32.exe File created C:\Windows\SysWOW64\Egcjff32.dll Djhpgofm.exe File created C:\Windows\SysWOW64\Inainbcn.exe Iggaah32.exe File created C:\Windows\SysWOW64\Fdflahpe.dll Bokehc32.exe File created C:\Windows\SysWOW64\Fibbmq32.dll Ncfdie32.exe File opened for modification C:\Windows\SysWOW64\Klfjijgq.exe Kelalp32.exe File created C:\Windows\SysWOW64\Gjpnoh32.dll Nlihle32.exe File created C:\Windows\SysWOW64\Ofcmimpk.dll Fpbmfn32.exe File created C:\Windows\SysWOW64\Opcqnb32.exe Ohlimd32.exe File opened for modification C:\Windows\SysWOW64\Goglcahb.exe Process not Found File created C:\Windows\SysWOW64\Fcfhof32.exe Fkopnh32.exe File opened for modification C:\Windows\SysWOW64\Hkehkocf.exe Hdlpneli.exe File created C:\Windows\SysWOW64\Kejiqphj.dll Mlpeff32.exe File opened for modification C:\Windows\SysWOW64\Lgokmgjm.exe Ldanqkki.exe File created C:\Windows\SysWOW64\Mbighjdd.exe Mlpokp32.exe File created C:\Windows\SysWOW64\Adfdmepn.dll Pleaoa32.exe File created C:\Windows\SysWOW64\Gkiaej32.exe Gdoihpbk.exe File created C:\Windows\SysWOW64\Gdcliikj.exe Glldgljg.exe File created C:\Windows\SysWOW64\Hbjoeojc.exe Process not Found File created C:\Windows\SysWOW64\Jehokgge.exe Jbjcolha.exe File created C:\Windows\SysWOW64\Naeheh32.dll Cdhhdlid.exe File created C:\Windows\SysWOW64\Jieagojp.exe Jfgdkd32.exe File created C:\Windows\SysWOW64\Hkjjlhle.exe Hdpbon32.exe File created C:\Windows\SysWOW64\Pjjhbl32.exe Pcppfaka.exe File opened for modification C:\Windows\SysWOW64\Ajqgidij.exe Qqhcpo32.exe File created C:\Windows\SysWOW64\Nekiiopm.dll Cmipblaq.exe File opened for modification C:\Windows\SysWOW64\Modgdicm.exe Process not Found File created C:\Windows\SysWOW64\Jnifpf32.dll Process not Found File created C:\Windows\SysWOW64\Pfoann32.exe Process not Found File created C:\Windows\SysWOW64\Cpkgohbq.dll Process not Found File created C:\Windows\SysWOW64\Mlkepaam.exe Milidebi.exe File opened for modification C:\Windows\SysWOW64\Nknobkje.exe Nhpbfpka.exe File created C:\Windows\SysWOW64\Eeccjdie.dll Process not Found File opened for modification C:\Windows\SysWOW64\Phaahggp.exe Pmlmkn32.exe File opened for modification C:\Windows\SysWOW64\Bohbhmfm.exe Bklfgo32.exe File opened for modification C:\Windows\SysWOW64\Bnmoijje.exe Bllbaa32.exe File created C:\Windows\SysWOW64\Pnjbcghk.dll Process not Found File created C:\Windows\SysWOW64\Ceacpg32.dll Ikpaldog.exe File created C:\Windows\SysWOW64\Knippe32.exe Klkcdj32.exe File created C:\Windows\SysWOW64\Dobhii32.dll Opcqnb32.exe File created C:\Windows\SysWOW64\Qfkqjmdg.exe Process not Found File created C:\Windows\SysWOW64\Aaoaic32.exe Process not Found File created C:\Windows\SysWOW64\Iejpiq32.dll Ajhniccb.exe File created C:\Windows\SysWOW64\Jkiocibf.dll Lmpkadnm.exe File created C:\Windows\SysWOW64\Mdpmoppk.dll Ponfka32.exe File opened for modification C:\Windows\SysWOW64\Qqffjo32.exe Qjlnnemp.exe File created C:\Windows\SysWOW64\Amodep32.exe Ajqgidij.exe File opened for modification C:\Windows\SysWOW64\Hjchaf32.exe Hhbkinel.exe File opened for modification C:\Windows\SysWOW64\Cdabcm32.exe Cmgjgcgo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11404 12100 Process not Found 1372 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eggmge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cimcan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djdmffnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkddhpn.dll" Lmbhgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdlpneli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bohibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcneih32.dll" Gfpcgpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilcdofmo.dll" Ikokan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqokaeco.dll" Mhbmphjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migmpjdh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mibijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcmlfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipckmjqi.dll" Djelgied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdjibj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmhl32.dll" Ikbnacmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Moobbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgkbp32.dll" Poomegpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmfkk32.dll" Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhafkok.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gadqlkep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihqoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djdflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll" Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojpmg32.dll" Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmmgg32.dll" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmglcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnhjlpl.dll" Oklkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgjllic.dll" Pcmlfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkadfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqmjog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbqaei32.dll" Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll" Bgcknmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpcchkn.dll" Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohkkhhmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnddgjbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpjjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfhnaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nknobkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjkqlam.dll" Olgncmim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbeio32.dll" Fdfmlhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jencdebl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dahode32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcfhof32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1488 wrote to memory of 4252 1488 83151abb2b441de71dfedd89ea3ad4c0_NeikiAnalytics.exe 82 PID 1488 wrote to memory of 4252 1488 83151abb2b441de71dfedd89ea3ad4c0_NeikiAnalytics.exe 82 PID 1488 wrote to memory of 4252 1488 83151abb2b441de71dfedd89ea3ad4c0_NeikiAnalytics.exe 82 PID 4252 wrote to memory of 796 4252 Ajkhdp32.exe 83 PID 4252 wrote to memory of 796 4252 Ajkhdp32.exe 83 PID 4252 wrote to memory of 796 4252 Ajkhdp32.exe 83 PID 796 wrote to memory of 3892 796 Aaepqjpd.exe 84 PID 796 wrote to memory of 3892 796 Aaepqjpd.exe 84 PID 796 wrote to memory of 3892 796 Aaepqjpd.exe 84 PID 3892 wrote to memory of 5060 3892 Adcmmeog.exe 85 PID 3892 wrote to memory of 5060 3892 Adcmmeog.exe 85 PID 3892 wrote to memory of 5060 3892 Adcmmeog.exe 85 PID 5060 wrote to memory of 4680 5060 Alkdnboj.exe 86 PID 5060 wrote to memory of 4680 5060 Alkdnboj.exe 86 PID 5060 wrote to memory of 4680 5060 Alkdnboj.exe 86 PID 4680 wrote to memory of 4548 4680 Abemjmgg.exe 87 PID 4680 wrote to memory of 4548 4680 Abemjmgg.exe 87 PID 4680 wrote to memory of 4548 4680 Abemjmgg.exe 87 PID 4548 wrote to memory of 3696 4548 Bahmfj32.exe 88 PID 4548 wrote to memory of 3696 4548 Bahmfj32.exe 88 PID 4548 wrote to memory of 3696 4548 Bahmfj32.exe 88 PID 3696 wrote to memory of 1672 3696 Bhaebcen.exe 89 PID 3696 wrote to memory of 1672 3696 Bhaebcen.exe 89 PID 3696 wrote to memory of 1672 3696 Bhaebcen.exe 89 PID 1672 wrote to memory of 4624 1672 Bnlnon32.exe 90 PID 1672 wrote to memory of 4624 1672 Bnlnon32.exe 90 PID 1672 wrote to memory of 4624 1672 Bnlnon32.exe 90 PID 4624 wrote to memory of 2964 4624 Beeflhdh.exe 91 PID 4624 wrote to memory of 2964 4624 Beeflhdh.exe 91 PID 4624 wrote to memory of 2964 4624 Beeflhdh.exe 91 PID 2964 wrote to memory of 2996 2964 Bhdbhcck.exe 93 PID 2964 wrote to memory of 2996 2964 Bhdbhcck.exe 93 PID 2964 wrote to memory of 2996 2964 Bhdbhcck.exe 93 PID 2996 wrote to memory of 2272 2996 Bjbndobo.exe 94 PID 2996 wrote to memory of 2272 2996 Bjbndobo.exe 94 PID 2996 wrote to memory of 2272 2996 Bjbndobo.exe 94 PID 2272 wrote to memory of 4492 2272 Balfaiil.exe 95 PID 2272 wrote to memory of 4492 2272 Balfaiil.exe 95 PID 2272 wrote to memory of 4492 2272 Balfaiil.exe 95 PID 4492 wrote to memory of 1508 4492 Bdkcmdhp.exe 96 PID 4492 wrote to memory of 1508 4492 Bdkcmdhp.exe 96 PID 4492 wrote to memory of 1508 4492 Bdkcmdhp.exe 96 PID 1508 wrote to memory of 3632 1508 Bjdkjo32.exe 97 PID 1508 wrote to memory of 3632 1508 Bjdkjo32.exe 97 PID 1508 wrote to memory of 3632 1508 Bjdkjo32.exe 97 PID 3632 wrote to memory of 2340 3632 Bblckl32.exe 99 PID 3632 wrote to memory of 2340 3632 Bblckl32.exe 99 PID 3632 wrote to memory of 2340 3632 Bblckl32.exe 99 PID 2340 wrote to memory of 1144 2340 Bhikcb32.exe 100 PID 2340 wrote to memory of 1144 2340 Bhikcb32.exe 100 PID 2340 wrote to memory of 1144 2340 Bhikcb32.exe 100 PID 1144 wrote to memory of 1772 1144 Bobcpmfc.exe 101 PID 1144 wrote to memory of 1772 1144 Bobcpmfc.exe 101 PID 1144 wrote to memory of 1772 1144 Bobcpmfc.exe 101 PID 1772 wrote to memory of 4560 1772 Baaplhef.exe 102 PID 1772 wrote to memory of 4560 1772 Baaplhef.exe 102 PID 1772 wrote to memory of 4560 1772 Baaplhef.exe 102 PID 4560 wrote to memory of 3300 4560 Bdolhc32.exe 103 PID 4560 wrote to memory of 3300 4560 Bdolhc32.exe 103 PID 4560 wrote to memory of 3300 4560 Bdolhc32.exe 103 PID 3300 wrote to memory of 396 3300 Boepel32.exe 104 PID 3300 wrote to memory of 396 3300 Boepel32.exe 104 PID 3300 wrote to memory of 396 3300 Boepel32.exe 104 PID 396 wrote to memory of 4032 396 Cacmah32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\83151abb2b441de71dfedd89ea3ad4c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\83151abb2b441de71dfedd89ea3ad4c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe23⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe24⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe25⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe26⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe28⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe29⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe30⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe31⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe32⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe33⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe34⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe35⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe36⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe37⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe38⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe39⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe40⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe41⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe42⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe43⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe44⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe46⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe47⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe48⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe49⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe50⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe51⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe52⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe54⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe55⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe56⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe57⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe58⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe59⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe60⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe61⤵PID:4464
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe62⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe63⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe64⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe65⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe66⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe67⤵PID:4972
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe68⤵PID:1340
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe69⤵PID:4072
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe70⤵PID:2640
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4016 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe72⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3832 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe74⤵PID:2904
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe75⤵PID:2840
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe76⤵PID:3684
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe77⤵PID:4440
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe78⤵PID:3396
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe79⤵PID:1088
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe80⤵PID:1628
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe81⤵PID:1648
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe82⤵PID:1928
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe83⤵PID:2120
-
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe84⤵PID:3064
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe85⤵
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe86⤵PID:4896
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe87⤵PID:448
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe88⤵PID:1940
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe89⤵PID:716
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe90⤵PID:5044
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe91⤵PID:976
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe92⤵PID:4436
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe93⤵PID:3076
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe94⤵PID:4996
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe96⤵PID:5152
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe97⤵PID:5196
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe98⤵PID:5248
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe99⤵PID:5292
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe100⤵PID:5332
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe101⤵PID:5380
-
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe102⤵PID:5424
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe103⤵PID:5468
-
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe104⤵PID:5516
-
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe105⤵PID:5564
-
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe106⤵PID:5608
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe107⤵PID:5644
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe108⤵PID:5696
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe109⤵PID:5740
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe110⤵PID:5788
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe111⤵PID:5828
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe112⤵PID:5876
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe113⤵PID:5920
-
C:\Windows\SysWOW64\Hioiji32.exeC:\Windows\system32\Hioiji32.exe114⤵PID:5960
-
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe115⤵PID:6004
-
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe116⤵PID:6048
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe117⤵PID:6092
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe118⤵PID:6128
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe119⤵PID:5180
-
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe120⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe121⤵
- Modifies registry class
PID:5312
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-