Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14/05/2024, 14:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c98bb63ad58bedbec4f54e83e2a77d60_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c98bb63ad58bedbec4f54e83e2a77d60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
c98bb63ad58bedbec4f54e83e2a77d60_NeikiAnalytics.exe
-
Size
324KB
-
MD5
c98bb63ad58bedbec4f54e83e2a77d60
-
SHA1
c95a7f082d8758c0ec1cb8415faafb22dd46c0ca
-
SHA256
235220dc0a30ad1bc1d6b1e518e4b58c8620324552e6da798606e51b75df4b28
-
SHA512
df566dce5ad324f2682e7a08f6de48ce2ff476ce5fad70afb54c862d9a6da786645124f1e6c8199fd995eeeb00ddfc76d65135fcb1559037355fccd10fe65e28
-
SSDEEP
6144:seZ07YhTClljd3rKzwN8Jlljd3njPX9ZAk3f:zZjWjpKXjtjP9Zt
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkldqkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heocnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnlpnih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlampmdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhabbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhkgoiqe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifljdjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcckif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbcfhibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihqoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkaag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngaionfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjeanmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgnbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfngap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibnccmbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoogfnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmigoagp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cecbmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpcfdmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddinf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaehljpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmenca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakdpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgndoeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qikgco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojefobm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cecbmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhjfhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mipcob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahhio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhigf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peimil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqlfkmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibpiogmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjcmebie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqiipljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahgoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejkmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dheibpje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolkncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oponmilc.exe -
Executes dropped EXE 64 IoCs
pid Process 2544 Onmhgb32.exe 4364 Oqkdcn32.exe 1104 Pkaiqf32.exe 4392 Pbkamqmd.exe 2704 Peimil32.exe 1388 Peljol32.exe 4756 Pcagphom.exe 2820 Paegjl32.exe 3588 Pkjlge32.exe 2684 Pagdol32.exe 3248 Qbgqio32.exe 4504 Qloebdig.exe 3272 Acjjfggb.exe 420 Ajdbcano.exe 3452 Aldomc32.exe 1408 Aaqgek32.exe 852 Andgoobc.exe 2252 Angddopp.exe 3584 Ajneip32.exe 2804 Bhaebcen.exe 1208 Bhdbhcck.exe 2628 Bhfonc32.exe 1596 Bjghpn32.exe 3608 Bhkhibmc.exe 3708 Cbqlfkmi.exe 5104 Chmeobkq.exe 1532 Cafigg32.exe 3696 Cknnpm32.exe 2216 Cecbmf32.exe 3296 Clnjjpod.exe 4440 Cdiooblp.exe 5068 Camphf32.exe 1952 Ckedalaj.exe 3848 Docmgjhp.exe 1944 Doeiljfn.exe 2908 Dlijfneg.exe 1560 Dccbbhld.exe 1660 Dddojq32.exe 4140 Dkoggkjo.exe 880 Ddgkpp32.exe 1508 Echknh32.exe 3492 Ehedfo32.exe 2792 Ecjhcg32.exe 4864 Elbmlmml.exe 3392 Eekaebcm.exe 2992 Ehimanbq.exe 2080 Eabbjc32.exe 804 Edpnfo32.exe 4472 Eofbch32.exe 1432 Edbklofb.exe 3284 Fcckif32.exe 2500 Fdegandp.exe 2124 Fojlngce.exe 1700 Fdgdgnbm.exe 4912 Fkalchij.exe 1296 Fakdpb32.exe 3204 Fhemmlhc.exe 4384 Fckajehi.exe 4128 Fhgjblfq.exe 3200 Fkffog32.exe 4824 Fcmnpe32.exe 4280 Fhjfhl32.exe 1368 Gcojed32.exe 4752 Gfngap32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Clkgcdmh.dll Gdbmhf32.exe File created C:\Windows\SysWOW64\Oikmnf32.dll Ffaong32.exe File opened for modification C:\Windows\SysWOW64\Amjillkj.exe Qlimed32.exe File created C:\Windows\SysWOW64\Pcpikkge.exe Phjenbhp.exe File created C:\Windows\SysWOW64\Mdeodj32.dll Lgjijmin.exe File opened for modification C:\Windows\SysWOW64\Modgdicm.exe Lncjlq32.exe File opened for modification C:\Windows\SysWOW64\Oqkdcn32.exe Onmhgb32.exe File created C:\Windows\SysWOW64\Gdkcckgg.dll Ncofplba.exe File created C:\Windows\SysWOW64\Gabmaqlh.dll Olfghg32.exe File created C:\Windows\SysWOW64\Qceiaa32.exe Qmkadgpo.exe File created C:\Windows\SysWOW64\Bciehh32.exe Bmomlnjk.exe File created C:\Windows\SysWOW64\Jheldb32.dll Mebcop32.exe File created C:\Windows\SysWOW64\Enbjad32.exe Ekdnei32.exe File opened for modification C:\Windows\SysWOW64\Fkcboack.exe Fhdfbfdh.exe File opened for modification C:\Windows\SysWOW64\Jgogbgei.exe Jnfcia32.exe File opened for modification C:\Windows\SysWOW64\Jphkkpbp.exe Jniood32.exe File created C:\Windows\SysWOW64\Bcoenmao.exe Bapiabak.exe File opened for modification C:\Windows\SysWOW64\Jejefqaf.exe Jkaqnk32.exe File opened for modification C:\Windows\SysWOW64\Ipoopgnf.exe Inqbclob.exe File created C:\Windows\SysWOW64\Amcmpodi.exe Afjeceml.exe File opened for modification C:\Windows\SysWOW64\Emmdom32.exe Efblbbqd.exe File created C:\Windows\SysWOW64\Kbblcj32.dll Epmmqheb.exe File opened for modification C:\Windows\SysWOW64\Kjgeedch.exe Kgiiiidd.exe File opened for modification C:\Windows\SysWOW64\Npepkf32.exe Process not Found File created C:\Windows\SysWOW64\Ocbddc32.exe Olhlhjpd.exe File created C:\Windows\SysWOW64\Mhbmphjm.exe Mfaqhp32.exe File created C:\Windows\SysWOW64\Dbfbnkdn.dll Agdhbi32.exe File created C:\Windows\SysWOW64\Pofkjd32.dll Gpqjglii.exe File opened for modification C:\Windows\SysWOW64\Dngjff32.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Oonnoglh.dll Llodgnja.exe File created C:\Windows\SysWOW64\Cdbinofi.dll Jidklf32.exe File created C:\Windows\SysWOW64\Namdcd32.dll Kibgmdcn.exe File created C:\Windows\SysWOW64\Deokon32.exe Daconoae.exe File created C:\Windows\SysWOW64\Dfhjkabi.exe Dcjnoece.exe File opened for modification C:\Windows\SysWOW64\Gbdgfa32.exe Gkkojgao.exe File created C:\Windows\SysWOW64\Blnlefae.dll Coiaiakf.exe File opened for modification C:\Windows\SysWOW64\Pejkmk32.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Ehaaclak.dll Pmdkch32.exe File created C:\Windows\SysWOW64\Bfjkjgbh.dll Efepbi32.exe File created C:\Windows\SysWOW64\Lfjfecno.exe Lqmmmmph.exe File opened for modification C:\Windows\SysWOW64\Fakdpb32.exe Fkalchij.exe File opened for modification C:\Windows\SysWOW64\Bfqkddfd.exe Bogcgj32.exe File created C:\Windows\SysWOW64\Ojgjndno.exe Oejbfmpg.exe File created C:\Windows\SysWOW64\Phganm32.exe Peieba32.exe File opened for modification C:\Windows\SysWOW64\Bjicdmmd.exe Abbkcpma.exe File created C:\Windows\SysWOW64\Cqhcce32.dll Cfcjfk32.exe File created C:\Windows\SysWOW64\Poigcbng.dll Ddjmba32.exe File created C:\Windows\SysWOW64\Nmipdk32.exe Process not Found File created C:\Windows\SysWOW64\Nagfjh32.dll Dhjckcgi.exe File opened for modification C:\Windows\SysWOW64\Injcmc32.exe Iklgah32.exe File created C:\Windows\SysWOW64\Mgjpndjd.dll Acjjfggb.exe File opened for modification C:\Windows\SysWOW64\Mckemg32.exe Mlampmdo.exe File created C:\Windows\SysWOW64\Comjoclk.dll Jlmfeg32.exe File created C:\Windows\SysWOW64\Ggmookkn.dll Nhnlkfpp.exe File created C:\Windows\SysWOW64\Cncijina.dll Omqmop32.exe File created C:\Windows\SysWOW64\Mfbhmo32.dll Bhkmec32.exe File created C:\Windows\SysWOW64\Donfhp32.dll Ocbddc32.exe File created C:\Windows\SysWOW64\Fdkggg32.exe Famjkl32.exe File created C:\Windows\SysWOW64\Knhcpa32.dll Okgaijaj.exe File created C:\Windows\SysWOW64\Dcpmen32.exe Dlieda32.exe File opened for modification C:\Windows\SysWOW64\Iphioh32.exe Iinqbn32.exe File created C:\Windows\SysWOW64\Qmgelf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fmmmfj32.exe Fefedmil.exe File opened for modification C:\Windows\SysWOW64\Kfankifm.exe Kpgfooop.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10132 9592 Process not Found 1200 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll" Lingibiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjagqbca.dll" Ibkpcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhmomen.dll" Ifdonfka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfhjkabi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecgcfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmhlgmmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlijfneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpeiqdc.dll" Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdafnpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmjim32.dll" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oncofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihoif32.dll" Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nndjndbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjillkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akglloai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpgfooop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edhjghdk.dll" Cdlqqcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbibld32.dll" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmjdjgjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgeag32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhaebcen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkoggkjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qceiaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafkni32.dll" Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ploknb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Camphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlijfneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obncjbkf.dll" Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jibmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpmhl32.dll" Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkibak32.dll" Edpgli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagfjh32.dll" Dhjckcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbqmiinl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpijopg.dll" Cknnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjajmpkj.dll" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjdipap.dll" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaqhj32.dll" Leadnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmdonkgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olfghg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jioaqfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajihlijd.dll" Mkhapk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipnjab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekbihd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achnlqjp.dll" Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oonnoglh.dll" Llodgnja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nebdoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jejefqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnlefae.dll" Coiaiakf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1932 wrote to memory of 2544 1932 c98bb63ad58bedbec4f54e83e2a77d60_NeikiAnalytics.exe 82 PID 1932 wrote to memory of 2544 1932 c98bb63ad58bedbec4f54e83e2a77d60_NeikiAnalytics.exe 82 PID 1932 wrote to memory of 2544 1932 c98bb63ad58bedbec4f54e83e2a77d60_NeikiAnalytics.exe 82 PID 2544 wrote to memory of 4364 2544 Onmhgb32.exe 83 PID 2544 wrote to memory of 4364 2544 Onmhgb32.exe 83 PID 2544 wrote to memory of 4364 2544 Onmhgb32.exe 83 PID 4364 wrote to memory of 1104 4364 Oqkdcn32.exe 84 PID 4364 wrote to memory of 1104 4364 Oqkdcn32.exe 84 PID 4364 wrote to memory of 1104 4364 Oqkdcn32.exe 84 PID 1104 wrote to memory of 4392 1104 Pkaiqf32.exe 85 PID 1104 wrote to memory of 4392 1104 Pkaiqf32.exe 85 PID 1104 wrote to memory of 4392 1104 Pkaiqf32.exe 85 PID 4392 wrote to memory of 2704 4392 Pbkamqmd.exe 86 PID 4392 wrote to memory of 2704 4392 Pbkamqmd.exe 86 PID 4392 wrote to memory of 2704 4392 Pbkamqmd.exe 86 PID 2704 wrote to memory of 1388 2704 Peimil32.exe 90 PID 2704 wrote to memory of 1388 2704 Peimil32.exe 90 PID 2704 wrote to memory of 1388 2704 Peimil32.exe 90 PID 1388 wrote to memory of 4756 1388 Peljol32.exe 91 PID 1388 wrote to memory of 4756 1388 Peljol32.exe 91 PID 1388 wrote to memory of 4756 1388 Peljol32.exe 91 PID 4756 wrote to memory of 2820 4756 Pcagphom.exe 92 PID 4756 wrote to memory of 2820 4756 Pcagphom.exe 92 PID 4756 wrote to memory of 2820 4756 Pcagphom.exe 92 PID 2820 wrote to memory of 3588 2820 Paegjl32.exe 93 PID 2820 wrote to memory of 3588 2820 Paegjl32.exe 93 PID 2820 wrote to memory of 3588 2820 Paegjl32.exe 93 PID 3588 wrote to memory of 2684 3588 Pkjlge32.exe 94 PID 3588 wrote to memory of 2684 3588 Pkjlge32.exe 94 PID 3588 wrote to memory of 2684 3588 Pkjlge32.exe 94 PID 2684 wrote to memory of 3248 2684 Pagdol32.exe 95 PID 2684 wrote to memory of 3248 2684 Pagdol32.exe 95 PID 2684 wrote to memory of 3248 2684 Pagdol32.exe 95 PID 3248 wrote to memory of 4504 3248 Qbgqio32.exe 96 PID 3248 wrote to memory of 4504 3248 Qbgqio32.exe 96 PID 3248 wrote to memory of 4504 3248 Qbgqio32.exe 96 PID 4504 wrote to memory of 3272 4504 Qloebdig.exe 97 PID 4504 wrote to memory of 3272 4504 Qloebdig.exe 97 PID 4504 wrote to memory of 3272 4504 Qloebdig.exe 97 PID 3272 wrote to memory of 420 3272 Acjjfggb.exe 98 PID 3272 wrote to memory of 420 3272 Acjjfggb.exe 98 PID 3272 wrote to memory of 420 3272 Acjjfggb.exe 98 PID 420 wrote to memory of 3452 420 Ajdbcano.exe 99 PID 420 wrote to memory of 3452 420 Ajdbcano.exe 99 PID 420 wrote to memory of 3452 420 Ajdbcano.exe 99 PID 3452 wrote to memory of 1408 3452 Aldomc32.exe 100 PID 3452 wrote to memory of 1408 3452 Aldomc32.exe 100 PID 3452 wrote to memory of 1408 3452 Aldomc32.exe 100 PID 1408 wrote to memory of 852 1408 Aaqgek32.exe 101 PID 1408 wrote to memory of 852 1408 Aaqgek32.exe 101 PID 1408 wrote to memory of 852 1408 Aaqgek32.exe 101 PID 852 wrote to memory of 2252 852 Andgoobc.exe 102 PID 852 wrote to memory of 2252 852 Andgoobc.exe 102 PID 852 wrote to memory of 2252 852 Andgoobc.exe 102 PID 2252 wrote to memory of 3584 2252 Angddopp.exe 103 PID 2252 wrote to memory of 3584 2252 Angddopp.exe 103 PID 2252 wrote to memory of 3584 2252 Angddopp.exe 103 PID 3584 wrote to memory of 2804 3584 Ajneip32.exe 104 PID 3584 wrote to memory of 2804 3584 Ajneip32.exe 104 PID 3584 wrote to memory of 2804 3584 Ajneip32.exe 104 PID 2804 wrote to memory of 1208 2804 Bhaebcen.exe 105 PID 2804 wrote to memory of 1208 2804 Bhaebcen.exe 105 PID 2804 wrote to memory of 1208 2804 Bhaebcen.exe 105 PID 1208 wrote to memory of 2628 1208 Bhdbhcck.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\c98bb63ad58bedbec4f54e83e2a77d60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c98bb63ad58bedbec4f54e83e2a77d60_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:420 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe23⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe24⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe25⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe27⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe28⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3696 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe31⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe32⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe34⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe35⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe36⤵PID:4456
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe37⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe39⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe40⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4140 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe42⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe43⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe44⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe45⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe46⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe47⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe48⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe49⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe50⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe51⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe52⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe54⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe55⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe56⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe59⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe60⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe61⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe62⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe63⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe65⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe67⤵
- Drops file in System32 directory
PID:4044 -
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe68⤵PID:3872
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe69⤵PID:4600
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe70⤵PID:4452
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe71⤵PID:2476
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe72⤵PID:3008
-
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe73⤵PID:3692
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe74⤵PID:3996
-
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe75⤵PID:2380
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe76⤵PID:3976
-
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe77⤵PID:856
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe78⤵PID:732
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe79⤵PID:1612
-
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe80⤵PID:3948
-
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4144 -
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe82⤵PID:4148
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe83⤵PID:4352
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe84⤵PID:4800
-
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe85⤵PID:544
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe86⤵PID:3496
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe87⤵
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe88⤵PID:336
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe89⤵PID:936
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe90⤵PID:2900
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe91⤵PID:2960
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe92⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe93⤵
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Iejcji32.exeC:\Windows\system32\Iejcji32.exe94⤵PID:4832
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe95⤵PID:4740
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4312 -
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe97⤵PID:4556
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe98⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe99⤵PID:3440
-
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe100⤵PID:1548
-
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe101⤵PID:4624
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe102⤵PID:4680
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe103⤵PID:1880
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe104⤵PID:3196
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe105⤵
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe106⤵PID:2020
-
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe107⤵PID:3884
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe108⤵PID:5024
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe109⤵PID:3384
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe110⤵
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe111⤵PID:2272
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe112⤵PID:3604
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe113⤵PID:2732
-
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe114⤵PID:1828
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe115⤵PID:5168
-
C:\Windows\SysWOW64\Klgqcqkl.exeC:\Windows\system32\Klgqcqkl.exe116⤵PID:5212
-
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe117⤵PID:5256
-
C:\Windows\SysWOW64\Klimip32.exeC:\Windows\system32\Klimip32.exe118⤵PID:5300
-
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe119⤵PID:5340
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe120⤵PID:5388
-
C:\Windows\SysWOW64\Kpgfooop.exeC:\Windows\system32\Kpgfooop.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:5432
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-