Analysis
-
max time kernel
140s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 13:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d414f75e784f1c2b33bef32fc9d087d0_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
d414f75e784f1c2b33bef32fc9d087d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
d414f75e784f1c2b33bef32fc9d087d0_NeikiAnalytics.exe
-
Size
203KB
-
MD5
d414f75e784f1c2b33bef32fc9d087d0
-
SHA1
8fab640e1b0d220513c73d16a16c27f372c3b439
-
SHA256
b56ca0654403033dc49c377234d0e3db566b33eddfccc766e65f415c592918c5
-
SHA512
79c4941ac2a7dc4456e211e0ef769fe719fb4fdda14c15143064732ed6cdda7edf5526bb96e0a995f0714caa8bc605f0154f44160232decd8267cdc1a46128d0
-
SSDEEP
6144:Vil4eNJaDftnJfKXqPTX7D7FM6234lKm3mo8YG:gljNUrtJCXqP77D7FB24lwT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eblimcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcecb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojhpimhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlblcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iimcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jekqmhia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfandnla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pagbaglh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kapfiqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edeeci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnhfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlljnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aonoao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfadkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phajna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gngeik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmaffnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khbiello.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofdhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlalkmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hedafk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Panhbfep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcjjhdjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eblimcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dddllkbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnlaldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kflide32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlofcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Geanfelc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajkqfoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knalji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkpmdbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieidhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhgiim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbnajqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocaebc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmomo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2732 Jnjejjgh.exe 4288 Jddnfd32.exe 2924 Jgbjbp32.exe 3304 Jknfcofa.exe 2384 Jjafok32.exe 4936 Jnlbojee.exe 888 Jqknkedi.exe 3792 Kqmkae32.exe 2892 Kdigadjo.exe 4752 Kkconn32.exe 4416 Knalji32.exe 116 Kcndbp32.exe 4520 Knchpiom.exe 2304 Kdmqmc32.exe 1624 Kkgiimng.exe 1304 Knfeeimj.exe 4656 Kkjeomld.exe 4692 Kmkbfeab.exe 2216 Kdbjhbbd.exe 4308 Ljobpiql.exe 4556 Lqikmc32.exe 2932 Lcggio32.exe 5016 Lnmkfh32.exe 4364 Ldgccb32.exe 2740 Lcjcnoej.exe 2832 Lnohlgep.exe 2928 Lqndhcdc.exe 3276 Lkchelci.exe 1600 Lqpamb32.exe 3524 Lmgabcge.exe 4568 Mnfnlf32.exe 2416 Mepfiq32.exe 3504 Mmkkmc32.exe 4072 Mebcop32.exe 3852 Mkmkkjko.exe 1080 Mnkggfkb.exe 1540 Meepdp32.exe 3680 Mnmdme32.exe 4828 Megljppl.exe 2572 Mkadfj32.exe 4680 Mmbanbmg.exe 3408 Meiioonj.exe 4888 Njfagf32.exe 5092 Nmenca32.exe 4880 Nelfeo32.exe 3972 Ngjbaj32.exe 3760 Njinmf32.exe 1844 Nmgjia32.exe 3660 Nabfjpak.exe 3624 Nhmofj32.exe 4600 Njkkbehl.exe 4596 Naecop32.exe 4108 Neqopnhb.exe 4396 Njmhhefi.exe 3848 Nagpeo32.exe 3628 Nlmdbh32.exe 1764 Oeehkn32.exe 4456 Ojbacd32.exe 3452 Omqmop32.exe 3952 Oeheqm32.exe 1748 Onpjichj.exe 5000 Oejbfmpg.exe 2012 Oldjcg32.exe 3456 Omegjomb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bhbcfbjk.exe Bedgjgkg.exe File opened for modification C:\Windows\SysWOW64\Aokkahlo.exe Agdcpkll.exe File created C:\Windows\SysWOW64\Enfckp32.exe Dglkoeio.exe File created C:\Windows\SysWOW64\Pjmnkgfc.dll Ibcjqgnm.exe File created C:\Windows\SysWOW64\Fhjnfdhk.dll Hedafk32.exe File created C:\Windows\SysWOW64\Cikamapb.dll Hifcgion.exe File created C:\Windows\SysWOW64\Fhhfif32.dll Jpenfp32.exe File created C:\Windows\SysWOW64\Jfdnfdoa.dll Nagpeo32.exe File opened for modification C:\Windows\SysWOW64\Onpjichj.exe Oeheqm32.exe File created C:\Windows\SysWOW64\Hhdcmp32.exe Hajkqfoe.exe File created C:\Windows\SysWOW64\Cnokmj32.dll Momcpa32.exe File opened for modification C:\Windows\SysWOW64\Pdmkhgho.exe Pmcclm32.exe File created C:\Windows\SysWOW64\Lpmbai32.dll Aehgnied.exe File opened for modification C:\Windows\SysWOW64\Hahokfag.exe Hnibokbd.exe File created C:\Windows\SysWOW64\Ljcpchlo.dll Ieidhh32.exe File created C:\Windows\SysWOW64\Dkodcb32.dll Mnhdgpii.exe File created C:\Windows\SysWOW64\Jlgfga32.dll Kamjda32.exe File created C:\Windows\SysWOW64\Oonlfo32.exe Omopjcjp.exe File opened for modification C:\Windows\SysWOW64\Pjaleemj.exe Pbjddh32.exe File created C:\Windows\SysWOW64\Nhmofj32.exe Nabfjpak.exe File created C:\Windows\SysWOW64\Oejbfmpg.exe Onpjichj.exe File opened for modification C:\Windows\SysWOW64\Pknqoc32.exe Pddhbipj.exe File created C:\Windows\SysWOW64\Obgbikfp.dll Bedgjgkg.exe File created C:\Windows\SysWOW64\Camddhoi.exe Bnoknihb.exe File created C:\Windows\SysWOW64\Bdifpa32.dll Gejopl32.exe File created C:\Windows\SysWOW64\Clmipm32.dll Enfckp32.exe File opened for modification C:\Windows\SysWOW64\Nbphglbe.exe Ncmhko32.exe File created C:\Windows\SysWOW64\Bochmn32.exe Alelqb32.exe File created C:\Windows\SysWOW64\Jiiicf32.exe Jenmcggo.exe File created C:\Windows\SysWOW64\Dhbebj32.exe Dpkmal32.exe File created C:\Windows\SysWOW64\Iehmmb32.exe Iondqhpl.exe File created C:\Windows\SysWOW64\Pbcncibp.exe Ppdbgncl.exe File created C:\Windows\SysWOW64\Mamjbp32.dll Njinmf32.exe File created C:\Windows\SysWOW64\Akqfkp32.exe Aednci32.exe File opened for modification C:\Windows\SysWOW64\Bochmn32.exe Alelqb32.exe File opened for modification C:\Windows\SysWOW64\Klpakj32.exe Kibeoo32.exe File created C:\Windows\SysWOW64\Nmgjia32.exe Njinmf32.exe File opened for modification C:\Windows\SysWOW64\Dkhnjk32.exe Ddnfmqng.exe File created C:\Windows\SysWOW64\Cqmmqg32.dll Eifaim32.exe File created C:\Windows\SysWOW64\Migmpjdh.dll Jcmdaljn.exe File created C:\Windows\SysWOW64\Pnkbkk32.exe Phajna32.exe File created C:\Windows\SysWOW64\Mcfbkpab.exe Mlljnf32.exe File created C:\Windows\SysWOW64\Njmhhefi.exe Neqopnhb.exe File created C:\Windows\SysWOW64\Aehgnied.exe Aonoao32.exe File created C:\Windows\SysWOW64\Pjpbba32.dll Emoadlfo.exe File created C:\Windows\SysWOW64\Jfdaia32.dll Gmfplibd.exe File opened for modification C:\Windows\SysWOW64\Panhbfep.exe Pnplfj32.exe File created C:\Windows\SysWOW64\Bhqndghj.dll Cpmapodj.exe File created C:\Windows\SysWOW64\Ojbacd32.exe Oeehkn32.exe File created C:\Windows\SysWOW64\Bhbcfbjk.exe Bedgjgkg.exe File opened for modification C:\Windows\SysWOW64\Eiahnnph.exe Efblbbqd.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Fbjena32.exe File opened for modification C:\Windows\SysWOW64\Dbpjaeoc.exe Dkfadkgf.exe File created C:\Windows\SysWOW64\Fdahdiml.dll Igajal32.exe File created C:\Windows\SysWOW64\Dhgonidg.exe Damfao32.exe File created C:\Windows\SysWOW64\Pipeabep.dll Caageq32.exe File opened for modification C:\Windows\SysWOW64\Jbccge32.exe Jpegkj32.exe File created C:\Windows\SysWOW64\Libmeq32.dll Gkdpbpih.exe File opened for modification C:\Windows\SysWOW64\Lqikmc32.exe Ljobpiql.exe File created C:\Windows\SysWOW64\Effkpc32.dll Cdnmfclj.exe File opened for modification C:\Windows\SysWOW64\Dkokcl32.exe Chqogq32.exe File opened for modification C:\Windows\SysWOW64\Pnfiplog.exe Pfoann32.exe File created C:\Windows\SysWOW64\Phfcipoo.exe Palklf32.exe File opened for modification C:\Windows\SysWOW64\Ahofoogd.exe Aphnnafb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14168 14080 WerFault.exe 695 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqecq32.dll" Emhkdmlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abhemohm.dll" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnibokbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll" Pbjddh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll" Goglcahb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phfcipoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nijqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihejacdm.dll" Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkmjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll" Mjpjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll" Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmchiim.dll" Gblbca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfojfj32.dll" Hbihjifh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glbjggof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfnjpfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll" Qodeajbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Khlklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdijliok.dll" Bhkmec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibcaknbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iefphb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfagighf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hponje32.dll" Oacoqnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdimkqnb.dll" Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgbhl32.dll" Ckmonl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll" Conanfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqdpgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpehef32.dll" Ghojbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bllbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobkhf32.dll" Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iijfhbhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpegkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll" Jpegkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkddhpn.dll" Lqndhcdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlglidlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpncq32.dll" Ngjbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdohflaf.dll" Lhenai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmmlla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enalem32.dll" Iolhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Geohklaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifolcq32.dll" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmjlphl.dll" Apjkcadp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 684 wrote to memory of 2732 684 d414f75e784f1c2b33bef32fc9d087d0_NeikiAnalytics.exe 89 PID 684 wrote to memory of 2732 684 d414f75e784f1c2b33bef32fc9d087d0_NeikiAnalytics.exe 89 PID 684 wrote to memory of 2732 684 d414f75e784f1c2b33bef32fc9d087d0_NeikiAnalytics.exe 89 PID 2732 wrote to memory of 4288 2732 Jnjejjgh.exe 90 PID 2732 wrote to memory of 4288 2732 Jnjejjgh.exe 90 PID 2732 wrote to memory of 4288 2732 Jnjejjgh.exe 90 PID 4288 wrote to memory of 2924 4288 Jddnfd32.exe 91 PID 4288 wrote to memory of 2924 4288 Jddnfd32.exe 91 PID 4288 wrote to memory of 2924 4288 Jddnfd32.exe 91 PID 2924 wrote to memory of 3304 2924 Jgbjbp32.exe 92 PID 2924 wrote to memory of 3304 2924 Jgbjbp32.exe 92 PID 2924 wrote to memory of 3304 2924 Jgbjbp32.exe 92 PID 3304 wrote to memory of 2384 3304 Jknfcofa.exe 93 PID 3304 wrote to memory of 2384 3304 Jknfcofa.exe 93 PID 3304 wrote to memory of 2384 3304 Jknfcofa.exe 93 PID 2384 wrote to memory of 4936 2384 Jjafok32.exe 94 PID 2384 wrote to memory of 4936 2384 Jjafok32.exe 94 PID 2384 wrote to memory of 4936 2384 Jjafok32.exe 94 PID 4936 wrote to memory of 888 4936 Jnlbojee.exe 95 PID 4936 wrote to memory of 888 4936 Jnlbojee.exe 95 PID 4936 wrote to memory of 888 4936 Jnlbojee.exe 95 PID 888 wrote to memory of 3792 888 Jqknkedi.exe 96 PID 888 wrote to memory of 3792 888 Jqknkedi.exe 96 PID 888 wrote to memory of 3792 888 Jqknkedi.exe 96 PID 3792 wrote to memory of 2892 3792 Kqmkae32.exe 97 PID 3792 wrote to memory of 2892 3792 Kqmkae32.exe 97 PID 3792 wrote to memory of 2892 3792 Kqmkae32.exe 97 PID 2892 wrote to memory of 4752 2892 Kdigadjo.exe 99 PID 2892 wrote to memory of 4752 2892 Kdigadjo.exe 99 PID 2892 wrote to memory of 4752 2892 Kdigadjo.exe 99 PID 4752 wrote to memory of 4416 4752 Kkconn32.exe 100 PID 4752 wrote to memory of 4416 4752 Kkconn32.exe 100 PID 4752 wrote to memory of 4416 4752 Kkconn32.exe 100 PID 4416 wrote to memory of 116 4416 Knalji32.exe 102 PID 4416 wrote to memory of 116 4416 Knalji32.exe 102 PID 4416 wrote to memory of 116 4416 Knalji32.exe 102 PID 116 wrote to memory of 4520 116 Kcndbp32.exe 103 PID 116 wrote to memory of 4520 116 Kcndbp32.exe 103 PID 116 wrote to memory of 4520 116 Kcndbp32.exe 103 PID 4520 wrote to memory of 2304 4520 Knchpiom.exe 104 PID 4520 wrote to memory of 2304 4520 Knchpiom.exe 104 PID 4520 wrote to memory of 2304 4520 Knchpiom.exe 104 PID 2304 wrote to memory of 1624 2304 Kdmqmc32.exe 105 PID 2304 wrote to memory of 1624 2304 Kdmqmc32.exe 105 PID 2304 wrote to memory of 1624 2304 Kdmqmc32.exe 105 PID 1624 wrote to memory of 1304 1624 Kkgiimng.exe 107 PID 1624 wrote to memory of 1304 1624 Kkgiimng.exe 107 PID 1624 wrote to memory of 1304 1624 Kkgiimng.exe 107 PID 1304 wrote to memory of 4656 1304 Knfeeimj.exe 108 PID 1304 wrote to memory of 4656 1304 Knfeeimj.exe 108 PID 1304 wrote to memory of 4656 1304 Knfeeimj.exe 108 PID 4656 wrote to memory of 4692 4656 Kkjeomld.exe 109 PID 4656 wrote to memory of 4692 4656 Kkjeomld.exe 109 PID 4656 wrote to memory of 4692 4656 Kkjeomld.exe 109 PID 4692 wrote to memory of 2216 4692 Kmkbfeab.exe 110 PID 4692 wrote to memory of 2216 4692 Kmkbfeab.exe 110 PID 4692 wrote to memory of 2216 4692 Kmkbfeab.exe 110 PID 2216 wrote to memory of 4308 2216 Kdbjhbbd.exe 111 PID 2216 wrote to memory of 4308 2216 Kdbjhbbd.exe 111 PID 2216 wrote to memory of 4308 2216 Kdbjhbbd.exe 111 PID 4308 wrote to memory of 4556 4308 Ljobpiql.exe 112 PID 4308 wrote to memory of 4556 4308 Ljobpiql.exe 112 PID 4308 wrote to memory of 4556 4308 Ljobpiql.exe 112 PID 4556 wrote to memory of 2932 4556 Lqikmc32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\d414f75e784f1c2b33bef32fc9d087d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d414f75e784f1c2b33bef32fc9d087d0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Jnjejjgh.exeC:\Windows\system32\Jnjejjgh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe23⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:5016 -
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe25⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe26⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe27⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe29⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe30⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe31⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe33⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe34⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe35⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe36⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe37⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe38⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe39⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe40⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe41⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe42⤵PID:4332
-
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe43⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe44⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe45⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe46⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe47⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3760 -
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe50⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe52⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe53⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe54⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe56⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3848 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe58⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe60⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe61⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3952 -
C:\Windows\SysWOW64\Onpjichj.exeC:\Windows\system32\Onpjichj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe64⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe65⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe66⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4560 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe68⤵PID:3996
-
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe69⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe70⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5140 -
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe72⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe73⤵PID:5220
-
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe74⤵PID:5260
-
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300 -
C:\Windows\SysWOW64\Pmoiqneg.exeC:\Windows\system32\Pmoiqneg.exe76⤵PID:5344
-
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe77⤵PID:5384
-
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5424 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe79⤵PID:5464
-
C:\Windows\SysWOW64\Popbpqjh.exeC:\Windows\system32\Popbpqjh.exe80⤵PID:5504
-
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe81⤵
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe82⤵PID:5584
-
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe83⤵PID:5628
-
C:\Windows\SysWOW64\Qmepam32.exeC:\Windows\system32\Qmepam32.exe84⤵PID:5668
-
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe85⤵PID:5712
-
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe86⤵PID:5752
-
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe87⤵PID:5796
-
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe88⤵PID:5836
-
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe89⤵PID:5876
-
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe90⤵PID:5924
-
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe91⤵
- Drops file in System32 directory
PID:5968 -
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe92⤵PID:6008
-
C:\Windows\SysWOW64\Anobgl32.exeC:\Windows\system32\Anobgl32.exe93⤵PID:6052
-
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe94⤵PID:6092
-
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe95⤵
- Modifies registry class
PID:3940 -
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe97⤵
- Drops file in System32 directory
PID:5252 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe98⤵PID:5324
-
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe99⤵PID:5420
-
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe100⤵PID:5472
-
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe101⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe102⤵PID:5620
-
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe103⤵
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe104⤵PID:5768
-
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe105⤵PID:5832
-
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe106⤵PID:5892
-
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe107⤵PID:4592
-
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe108⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe109⤵PID:6004
-
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe110⤵PID:6084
-
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe111⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe112⤵PID:5228
-
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe113⤵PID:5340
-
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe114⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe115⤵PID:5572
-
C:\Windows\SysWOW64\Cdlqqcnl.exeC:\Windows\system32\Cdlqqcnl.exe116⤵PID:5680
-
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe117⤵
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe118⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe119⤵PID:4584
-
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe120⤵
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe121⤵PID:6132
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-