Analysis
-
max time kernel
156s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16-05-2024 12:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
deb030b43410a8d2abe44a309fc96c20_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
deb030b43410a8d2abe44a309fc96c20_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
deb030b43410a8d2abe44a309fc96c20_NeikiAnalytics.exe
-
Size
89KB
-
MD5
deb030b43410a8d2abe44a309fc96c20
-
SHA1
9c1d14dde22589cd9c79ae2e08869b83221ab8c8
-
SHA256
bd2b991baec0bde5ef1d2d8deef70dabb145222e4f7ac0943e3c52de5c1aab2a
-
SHA512
4a1528282502ad046ef06cbccb53c34222f4d5a94ba33967f2e2671cd19975551cc529dac74232e6773922059758c752d8f881f59d5ce87e0bf10dd8911a62f6
-
SSDEEP
1536:uJ/wBK1300yCrhQ9uvPnX1PlmxUJ27/MglcBlExkg8Fk:uaBKR0GqabmX5cBlakgwk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abkjnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgfhddn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bodfkpfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdqelh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhblfpng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhafgpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjcmognb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akipdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkqdnkge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gknkkmmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdpio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmmoppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqmnpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoonjjgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojjoedfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooangh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plndma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpajdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfdhdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnjjpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknnoofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbeeco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klddgfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcbfmomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndnnianm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnmbao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nddkaddm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnggnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diafkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oagpne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlbfmjqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anjikoip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkehlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblgja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fikbhiaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmfchq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdfcla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocldhqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihlechfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgiibja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoonjjgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeiooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nojfic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfhnfhc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocoqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkfkng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meoggpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Helkdnaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laofhbmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mndcnafd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahdgnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnppbapl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfhlpnfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmjij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knenffqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oggjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddifaqcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnppbapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfeoip32.exe -
Executes dropped EXE 64 IoCs
pid Process 4656 Ooibkpmi.exe 4920 Omalpc32.exe 1188 Omdieb32.exe 3840 Pfagighf.exe 3700 Pfccogfc.exe 3628 Pidlqb32.exe 3000 Qclmck32.exe 488 Amfobp32.exe 2808 Abfdpfaj.exe 1304 Aibibp32.exe 5004 Aalmimfd.exe 2656 Bdapehop.exe 3348 Bipecnkd.exe 3976 Cmpjoloh.exe 1084 Cpacqg32.exe 2568 Cacmpj32.exe 2948 Dknnoofg.exe 976 Egkddo32.exe 2960 Eaceghcg.exe 3452 Famhmfkl.exe 4532 Fqbeoc32.exe 4992 Gbpnjdkg.exe 2660 Hbknebqi.exe 1840 Iccpniqp.exe 4924 Ihaidhgf.exe 5104 Jnnnfalp.exe 1684 Jacpcl32.exe 1356 Koljgppp.exe 3992 Khfkfedn.exe 3936 Laffpi32.exe 1764 Lkqgno32.exe 4404 Lamlphoo.exe 780 Mlemcq32.exe 1164 Memalfcb.exe 1780 Mklfjm32.exe 2044 Nchhfild.exe 2684 Ndlacapp.exe 3876 Ndnnianm.exe 2796 Nofoki32.exe 3972 Ohqpjo32.exe 2076 Odjmdocp.exe 4056 Ooangh32.exe 376 Pcpgmf32.exe 2176 Pmjhlklg.exe 5032 Pfeijqqe.exe 4420 Qifbll32.exe 4464 Qkfkng32.exe 3236 Afqifo32.exe 3776 Acgfec32.exe 548 Bcicjbal.exe 4560 Bliajd32.exe 1748 Cbjogmlf.exe 1804 Cboibm32.exe 4668 Dfonnk32.exe 2976 Dmkcpdao.exe 2564 Dmbiackg.exe 1156 Edakimoo.exe 1236 Edfddl32.exe 1508 Flaiho32.exe 2136 Fdogjk32.exe 1396 Fdadpk32.exe 4276 Gnlenp32.exe 3468 Gqmnpk32.exe 1124 Gjhonp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fijbhpbc.dll Agqhik32.exe File created C:\Windows\SysWOW64\Fqqkagjo.dll Miflehaf.exe File created C:\Windows\SysWOW64\Bckddn32.exe Begcjjql.exe File created C:\Windows\SysWOW64\Afapjk32.exe Process not Found File created C:\Windows\SysWOW64\Fjacac32.dll Loniiflo.exe File created C:\Windows\SysWOW64\Acpkbf32.exe Acmomgoa.exe File created C:\Windows\SysWOW64\Gahlnk32.dll Acpkbf32.exe File opened for modification C:\Windows\SysWOW64\Hhbkccji.exe Hgboiq32.exe File created C:\Windows\SysWOW64\Opqopj32.exe Ogeklh32.exe File opened for modification C:\Windows\SysWOW64\Imdndbkn.exe Idljll32.exe File created C:\Windows\SysWOW64\Fcjeocpf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dhfhnfhc.exe Ckpjob32.exe File opened for modification C:\Windows\SysWOW64\Pjehflie.exe Pplcnf32.exe File created C:\Windows\SysWOW64\Qocfjlan.exe Poajdlcq.exe File created C:\Windows\SysWOW64\Foemfdkp.dll Hmpjfdcb.exe File created C:\Windows\SysWOW64\Nldhbggg.dll Mndapl32.exe File created C:\Windows\SysWOW64\Mlffgmbd.dll Nnojad32.exe File opened for modification C:\Windows\SysWOW64\Jfkhfmdm.exe Jfhlpnfp.exe File created C:\Windows\SysWOW64\Nhcbidcd.exe Ndejcemn.exe File created C:\Windows\SysWOW64\Eangjkkd.exe Elaobdmm.exe File opened for modification C:\Windows\SysWOW64\Kcikfcab.exe Kbgafqla.exe File created C:\Windows\SysWOW64\Jlkaahjg.exe Jeolonem.exe File created C:\Windows\SysWOW64\Jpdiag32.dll Fabqdl32.exe File created C:\Windows\SysWOW64\Fipbnn32.exe Fhofffjo.exe File created C:\Windows\SysWOW64\Mdnlip32.dll Aepklffh.exe File created C:\Windows\SysWOW64\Emhahiep.exe Ecpmod32.exe File opened for modification C:\Windows\SysWOW64\Bphgoe32.exe Bkkofn32.exe File opened for modification C:\Windows\SysWOW64\Djckiapl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nqdlpmce.exe Nkhdgfen.exe File opened for modification C:\Windows\SysWOW64\Cdfpdc32.exe Bphgoe32.exe File created C:\Windows\SysWOW64\Aiedaoip.dll Ahffqk32.exe File opened for modification C:\Windows\SysWOW64\Ohiefdhd.exe Naaqhlmg.exe File created C:\Windows\SysWOW64\Elmoqj32.dll Jnnnfalp.exe File created C:\Windows\SysWOW64\Ckmpakdh.dll Nchhfild.exe File created C:\Windows\SysWOW64\Emkeho32.exe Efamkepl.exe File created C:\Windows\SysWOW64\Ddifaqcn.exe Dolmijef.exe File opened for modification C:\Windows\SysWOW64\Ijmhdi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eglkmh32.exe Emfgpo32.exe File created C:\Windows\SysWOW64\Jimedokp.dll Dhcdnq32.exe File opened for modification C:\Windows\SysWOW64\Nimioo32.exe Nlihek32.exe File created C:\Windows\SysWOW64\Djijkocc.dll Process not Found File created C:\Windows\SysWOW64\Mlemcq32.exe Lamlphoo.exe File opened for modification C:\Windows\SysWOW64\Cjcmognb.exe Bmomecoi.exe File created C:\Windows\SysWOW64\Bkkinj32.dll Oplfekdp.exe File created C:\Windows\SysWOW64\Lchood32.dll Cpmqoqbp.exe File created C:\Windows\SysWOW64\Aljhbm32.dll Ibadoc32.exe File created C:\Windows\SysWOW64\Hkibcg32.dll Gnppbapl.exe File opened for modification C:\Windows\SysWOW64\Kdjhkp32.exe Kceoppmo.exe File opened for modification C:\Windows\SysWOW64\Ljmmnf32.exe Kilpgnfi.exe File created C:\Windows\SysWOW64\Eekpll32.dll Ohkbldfa.exe File created C:\Windows\SysWOW64\Emhngp32.dll Imfill32.exe File opened for modification C:\Windows\SysWOW64\Hjmomkll.exe Process not Found File created C:\Windows\SysWOW64\Helkdnaj.exe Ghohdk32.exe File opened for modification C:\Windows\SysWOW64\Mcgbfcij.exe Mnjjmmkc.exe File created C:\Windows\SysWOW64\Mndapl32.exe Mmdefi32.exe File opened for modification C:\Windows\SysWOW64\Jalakeme.exe Jkbhok32.exe File created C:\Windows\SysWOW64\Ifehfoed.dll Eilomd32.exe File created C:\Windows\SysWOW64\Jgeihjcb.dll Olfolp32.exe File opened for modification C:\Windows\SysWOW64\Mbgjlq32.exe Mlmbofdh.exe File opened for modification C:\Windows\SysWOW64\Pogpcghp.exe Peokkbao.exe File opened for modification C:\Windows\SysWOW64\Hhfplejl.exe Hbihdn32.exe File opened for modification C:\Windows\SysWOW64\Mledgm32.exe Process not Found File created C:\Windows\SysWOW64\Ccmcaicm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Omalpc32.exe Ooibkpmi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqochl32.dll" Bhppap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncfmhecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjpfc32.dll" Hhbbmjne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcffoben.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkfkng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcmopeae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnfngkm.dll" Gmndjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpacqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liioop32.dll" Kbpkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjokpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpoljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkllbpl.dll" Aopmpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poelfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbdbck32.dll" Cmflkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dajnol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alioloje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll" Cpacqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnghhqdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dldpde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnmjkahi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Negoaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aehpof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeiooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnaacjha.dll" Icalij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopajmkk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqheglcj.dll" Bjeckojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgcang32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqmnpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhmfcc32.dll" Ongpeejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmagbaih.dll" Ofgmdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffjignde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpfkiepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjmcb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqbeoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dimcppgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjakmcg.dll" Kmjinjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaafqjcd.dll" Bfkkhdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfilee32.dll" Ffqhmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnlmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcbfmomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnglia32.dll" Ebnddn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gklnem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhifib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlcmi32.dll" Kqnbea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhaeli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkggfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldecp32.dll" Jamafidm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmpnqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qomhogfn.dll" Fbkdjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqomdppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgngkmkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipcakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gienbe32.dll" Fckhnaab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npkmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhkn32.dll" Baojkdqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laofhbmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgbhbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edakimoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggldde32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 4656 5076 deb030b43410a8d2abe44a309fc96c20_NeikiAnalytics.exe 90 PID 5076 wrote to memory of 4656 5076 deb030b43410a8d2abe44a309fc96c20_NeikiAnalytics.exe 90 PID 5076 wrote to memory of 4656 5076 deb030b43410a8d2abe44a309fc96c20_NeikiAnalytics.exe 90 PID 4656 wrote to memory of 4920 4656 Ooibkpmi.exe 91 PID 4656 wrote to memory of 4920 4656 Ooibkpmi.exe 91 PID 4656 wrote to memory of 4920 4656 Ooibkpmi.exe 91 PID 4920 wrote to memory of 1188 4920 Omalpc32.exe 92 PID 4920 wrote to memory of 1188 4920 Omalpc32.exe 92 PID 4920 wrote to memory of 1188 4920 Omalpc32.exe 92 PID 1188 wrote to memory of 3840 1188 Omdieb32.exe 93 PID 1188 wrote to memory of 3840 1188 Omdieb32.exe 93 PID 1188 wrote to memory of 3840 1188 Omdieb32.exe 93 PID 3840 wrote to memory of 3700 3840 Pfagighf.exe 94 PID 3840 wrote to memory of 3700 3840 Pfagighf.exe 94 PID 3840 wrote to memory of 3700 3840 Pfagighf.exe 94 PID 3700 wrote to memory of 3628 3700 Pfccogfc.exe 95 PID 3700 wrote to memory of 3628 3700 Pfccogfc.exe 95 PID 3700 wrote to memory of 3628 3700 Pfccogfc.exe 95 PID 3628 wrote to memory of 3000 3628 Pidlqb32.exe 96 PID 3628 wrote to memory of 3000 3628 Pidlqb32.exe 96 PID 3628 wrote to memory of 3000 3628 Pidlqb32.exe 96 PID 3000 wrote to memory of 488 3000 Qclmck32.exe 97 PID 3000 wrote to memory of 488 3000 Qclmck32.exe 97 PID 3000 wrote to memory of 488 3000 Qclmck32.exe 97 PID 488 wrote to memory of 2808 488 Amfobp32.exe 98 PID 488 wrote to memory of 2808 488 Amfobp32.exe 98 PID 488 wrote to memory of 2808 488 Amfobp32.exe 98 PID 2808 wrote to memory of 1304 2808 Abfdpfaj.exe 99 PID 2808 wrote to memory of 1304 2808 Abfdpfaj.exe 99 PID 2808 wrote to memory of 1304 2808 Abfdpfaj.exe 99 PID 1304 wrote to memory of 5004 1304 Aibibp32.exe 100 PID 1304 wrote to memory of 5004 1304 Aibibp32.exe 100 PID 1304 wrote to memory of 5004 1304 Aibibp32.exe 100 PID 5004 wrote to memory of 2656 5004 Aalmimfd.exe 101 PID 5004 wrote to memory of 2656 5004 Aalmimfd.exe 101 PID 5004 wrote to memory of 2656 5004 Aalmimfd.exe 101 PID 2656 wrote to memory of 3348 2656 Bdapehop.exe 102 PID 2656 wrote to memory of 3348 2656 Bdapehop.exe 102 PID 2656 wrote to memory of 3348 2656 Bdapehop.exe 102 PID 3348 wrote to memory of 3976 3348 Bipecnkd.exe 103 PID 3348 wrote to memory of 3976 3348 Bipecnkd.exe 103 PID 3348 wrote to memory of 3976 3348 Bipecnkd.exe 103 PID 3976 wrote to memory of 1084 3976 Cmpjoloh.exe 104 PID 3976 wrote to memory of 1084 3976 Cmpjoloh.exe 104 PID 3976 wrote to memory of 1084 3976 Cmpjoloh.exe 104 PID 1084 wrote to memory of 2568 1084 Cpacqg32.exe 105 PID 1084 wrote to memory of 2568 1084 Cpacqg32.exe 105 PID 1084 wrote to memory of 2568 1084 Cpacqg32.exe 105 PID 2568 wrote to memory of 2948 2568 Cacmpj32.exe 106 PID 2568 wrote to memory of 2948 2568 Cacmpj32.exe 106 PID 2568 wrote to memory of 2948 2568 Cacmpj32.exe 106 PID 2948 wrote to memory of 976 2948 Dknnoofg.exe 107 PID 2948 wrote to memory of 976 2948 Dknnoofg.exe 107 PID 2948 wrote to memory of 976 2948 Dknnoofg.exe 107 PID 976 wrote to memory of 2960 976 Egkddo32.exe 108 PID 976 wrote to memory of 2960 976 Egkddo32.exe 108 PID 976 wrote to memory of 2960 976 Egkddo32.exe 108 PID 2960 wrote to memory of 3452 2960 Eaceghcg.exe 109 PID 2960 wrote to memory of 3452 2960 Eaceghcg.exe 109 PID 2960 wrote to memory of 3452 2960 Eaceghcg.exe 109 PID 3452 wrote to memory of 4532 3452 Famhmfkl.exe 110 PID 3452 wrote to memory of 4532 3452 Famhmfkl.exe 110 PID 3452 wrote to memory of 4532 3452 Famhmfkl.exe 110 PID 4532 wrote to memory of 4992 4532 Fqbeoc32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\deb030b43410a8d2abe44a309fc96c20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\deb030b43410a8d2abe44a309fc96c20_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Ooibkpmi.exeC:\Windows\system32\Ooibkpmi.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Omdieb32.exeC:\Windows\system32\Omdieb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Pfagighf.exeC:\Windows\system32\Pfagighf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Pidlqb32.exeC:\Windows\system32\Pidlqb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Qclmck32.exeC:\Windows\system32\Qclmck32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Amfobp32.exeC:\Windows\system32\Amfobp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:488 -
C:\Windows\SysWOW64\Abfdpfaj.exeC:\Windows\system32\Abfdpfaj.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Aibibp32.exeC:\Windows\system32\Aibibp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Aalmimfd.exeC:\Windows\system32\Aalmimfd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Bdapehop.exeC:\Windows\system32\Bdapehop.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Bipecnkd.exeC:\Windows\system32\Bipecnkd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Cpacqg32.exeC:\Windows\system32\Cpacqg32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Cacmpj32.exeC:\Windows\system32\Cacmpj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Egkddo32.exeC:\Windows\system32\Egkddo32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Famhmfkl.exeC:\Windows\system32\Famhmfkl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Fqbeoc32.exeC:\Windows\system32\Fqbeoc32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe23⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Hbknebqi.exeC:\Windows\system32\Hbknebqi.exe24⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe25⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe26⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5104 -
C:\Windows\SysWOW64\Jacpcl32.exeC:\Windows\system32\Jacpcl32.exe28⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe29⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe30⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe31⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Lkqgno32.exeC:\Windows\system32\Lkqgno32.exe32⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Lamlphoo.exeC:\Windows\system32\Lamlphoo.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4404 -
C:\Windows\SysWOW64\Mlemcq32.exeC:\Windows\system32\Mlemcq32.exe34⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Memalfcb.exeC:\Windows\system32\Memalfcb.exe35⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe36⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe38⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Nofoki32.exeC:\Windows\system32\Nofoki32.exe40⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe41⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe42⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe44⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe45⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe46⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe47⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe49⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe50⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Bcicjbal.exeC:\Windows\system32\Bcicjbal.exe51⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe52⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe53⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe54⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe55⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Dmkcpdao.exeC:\Windows\system32\Dmkcpdao.exe56⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Dmbiackg.exeC:\Windows\system32\Dmbiackg.exe57⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Edfddl32.exeC:\Windows\system32\Edfddl32.exe59⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Flaiho32.exeC:\Windows\system32\Flaiho32.exe60⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Fdogjk32.exeC:\Windows\system32\Fdogjk32.exe61⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Fdadpk32.exeC:\Windows\system32\Fdadpk32.exe62⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Gnlenp32.exeC:\Windows\system32\Gnlenp32.exe63⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Gqmnpk32.exeC:\Windows\system32\Gqmnpk32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3468 -
C:\Windows\SysWOW64\Gjhonp32.exeC:\Windows\system32\Gjhonp32.exe65⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Hnehdo32.exeC:\Windows\system32\Hnehdo32.exe66⤵PID:1376
-
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe67⤵PID:4368
-
C:\Windows\SysWOW64\Hfcinq32.exeC:\Windows\system32\Hfcinq32.exe68⤵PID:984
-
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe69⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Hnokjm32.exeC:\Windows\system32\Hnokjm32.exe70⤵PID:3492
-
C:\Windows\SysWOW64\Iqbpahpc.exeC:\Windows\system32\Iqbpahpc.exe71⤵PID:4388
-
C:\Windows\SysWOW64\Imiagi32.exeC:\Windows\system32\Imiagi32.exe72⤵PID:1828
-
C:\Windows\SysWOW64\Iedbcebd.exeC:\Windows\system32\Iedbcebd.exe73⤵PID:2144
-
C:\Windows\SysWOW64\Jfhlpnfp.exeC:\Windows\system32\Jfhlpnfp.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Jfkhfmdm.exeC:\Windows\system32\Jfkhfmdm.exe75⤵PID:1104
-
C:\Windows\SysWOW64\Kccbjq32.exeC:\Windows\system32\Kccbjq32.exe76⤵PID:4040
-
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe77⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe78⤵PID:5172
-
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe79⤵PID:5212
-
C:\Windows\SysWOW64\Lmgfod32.exeC:\Windows\system32\Lmgfod32.exe80⤵PID:5252
-
C:\Windows\SysWOW64\Lokldg32.exeC:\Windows\system32\Lokldg32.exe81⤵PID:5292
-
C:\Windows\SysWOW64\Loniiflo.exeC:\Windows\system32\Loniiflo.exe82⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5384 -
C:\Windows\SysWOW64\Mknlef32.exeC:\Windows\system32\Mknlef32.exe84⤵PID:5432
-
C:\Windows\SysWOW64\Nkgoke32.exeC:\Windows\system32\Nkgoke32.exe85⤵PID:5476
-
C:\Windows\SysWOW64\Nemchn32.exeC:\Windows\system32\Nemchn32.exe86⤵PID:5536
-
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe87⤵PID:5596
-
C:\Windows\SysWOW64\Poagma32.exeC:\Windows\system32\Poagma32.exe88⤵PID:5636
-
C:\Windows\SysWOW64\Pdnpeh32.exeC:\Windows\system32\Pdnpeh32.exe89⤵PID:5696
-
C:\Windows\SysWOW64\Phlikg32.exeC:\Windows\system32\Phlikg32.exe90⤵PID:5740
-
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe91⤵PID:5788
-
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe92⤵PID:5852
-
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe93⤵PID:5892
-
C:\Windows\SysWOW64\Bbniai32.exeC:\Windows\system32\Bbniai32.exe94⤵PID:5940
-
C:\Windows\SysWOW64\Bkfmjnii.exeC:\Windows\system32\Bkfmjnii.exe95⤵PID:5984
-
C:\Windows\SysWOW64\Bpdfpmoo.exeC:\Windows\system32\Bpdfpmoo.exe96⤵PID:6032
-
C:\Windows\SysWOW64\Ciogobcm.exeC:\Windows\system32\Ciogobcm.exe97⤵PID:6076
-
C:\Windows\SysWOW64\Cpipkl32.exeC:\Windows\system32\Cpipkl32.exe98⤵PID:6120
-
C:\Windows\SysWOW64\Ceehcc32.exeC:\Windows\system32\Ceehcc32.exe99⤵PID:5124
-
C:\Windows\SysWOW64\Cifmoa32.exeC:\Windows\system32\Cifmoa32.exe100⤵PID:5188
-
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe101⤵PID:5272
-
C:\Windows\SysWOW64\Cfjnhe32.exeC:\Windows\system32\Cfjnhe32.exe102⤵PID:5380
-
C:\Windows\SysWOW64\Dimcppgm.exeC:\Windows\system32\Dimcppgm.exe103⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Dfqdid32.exeC:\Windows\system32\Dfqdid32.exe104⤵PID:5520
-
C:\Windows\SysWOW64\Dolinf32.exeC:\Windows\system32\Dolinf32.exe105⤵PID:5568
-
C:\Windows\SysWOW64\Donecfao.exeC:\Windows\system32\Donecfao.exe106⤵PID:816
-
C:\Windows\SysWOW64\Dlbfmjqi.exeC:\Windows\system32\Dlbfmjqi.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4376 -
C:\Windows\SysWOW64\Eppobi32.exeC:\Windows\system32\Eppobi32.exe108⤵PID:5732
-
C:\Windows\SysWOW64\Elgohj32.exeC:\Windows\system32\Elgohj32.exe109⤵PID:5776
-
C:\Windows\SysWOW64\Eojeodga.exeC:\Windows\system32\Eojeodga.exe110⤵PID:5876
-
C:\Windows\SysWOW64\Flekihpc.exeC:\Windows\system32\Flekihpc.exe111⤵PID:5936
-
C:\Windows\SysWOW64\Fpcdof32.exeC:\Windows\system32\Fpcdof32.exe112⤵PID:6028
-
C:\Windows\SysWOW64\Gchflq32.exeC:\Windows\system32\Gchflq32.exe113⤵PID:6100
-
C:\Windows\SysWOW64\Ghjhofjg.exeC:\Windows\system32\Ghjhofjg.exe114⤵PID:3296
-
C:\Windows\SysWOW64\Hfpenj32.exeC:\Windows\system32\Hfpenj32.exe115⤵PID:5232
-
C:\Windows\SysWOW64\Hgpbhmna.exeC:\Windows\system32\Hgpbhmna.exe116⤵PID:5360
-
C:\Windows\SysWOW64\Imcqacfq.exeC:\Windows\system32\Imcqacfq.exe117⤵PID:5548
-
C:\Windows\SysWOW64\Jginej32.exeC:\Windows\system32\Jginej32.exe118⤵PID:4348
-
C:\Windows\SysWOW64\Jcpojk32.exeC:\Windows\system32\Jcpojk32.exe119⤵PID:5748
-
C:\Windows\SysWOW64\Kpgoolbl.exeC:\Windows\system32\Kpgoolbl.exe120⤵PID:4220
-
C:\Windows\SysWOW64\Kmpido32.exeC:\Windows\system32\Kmpido32.exe121⤵PID:5928
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-