Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16/05/2024, 20:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
24e16063ea1eafcb9846b7f7b6927252_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
24e16063ea1eafcb9846b7f7b6927252_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
24e16063ea1eafcb9846b7f7b6927252_NeikiAnalytics.exe
-
Size
264KB
-
MD5
24e16063ea1eafcb9846b7f7b6927252
-
SHA1
ee001d1432d7f8c38584a23a9aa23822590b6531
-
SHA256
7d18eb78272ac39903de686686100c0e10aee9e03b1e452a0c8d34c33e5ca916
-
SHA512
069134380ea40936d1fe0ec044e3a1f1f5a7097daebf2a68d35922e633f537b3563632ff45e768644b7155e59157ee46dc703500da4da120ff24cce2c571376f
-
SSDEEP
3072:zltob4HJj24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mtye3lFDrFDs:fo4HJosFj5tPNki9HZd1sFj5tw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbkhhel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbnjcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elilmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgpobmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egbdjhlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Algiaepd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghgbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiheheka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmbqdfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obphenpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehfcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdnne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efopjbjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcdfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbknebqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldccid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbiphhhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fochecog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgedjjki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcemmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pekkhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpchaqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foplnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnppkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iolfmcbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jolodqcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejdhcjpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paqebike.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggmmlamj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncdobq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chkjpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nidhffef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Begcjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohkinob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhbbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqpbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmebpbod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgodjiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjeiai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcpjnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadcfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqbagd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgpeha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opgloh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pecpknke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojqjdbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpedckdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmkdeaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnbnjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paaidf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlnfkgho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjfdfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blknpdho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdmfcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbibeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhlhcl32.exe -
Executes dropped EXE 64 IoCs
pid Process 4840 Coqncejg.exe 1612 Dojqjdbl.exe 3496 Dakikoom.exe 3472 Ddkbmj32.exe 4088 Enpfan32.exe 3512 Fgoakc32.exe 2160 Gbiockdj.exe 1584 Gbnhoj32.exe 2928 Ggmmlamj.exe 1156 Hlblcn32.exe 2624 Ibgdlg32.exe 2336 Iehmmb32.exe 2552 Kcjjhdjb.exe 3200 Koajmepf.exe 3244 Kcapicdj.exe 4784 Lcfidb32.exe 4356 Lhenai32.exe 4432 Lhgkgijg.exe 4940 Mfnhfm32.exe 2868 Mbgeqmjp.exe 1616 Mhckcgpj.exe 1812 Nbnlaldg.exe 2904 Nbbeml32.exe 2660 Oblhcj32.exe 2052 Ocnabm32.exe 2348 Pjjfdfbb.exe 4788 Piocecgj.exe 3832 Pbjddh32.exe 2184 Qfjjpf32.exe 1988 Abcgjg32.exe 2296 Adgmoigj.exe 3540 Bboffejp.exe 4560 Bmggingc.exe 832 Cpogkhnl.exe 2936 Cmedjl32.exe 4612 Cmgqpkip.exe 864 Dgpeha32.exe 3308 Daeifj32.exe 3776 Dpjfgf32.exe 3860 Ddhomdje.exe 2192 Djegekil.exe 3148 Dgihop32.exe 2404 Dcphdqmj.exe 2664 Edoencdm.exe 4916 Ekimjn32.exe 4644 Epffbd32.exe 3380 Ephbhd32.exe 1576 Eahobg32.exe 4536 Egegjn32.exe 2888 Edihdb32.exe 3940 Fcneeo32.exe 4252 Fncibg32.exe 444 Fglnkm32.exe 3968 Fdpnda32.exe 1656 Fbdnne32.exe 876 Fgqgfl32.exe 4404 Ggccllai.exe 232 Gcjdam32.exe 3396 Gclafmej.exe 4908 Ggjjlk32.exe 1788 Gdnjfojj.exe 4728 Gkhbbi32.exe 1624 Hbdgec32.exe 4188 Haidfpki.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iabglnco.exe Hnbnjc32.exe File created C:\Windows\SysWOW64\Defheg32.exe Dpjompqc.exe File opened for modification C:\Windows\SysWOW64\Ghqeihbb.exe Gohapb32.exe File created C:\Windows\SysWOW64\Ogfihhjf.dll Ejgdim32.exe File created C:\Windows\SysWOW64\Qjcdih32.exe Qpkppbho.exe File created C:\Windows\SysWOW64\Plbfohbl.exe Olpjii32.exe File created C:\Windows\SysWOW64\Hfkdkqeo.exe Hnpognhd.exe File created C:\Windows\SysWOW64\Odipjk32.dll Phkmoc32.exe File created C:\Windows\SysWOW64\Fpoaom32.exe Fckaeioa.exe File opened for modification C:\Windows\SysWOW64\Hmjmnpmb.exe Hdahek32.exe File created C:\Windows\SysWOW64\Pbokab32.exe Pekkhn32.exe File created C:\Windows\SysWOW64\Bdbiml32.dll Oilmhhfd.exe File created C:\Windows\SysWOW64\Kkkdjcjb.exe Kmgdaokh.exe File created C:\Windows\SysWOW64\Madbpi32.dll Lcpledob.exe File created C:\Windows\SysWOW64\Lcoeiajc.dll Pcbdcf32.exe File created C:\Windows\SysWOW64\Bgbmqpej.dll Nidhffef.exe File created C:\Windows\SysWOW64\Cicqja32.exe Chddpn32.exe File created C:\Windows\SysWOW64\Hfncib32.dll Agikne32.exe File opened for modification C:\Windows\SysWOW64\Mgidgakk.exe Mallojmd.exe File opened for modification C:\Windows\SysWOW64\Fjlpbb32.exe Fpckjlje.exe File opened for modification C:\Windows\SysWOW64\Ppffec32.exe Pgnblm32.exe File created C:\Windows\SysWOW64\Jhdcmf32.exe Jolodqcp.exe File created C:\Windows\SysWOW64\Oelhljaq.exe Oghgbe32.exe File created C:\Windows\SysWOW64\Bamfhjof.dll Obgofmjb.exe File created C:\Windows\SysWOW64\Gqdbbelf.exe Gfnnel32.exe File created C:\Windows\SysWOW64\Pcdqhecd.exe Pecpknke.exe File created C:\Windows\SysWOW64\Ghollnfk.dll Eliecc32.exe File opened for modification C:\Windows\SysWOW64\Jhejgl32.exe Jbkbkbfo.exe File created C:\Windows\SysWOW64\Ddfhqcqb.dll Bkbcpb32.exe File created C:\Windows\SysWOW64\Pohilc32.exe Poelfc32.exe File created C:\Windows\SysWOW64\Klohlg32.dll Enfcjb32.exe File created C:\Windows\SysWOW64\Gfmmle32.dll Eqopqh32.exe File opened for modification C:\Windows\SysWOW64\Iqbpahpc.exe Idkpmgjo.exe File opened for modification C:\Windows\SysWOW64\Feifgnki.exe Fgcjea32.exe File created C:\Windows\SysWOW64\Onimmoeg.dll Imjgbb32.exe File created C:\Windows\SysWOW64\Apjppniq.dll Dnnoip32.exe File created C:\Windows\SysWOW64\Pcaoahio.exe Pgknlg32.exe File opened for modification C:\Windows\SysWOW64\Apobakpn.exe Agfnhf32.exe File created C:\Windows\SysWOW64\Gbiockdj.exe Fgoakc32.exe File opened for modification C:\Windows\SysWOW64\Fglnkm32.exe Fncibg32.exe File opened for modification C:\Windows\SysWOW64\Aaofedkl.exe Qjeaog32.exe File created C:\Windows\SysWOW64\Hhjqec32.exe Hfkdkqeo.exe File created C:\Windows\SysWOW64\Ijedehgm.exe Icklhnop.exe File opened for modification C:\Windows\SysWOW64\Bgodjiio.exe Bkhceh32.exe File opened for modification C:\Windows\SysWOW64\Lflpmn32.exe Lobhqdec.exe File opened for modification C:\Windows\SysWOW64\Hpnhoqmi.exe Hidpbf32.exe File opened for modification C:\Windows\SysWOW64\Kgkooeen.exe Kanffogf.exe File opened for modification C:\Windows\SysWOW64\Cpedckdl.exe Cadcfd32.exe File opened for modification C:\Windows\SysWOW64\Ekimjn32.exe Edoencdm.exe File created C:\Windows\SysWOW64\Egjmiege.dll Meoggpmd.exe File created C:\Windows\SysWOW64\Oenfbj32.dll Mikepg32.exe File created C:\Windows\SysWOW64\Ejdhcjpl.exe Djalnkbo.exe File created C:\Windows\SysWOW64\Onkhgheg.dll Kojkeogp.exe File created C:\Windows\SysWOW64\Begcjjql.exe Bmlofhca.exe File opened for modification C:\Windows\SysWOW64\Pcfmneaa.exe Piaiqlak.exe File created C:\Windows\SysWOW64\Emioab32.exe Edakimoo.exe File created C:\Windows\SysWOW64\Gdfcgdbc.dll Ifaepolg.exe File opened for modification C:\Windows\SysWOW64\Cklffq32.exe Cnhell32.exe File opened for modification C:\Windows\SysWOW64\Ekcemmgo.exe Ejdhcjpl.exe File created C:\Windows\SysWOW64\Imabnofj.exe Ilpfgg32.exe File created C:\Windows\SysWOW64\Egmjpi32.exe Emeffcid.exe File opened for modification C:\Windows\SysWOW64\Nhicoi32.exe Nhffijdm.exe File opened for modification C:\Windows\SysWOW64\Akjnnpcf.exe Aocmio32.exe File created C:\Windows\SysWOW64\Hahlnefd.exe Hhpheo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9956 9600 WerFault.exe 883 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqhali32.dll" Laeoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odifjipd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgagnd32.dll" Ijgjpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmmohcf.dll" Nmajbnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmkdeaee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmebpbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icklhnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icminm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaohkjak.dll" Ajjjjghg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbgeqmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjjjghg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhgjcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibdlc32.dll" Hhiaepfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofooqinh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maefnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mknjgajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhpmopi.dll" Fbdnne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlifnphl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akjnnpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhfcek32.dll" Jgedjjki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmkpipaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkeakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqccqo32.dll" Hadcce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lihpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcpibgf.dll" Jknfnbmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofienka.dll" Jmgkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oblhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koeajo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmlhpaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdggnfj.dll" Cebllbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejcm32.dll" Ebifha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll" Qfjjpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbdgec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmagch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhadgmge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhffijdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdnjd32.dll" Akjnnpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahkkhnpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aniqpe32.dll" Olpjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enfcjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgpeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmdfcmid.dll" Llmbqdfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcepnl32.dll" Gceaofmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqjnmoo.dll" Jopaejlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 24e16063ea1eafcb9846b7f7b6927252_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jghlgd32.dll" Njacikbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dedkogqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhgjcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbcabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmnmbbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpecpjb.dll" Haobnpkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbofdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqbpahpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhadgmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkcdfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmelh32.dll" Kfbfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laffpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmbebgo.dll" Jeilne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgonpaol.dll" Iefedcmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcdakd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcneeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meoggpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gplged32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2432 wrote to memory of 4840 2432 24e16063ea1eafcb9846b7f7b6927252_NeikiAnalytics.exe 91 PID 2432 wrote to memory of 4840 2432 24e16063ea1eafcb9846b7f7b6927252_NeikiAnalytics.exe 91 PID 2432 wrote to memory of 4840 2432 24e16063ea1eafcb9846b7f7b6927252_NeikiAnalytics.exe 91 PID 4840 wrote to memory of 1612 4840 Coqncejg.exe 92 PID 4840 wrote to memory of 1612 4840 Coqncejg.exe 92 PID 4840 wrote to memory of 1612 4840 Coqncejg.exe 92 PID 1612 wrote to memory of 3496 1612 Dojqjdbl.exe 93 PID 1612 wrote to memory of 3496 1612 Dojqjdbl.exe 93 PID 1612 wrote to memory of 3496 1612 Dojqjdbl.exe 93 PID 3496 wrote to memory of 3472 3496 Dakikoom.exe 94 PID 3496 wrote to memory of 3472 3496 Dakikoom.exe 94 PID 3496 wrote to memory of 3472 3496 Dakikoom.exe 94 PID 3472 wrote to memory of 4088 3472 Ddkbmj32.exe 95 PID 3472 wrote to memory of 4088 3472 Ddkbmj32.exe 95 PID 3472 wrote to memory of 4088 3472 Ddkbmj32.exe 95 PID 4088 wrote to memory of 3512 4088 Enpfan32.exe 96 PID 4088 wrote to memory of 3512 4088 Enpfan32.exe 96 PID 4088 wrote to memory of 3512 4088 Enpfan32.exe 96 PID 3512 wrote to memory of 2160 3512 Fgoakc32.exe 97 PID 3512 wrote to memory of 2160 3512 Fgoakc32.exe 97 PID 3512 wrote to memory of 2160 3512 Fgoakc32.exe 97 PID 2160 wrote to memory of 1584 2160 Gbiockdj.exe 98 PID 2160 wrote to memory of 1584 2160 Gbiockdj.exe 98 PID 2160 wrote to memory of 1584 2160 Gbiockdj.exe 98 PID 1584 wrote to memory of 2928 1584 Gbnhoj32.exe 99 PID 1584 wrote to memory of 2928 1584 Gbnhoj32.exe 99 PID 1584 wrote to memory of 2928 1584 Gbnhoj32.exe 99 PID 2928 wrote to memory of 1156 2928 Ggmmlamj.exe 100 PID 2928 wrote to memory of 1156 2928 Ggmmlamj.exe 100 PID 2928 wrote to memory of 1156 2928 Ggmmlamj.exe 100 PID 1156 wrote to memory of 2624 1156 Hlblcn32.exe 101 PID 1156 wrote to memory of 2624 1156 Hlblcn32.exe 101 PID 1156 wrote to memory of 2624 1156 Hlblcn32.exe 101 PID 2624 wrote to memory of 2336 2624 Ibgdlg32.exe 102 PID 2624 wrote to memory of 2336 2624 Ibgdlg32.exe 102 PID 2624 wrote to memory of 2336 2624 Ibgdlg32.exe 102 PID 2336 wrote to memory of 2552 2336 Iehmmb32.exe 103 PID 2336 wrote to memory of 2552 2336 Iehmmb32.exe 103 PID 2336 wrote to memory of 2552 2336 Iehmmb32.exe 103 PID 2552 wrote to memory of 3200 2552 Kcjjhdjb.exe 104 PID 2552 wrote to memory of 3200 2552 Kcjjhdjb.exe 104 PID 2552 wrote to memory of 3200 2552 Kcjjhdjb.exe 104 PID 3200 wrote to memory of 3244 3200 Koajmepf.exe 105 PID 3200 wrote to memory of 3244 3200 Koajmepf.exe 105 PID 3200 wrote to memory of 3244 3200 Koajmepf.exe 105 PID 3244 wrote to memory of 4784 3244 Kcapicdj.exe 106 PID 3244 wrote to memory of 4784 3244 Kcapicdj.exe 106 PID 3244 wrote to memory of 4784 3244 Kcapicdj.exe 106 PID 4784 wrote to memory of 4356 4784 Lcfidb32.exe 107 PID 4784 wrote to memory of 4356 4784 Lcfidb32.exe 107 PID 4784 wrote to memory of 4356 4784 Lcfidb32.exe 107 PID 4356 wrote to memory of 4432 4356 Lhenai32.exe 108 PID 4356 wrote to memory of 4432 4356 Lhenai32.exe 108 PID 4356 wrote to memory of 4432 4356 Lhenai32.exe 108 PID 4432 wrote to memory of 4940 4432 Lhgkgijg.exe 109 PID 4432 wrote to memory of 4940 4432 Lhgkgijg.exe 109 PID 4432 wrote to memory of 4940 4432 Lhgkgijg.exe 109 PID 4940 wrote to memory of 2868 4940 Mfnhfm32.exe 110 PID 4940 wrote to memory of 2868 4940 Mfnhfm32.exe 110 PID 4940 wrote to memory of 2868 4940 Mfnhfm32.exe 110 PID 2868 wrote to memory of 1616 2868 Mbgeqmjp.exe 111 PID 2868 wrote to memory of 1616 2868 Mbgeqmjp.exe 111 PID 2868 wrote to memory of 1616 2868 Mbgeqmjp.exe 111 PID 1616 wrote to memory of 1812 1616 Mhckcgpj.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\24e16063ea1eafcb9846b7f7b6927252_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\24e16063ea1eafcb9846b7f7b6927252_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Coqncejg.exeC:\Windows\system32\Coqncejg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Gbiockdj.exeC:\Windows\system32\Gbiockdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Ggmmlamj.exeC:\Windows\system32\Ggmmlamj.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Hlblcn32.exeC:\Windows\system32\Hlblcn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Koajmepf.exeC:\Windows\system32\Koajmepf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Kcapicdj.exeC:\Windows\system32\Kcapicdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Lcfidb32.exeC:\Windows\system32\Lcfidb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Lhenai32.exeC:\Windows\system32\Lhenai32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Lhgkgijg.exeC:\Windows\system32\Lhgkgijg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Mfnhfm32.exeC:\Windows\system32\Mfnhfm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Mbgeqmjp.exeC:\Windows\system32\Mbgeqmjp.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Mhckcgpj.exeC:\Windows\system32\Mhckcgpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe23⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Nbbeml32.exeC:\Windows\system32\Nbbeml32.exe24⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Oblhcj32.exeC:\Windows\system32\Oblhcj32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Ofjqihnn.exeC:\Windows\system32\Ofjqihnn.exe26⤵PID:3424
-
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe27⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe29⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe30⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Qfjjpf32.exeC:\Windows\system32\Qfjjpf32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe32⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe33⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Bboffejp.exeC:\Windows\system32\Bboffejp.exe34⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Bmggingc.exeC:\Windows\system32\Bmggingc.exe35⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Cpogkhnl.exeC:\Windows\system32\Cpogkhnl.exe36⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe37⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe38⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Daeifj32.exeC:\Windows\system32\Daeifj32.exe40⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Dpjfgf32.exeC:\Windows\system32\Dpjfgf32.exe41⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Ddhomdje.exeC:\Windows\system32\Ddhomdje.exe42⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Djegekil.exeC:\Windows\system32\Djegekil.exe43⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Dgihop32.exeC:\Windows\system32\Dgihop32.exe44⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Dcphdqmj.exeC:\Windows\system32\Dcphdqmj.exe45⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Edoencdm.exeC:\Windows\system32\Edoencdm.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ekimjn32.exeC:\Windows\system32\Ekimjn32.exe47⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe48⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Ephbhd32.exeC:\Windows\system32\Ephbhd32.exe49⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Eahobg32.exeC:\Windows\system32\Eahobg32.exe50⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Egegjn32.exeC:\Windows\system32\Egegjn32.exe51⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Edihdb32.exeC:\Windows\system32\Edihdb32.exe52⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Fcneeo32.exeC:\Windows\system32\Fcneeo32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3940 -
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4252 -
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe55⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe56⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Fgqgfl32.exeC:\Windows\system32\Fgqgfl32.exe58⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ggccllai.exeC:\Windows\system32\Ggccllai.exe59⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe60⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Gclafmej.exeC:\Windows\system32\Gclafmej.exe61⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Ggjjlk32.exeC:\Windows\system32\Ggjjlk32.exe62⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe63⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Hbdgec32.exeC:\Windows\system32\Hbdgec32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Haidfpki.exeC:\Windows\system32\Haidfpki.exe66⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe67⤵PID:1168
-
C:\Windows\SysWOW64\Hbknebqi.exeC:\Windows\system32\Hbknebqi.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3672 -
C:\Windows\SysWOW64\Hnbnjc32.exeC:\Windows\system32\Hnbnjc32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe70⤵PID:5052
-
C:\Windows\SysWOW64\Ieqpbm32.exeC:\Windows\system32\Ieqpbm32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe72⤵PID:3696
-
C:\Windows\SysWOW64\Ieeimlep.exeC:\Windows\system32\Ieeimlep.exe73⤵PID:2260
-
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5012 -
C:\Windows\SysWOW64\Jblflp32.exeC:\Windows\system32\Jblflp32.exe75⤵PID:2072
-
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe76⤵PID:2588
-
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe77⤵PID:2680
-
C:\Windows\SysWOW64\Jddiegbm.exeC:\Windows\system32\Jddiegbm.exe78⤵PID:1644
-
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe79⤵PID:1940
-
C:\Windows\SysWOW64\Kdhbpf32.exeC:\Windows\system32\Kdhbpf32.exe80⤵PID:5164
-
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe81⤵PID:5208
-
C:\Windows\SysWOW64\Kblpcndd.exeC:\Windows\system32\Kblpcndd.exe82⤵PID:5248
-
C:\Windows\SysWOW64\Khkdad32.exeC:\Windows\system32\Khkdad32.exe83⤵PID:5296
-
C:\Windows\SysWOW64\Lacijjgi.exeC:\Windows\system32\Lacijjgi.exe84⤵PID:5336
-
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe85⤵
- Modifies registry class
PID:5384 -
C:\Windows\SysWOW64\Lknjhokg.exeC:\Windows\system32\Lknjhokg.exe86⤵PID:5424
-
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe87⤵PID:5468
-
C:\Windows\SysWOW64\Llpchaqg.exeC:\Windows\system32\Llpchaqg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5512 -
C:\Windows\SysWOW64\Mclhjkfa.exeC:\Windows\system32\Mclhjkfa.exe89⤵PID:5556
-
C:\Windows\SysWOW64\Mociol32.exeC:\Windows\system32\Mociol32.exe90⤵PID:5596
-
C:\Windows\SysWOW64\Mlgjhp32.exeC:\Windows\system32\Mlgjhp32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe92⤵
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe93⤵PID:5728
-
C:\Windows\SysWOW64\Mojopk32.exeC:\Windows\system32\Mojopk32.exe94⤵PID:5768
-
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe95⤵PID:5816
-
C:\Windows\SysWOW64\Nefdbekh.exeC:\Windows\system32\Nefdbekh.exe96⤵PID:5856
-
C:\Windows\SysWOW64\Nooikj32.exeC:\Windows\system32\Nooikj32.exe97⤵PID:5900
-
C:\Windows\SysWOW64\Nlcidopb.exeC:\Windows\system32\Nlcidopb.exe98⤵PID:5948
-
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe99⤵PID:5992
-
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe100⤵PID:6036
-
C:\Windows\SysWOW64\Ndpjnq32.exeC:\Windows\system32\Ndpjnq32.exe101⤵PID:6076
-
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe103⤵PID:5136
-
C:\Windows\SysWOW64\Ookhfigk.exeC:\Windows\system32\Ookhfigk.exe104⤵PID:5240
-
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe105⤵PID:5304
-
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe106⤵PID:5412
-
C:\Windows\SysWOW64\Pmeoqlpl.exeC:\Windows\system32\Pmeoqlpl.exe107⤵PID:5544
-
C:\Windows\SysWOW64\Pbbgicnd.exeC:\Windows\system32\Pbbgicnd.exe108⤵PID:5688
-
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5800 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5892 -
C:\Windows\SysWOW64\Pcdqhecd.exeC:\Windows\system32\Pcdqhecd.exe111⤵PID:5984
-
C:\Windows\SysWOW64\Piaiqlak.exeC:\Windows\system32\Piaiqlak.exe112⤵
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe113⤵PID:4708
-
C:\Windows\SysWOW64\Pmoagk32.exeC:\Windows\system32\Pmoagk32.exe114⤵PID:1832
-
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe115⤵PID:5316
-
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe116⤵PID:5528
-
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe117⤵PID:5716
-
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe118⤵PID:5920
-
C:\Windows\SysWOW64\Acbmjcgd.exeC:\Windows\system32\Acbmjcgd.exe119⤵PID:6052
-
C:\Windows\SysWOW64\Aecialmb.exeC:\Windows\system32\Aecialmb.exe120⤵PID:4540
-
C:\Windows\SysWOW64\Almanf32.exeC:\Windows\system32\Almanf32.exe121⤵PID:5380
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-