Analysis
max time kernel: 158s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/05/2024, 19:18
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 2195d09b4f1232ed9a30de75ce489390_NeikiAnalytics.exe
  Resource: win7-20240221-en
  7 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: 2195d09b4f1232ed9a30de75ce489390_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
  6 signatures, 150 seconds
General
Target: 2195d09b4f1232ed9a30de75ce489390_NeikiAnalytics.exe
Size: 397KB
MD5: 2195d09b4f1232ed9a30de75ce489390
SHA1: 82c0226b0350127541aad5757990e5562ff078e8
SHA256: 613fb4e475d4617bed687ab8ba96ae3b08523d84b146b20467cc7a6d39188cad
SHA512: 0582dfb82dac61b59e464a16d854aae564e0c1d23c6f3188465d9195cec62cf2b52c538afcf46c7fe3efa472743e3052b49a0daff843bd57247bc6c77a6ff5e3
SSDEEP: 12288:yoExBBWBBBBBBBBBBBBBBWBBBBBBBjBBBBBgeFB24lwR45FB24lzx1skz15L:ylPLPP1vzf
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 5188 | pid_target: 7296 | Process: WerFault.exe | procid_target: 485
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree, one linear chain: each process spawns the one listed after it (depth is the nesting level in the report, 1 = the submitted sample). Every SysWOW64 entry was logged with the command line C:\Windows\system32\<name>.exe; the image loaded from SysWOW64 because WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit processes. PID 2752 appears twice (Meepoc32.exe at depth 20, Ampkil32.exe at depth 92): the PID was reused during the run, so a PID alone does not identify a process in this report.
Signature key: AUTORUN = Adds autorun key to be loaded by Explorer.exe on startup; DROP = Drops file in System32 directory; EXEC = Executes dropped EXE; REGCLASS = Modifies registry class; WPM = Suspicious use of WriteProcessMemory.

depth | PID | image path | signatures
1 | PID 1500 | C:\Users\Admin\AppData\Local\Temp\2195d09b4f1232ed9a30de75ce489390_NeikiAnalytics.exe (command line "C:\Users\Admin\AppData\Local\Temp\2195d09b4f1232ed9a30de75ce489390_NeikiAnalytics.exe") | WPM
2 | PID 368 | C:\Windows\SysWOW64\Qpmfklbq.exe | EXEC; DROP; WPM
3 | PID 2324 | C:\Windows\SysWOW64\Ckiipa32.exe | AUTORUN; EXEC; WPM
4 | PID 4924 | C:\Windows\SysWOW64\Ccendc32.exe | EXEC; WPM
5 | PID 4564 | C:\Windows\SysWOW64\Cgbfka32.exe | EXEC; WPM
6 | PID 3320 | C:\Windows\SysWOW64\Dnhncjom.exe | AUTORUN; EXEC; WPM
7 | PID 1352 | C:\Windows\SysWOW64\Dgcoaock.exe | EXEC; REGCLASS; WPM
8 | PID 4232 | C:\Windows\SysWOW64\Enoddi32.exe | EXEC; DROP; WPM
9 | PID 2444 | C:\Windows\SysWOW64\Egjebn32.exe | EXEC; WPM
10 | PID 4076 | C:\Windows\SysWOW64\Eaegqc32.exe | AUTORUN; EXEC; DROP; WPM
11 | PID 4032 | C:\Windows\SysWOW64\Fegiba32.exe | AUTORUN; EXEC; WPM
12 | PID 2880 | C:\Windows\SysWOW64\Ghadjkhh.exe | EXEC; DROP; WPM
13 | PID 4604 | C:\Windows\SysWOW64\Hklpaeno.exe | EXEC; DROP; WPM
14 | PID 4196 | C:\Windows\SysWOW64\Ioqohb32.exe | AUTORUN; EXEC; WPM
15 | PID 3420 | C:\Windows\SysWOW64\Iacepmik.exe | EXEC; WPM
16 | PID 4348 | C:\Windows\SysWOW64\Jamhflqq.exe | EXEC; WPM
17 | PID 1860 | C:\Windows\SysWOW64\Kkhidaeo.exe | EXEC; WPM
18 | PID 3364 | C:\Windows\SysWOW64\Loodqn32.exe | EXEC; DROP; WPM
19 | PID 8 | C:\Windows\SysWOW64\Lnikmjdm.exe | EXEC; WPM
20 | PID 2752 | C:\Windows\SysWOW64\Meepoc32.exe | EXEC; WPM
21 | PID 5100 | C:\Windows\SysWOW64\Mbpfig32.exe | EXEC; WPM
22 | PID 516 | C:\Windows\SysWOW64\Nfgbec32.exe | EXEC; WPM
23 | PID 3980 | C:\Windows\SysWOW64\Aljefena.exe | EXEC
24 | PID 4644 | C:\Windows\SysWOW64\Egiohh32.exe | EXEC
25 | PID 464 | C:\Windows\SysWOW64\Fnjmea32.exe | AUTORUN; EXEC
26 | PID 940 | C:\Windows\SysWOW64\Gcqhcgqi.exe | AUTORUN; EXEC; DROP
27 | PID 3620 | C:\Windows\SysWOW64\Gpjfng32.exe | EXEC
28 | PID 5108 | C:\Windows\SysWOW64\Hndibn32.exe | EXEC
29 | PID 2060 | C:\Windows\SysWOW64\Ikdlmmbh.exe | EXEC
30 | PID 1004 | C:\Windows\SysWOW64\Iobecl32.exe | EXEC
31 | PID 3784 | C:\Windows\SysWOW64\Jknocljn.exe | EXEC
32 | PID 2864 | C:\Windows\SysWOW64\Knenffqf.exe | EXEC; REGCLASS
33 | PID 924 | C:\Windows\SysWOW64\Kknhjj32.exe | AUTORUN; EXEC; REGCLASS
34 | PID 1392 | C:\Windows\SysWOW64\Loqjlg32.exe | EXEC
35 | PID 3336 | C:\Windows\SysWOW64\Lnhdbc32.exe | EXEC
36 | PID 1304 | C:\Windows\SysWOW64\Mkoaagmh.exe | AUTORUN; EXEC
37 | PID 3696 | C:\Windows\SysWOW64\Mnaghb32.exe | EXEC; REGCLASS
38 | PID 4456 | C:\Windows\SysWOW64\Obdbqm32.exe | AUTORUN; EXEC
39 | PID 1908 | C:\Windows\SysWOW64\Peajngoi.exe | EXEC; DROP
40 | PID 4040 | C:\Windows\SysWOW64\Cebllbcc.exe | AUTORUN; EXEC
41 | PID 2108 | C:\Windows\SysWOW64\Dabpgbpm.exe | EXEC
42 | PID 3896 | C:\Windows\SysWOW64\Fjlmdmqj.exe | EXEC
43 | PID 808 | C:\Windows\SysWOW64\Fmmffhnk.exe | AUTORUN; EXEC
44 | PID 2540 | C:\Windows\SysWOW64\Gmhfbf32.exe | EXEC
45 | PID 4656 | C:\Windows\SysWOW64\Gfqjkljn.exe | EXEC
46 | PID 4560 | C:\Windows\SysWOW64\Hfjmajbc.exe | EXEC; DROP
47 | PID 752 | C:\Windows\SysWOW64\Hbcklkee.exe | EXEC
48 | PID 4176 | C:\Windows\SysWOW64\Hfacai32.exe | EXEC
49 | PID 2196 | C:\Windows\SysWOW64\Jjoeoedo.exe | EXEC
50 | PID 5016 | C:\Windows\SysWOW64\Kanffogf.exe | EXEC
51 | PID 2988 | C:\Windows\SysWOW64\Kdophj32.exe | EXEC
52 | PID 1468 | C:\Windows\SysWOW64\Kgbepdpf.exe | EXEC; REGCLASS
53 | PID 4528 | C:\Windows\SysWOW64\Lpocciba.exe | EXEC; REGCLASS
54 | PID 3656 | C:\Windows\SysWOW64\Ldmlih32.exe | EXEC
55 | PID 4216 | C:\Windows\SysWOW64\Ldohogfe.exe | EXEC
56 | PID 1792 | C:\Windows\SysWOW64\Lacihleo.exe | EXEC; REGCLASS
57 | PID 4320 | C:\Windows\SysWOW64\Mpmodg32.exe | EXEC
58 | PID 4192 | C:\Windows\SysWOW64\Nnhfokoc.exe | EXEC
59 | PID 4612 | C:\Windows\SysWOW64\Ngbgmpcq.exe | EXEC; DROP
60 | PID 2256 | C:\Windows\SysWOW64\Onceji32.exe | EXEC
61 | PID 3628 | C:\Windows\SysWOW64\Ocqncp32.exe | AUTORUN; EXEC
62 | PID 4792 | C:\Windows\SysWOW64\Pqihgcma.exe | EXEC
63 | PID 4052 | C:\Windows\SysWOW64\Pbhdafdd.exe | EXEC
64 | PID 3048 | C:\Windows\SysWOW64\Pkebekgo.exe | EXEC; REGCLASS
65 | PID 1268 | C:\Windows\SysWOW64\Qgopplkq.exe | EXEC
66 | PID 1652 | C:\Windows\SysWOW64\Bniacddk.exe | none listed
67 | PID 852 | C:\Windows\SysWOW64\Dkjmea32.exe | none listed
68 | PID 4492 | C:\Windows\SysWOW64\Ecjhmm32.exe | REGCLASS
69 | PID 1680 | C:\Windows\SysWOW64\Eekanh32.exe | REGCLASS
70 | PID 3536 | C:\Windows\SysWOW64\Fadoii32.exe | AUTORUN
71 | PID 4464 | C:\Windows\SysWOW64\Fklcbocl.exe | AUTORUN
72 | PID 5044 | C:\Windows\SysWOW64\Flnlaahl.exe | none listed
73 | PID 2996 | C:\Windows\SysWOW64\Fhemfbnq.exe | none listed
74 | PID 884 | C:\Windows\SysWOW64\Goconkah.exe | AUTORUN
75 | PID 2792 | C:\Windows\SysWOW64\Hdgmga32.exe | REGCLASS
76 | PID 2124 | C:\Windows\SysWOW64\Hoonjjgk.exe | none listed
77 | PID 5084 | C:\Windows\SysWOW64\Hmcocn32.exe | none listed
78 | PID 4980 | C:\Windows\SysWOW64\Ifplgc32.exe | REGCLASS
79 | PID 1976 | C:\Windows\SysWOW64\Ikmepj32.exe | REGCLASS
80 | PID 3688 | C:\Windows\SysWOW64\Jpbdfgge.exe | REGCLASS
81 | PID 3976 | C:\Windows\SysWOW64\Jijhom32.exe | none listed
82 | PID 3520 | C:\Windows\SysWOW64\Kboldq32.exe | none listed
83 | PID 1444 | C:\Windows\SysWOW64\Mdhdkp32.exe | DROP
84 | PID 2656 | C:\Windows\SysWOW64\Nneboemj.exe | none listed
85 | PID 512 | C:\Windows\SysWOW64\Ocmjcjad.exe | none listed
86 | PID 3652 | C:\Windows\SysWOW64\Ocpghj32.exe | AUTORUN
87 | PID 1080 | C:\Windows\SysWOW64\Odocbmfd.exe | none listed
88 | PID 4424 | C:\Windows\SysWOW64\Oqfdgn32.exe | none listed
89 | PID 2120 | C:\Windows\SysWOW64\Pgpmdh32.exe | none listed
90 | PID 1492 | C:\Windows\SysWOW64\Pjaefc32.exe | AUTORUN; REGCLASS
91 | PID 1424 | C:\Windows\SysWOW64\Pgefogop.exe | AUTORUN; DROP
92 | PID 2752 | C:\Windows\SysWOW64\Ampkil32.exe | none listed
93 | PID 1184 | C:\Windows\SysWOW64\Aancojgn.exe | none listed
94 | PID 5032 | C:\Windows\SysWOW64\Amdddkma.exe | none listed
95 | PID 1120 | C:\Windows\SysWOW64\Agjhadmh.exe | REGCLASS
96 | PID 2424 | C:\Windows\SysWOW64\Bjmnho32.exe | REGCLASS
97 | PID 540 | C:\Windows\SysWOW64\Bmngjj32.exe | REGCLASS
98 | PID 5136 | C:\Windows\SysWOW64\Cjmgomjc.exe | none listed
99 | PID 5212 | C:\Windows\SysWOW64\Dodbkiho.exe | none listed
100 | PID 5296 | C:\Windows\SysWOW64\Fhdfll32.exe | AUTORUN
101 | PID 5388 | C:\Windows\SysWOW64\Inpclnnj.exe | none listed
102 | PID 5472 | C:\Windows\SysWOW64\Inbpbnlg.exe | none listed
103 | PID 5524 | C:\Windows\SysWOW64\Jpffgp32.exe | none listed
104 | PID 5568 | C:\Windows\SysWOW64\Jiokpfee.exe | none listed
105 | PID 5628 | C:\Windows\SysWOW64\Jnkchmdl.exe | none listed
106 | PID 5680 | C:\Windows\SysWOW64\Jbilnkjc.exe | none listed
107 | PID 5724 | C:\Windows\SysWOW64\Kejepfgd.exe | REGCLASS
108 | PID 5772 | C:\Windows\SysWOW64\Kihnfdmj.exe | REGCLASS
109 | PID 5872 | C:\Windows\SysWOW64\Lfcdph32.exe | none listed
110 | PID 5944 | C:\Windows\SysWOW64\Mhgfdmle.exe | none listed
111 | PID 6008 | C:\Windows\SysWOW64\Nfhfbedd.exe | DROP
112 | PID 6052 | C:\Windows\SysWOW64\Niipdpae.exe | AUTORUN
113 | PID 6124 | C:\Windows\SysWOW64\Neppiagi.exe | none listed
114 | PID 5164 | C:\Windows\SysWOW64\Npgalidl.exe | none listed
115 | PID 5204 | C:\Windows\SysWOW64\Nipedokm.exe | DROP
116 | PID 5272 | C:\Windows\SysWOW64\Oookbega.exe | DROP
117 | PID 1152 | C:\Windows\SysWOW64\Pebfen32.exe | AUTORUN; DROP
118 | PID 5316 | C:\Windows\SysWOW64\Pokjnd32.exe | DROP
119 | PID 5376 | C:\Windows\SysWOW64\Pomgcc32.exe | none listed
120 | PID 948 | C:\Windows\SysWOW64\Pplcnf32.exe | DROP
121 | PID 5488 | C:\Windows\SysWOW64\Pfilfm32.exe | none listed
122 | PID 5564 | C:\Windows\SysWOW64\Poaqocgl.exe | AUTORUN
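The WriteProcessMemory events and the process tree above describe the same chain from two sides: each event names the parent PID, the child PID it wrote into and the parent's image, while the tree lists each child's image, logged command line, nesting depth and PID. The Python below is an added example, not part of the sandbox report or its tooling. It parses both formats as the report renders them (the events may be run together on one line, and the tree fuses image path, command line and depth), rebuilds the parent-to-child chain, cross-checks each event's source image against the tree entry with that PID, and flags two things a practitioner wants to see in this run: the WOW64 redirection (command line says System32, image loaded from SysWOW64) and the reuse of PID 2752. The sample input is a constructed subset copied from this page; the regular expressions and function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input copied from the report above: WriteProcessMemory
# events as the page lists them (each call is a separate event, hence repeats).
WPM_EVENTS = """\
PID 2880 wrote to memory of 4604 2880 Ghadjkhh.exe 103
PID 2880 wrote to memory of 4604 2880 Ghadjkhh.exe 103
PID 4604 wrote to memory of 4196 4604 Hklpaeno.exe 104
PID 4604 wrote to memory of 4196 4604 Hklpaeno.exe 104
PID 4604 wrote to memory of 4196 4604 Hklpaeno.exe 104
PID 4196 wrote to memory of 3420 4196 Ioqohb32.exe 105
PID 3420 wrote to memory of 4348 3420 Iacepmik.exe 106
"""

# Constructed sample of tree entries in the report's flattened layout: image path,
# command line and depth fused on one line, "- " signature bullets, then "PID:n"
# (inline on the entry line when there are no bullets).
TREE_TEXT = r"""
C:\Windows\SysWOW64\Ghadjkhh.exeC:\Windows\system32\Ghadjkhh.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Hklpaeno.exeC:\Windows\system32\Hklpaeno.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Meepoc32.exeC:\Windows\system32\Meepoc32.exe20⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ampkil32.exeC:\Windows\system32\Ampkil32.exe92⤵PID:2752
"""

# "PID a wrote to memory of b a Image.exe n": the backreference checks the repeated source PID
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
# image and command line are fused: split at the first ".exe", then require an
# (optionally quoted) drive letter for the command line, then depth and the arrow
ENTRY_RE = re.compile(r'^(?P<image>.+?\.exe)(?P<cmd>"?[A-Za-z]:\\.+?\.exe"?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?')
PID_RE = re.compile(r"^PID:(\d+)")


def parse_wpm_events(text):
    """Unique (source_pid, target_pid, source_image) edges in first-seen order."""
    edges = OrderedDict()
    for m in WPM_RE.finditer(text):          # works whether events are one per line or run together
        edges.setdefault((int(m.group(1)), int(m.group(2)), m.group(3)), None)
    return list(edges)


def chain_from_events(edges):
    """Order edges root-first. The report shows one linear chain; a source that
    wrote into two different children is a branch and is reported, not flattened."""
    children, targets = {}, set()
    for src, dst, image in edges:
        if src in children and children[src][0] != dst:
            raise ValueError(f"PID {src} wrote to two children: {children[src][0]} and {dst}")
        children[src] = (dst, image)
        targets.add(dst)
    roots = [src for src in children if src not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    chain, pid = [], roots[0]
    while pid in children:
        dst, image = children[pid]
        chain.append((pid, dst, image))
        pid = dst
    return chain


def parse_tree(text):
    """Split the flattened tree into dicts: image, cmdline, depth, pid, signatures."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"image": m.group("image"), "cmdline": m.group("cmd").strip('"'),
                            "depth": int(m.group("depth")),
                            "pid": int(m.group("pid")) if m.group("pid") else None,
                            "signatures": []})
        elif entries and line.startswith("- "):
            entries[-1]["signatures"].append(line[2:].strip())
        elif entries and PID_RE.match(line):
            entries[-1]["pid"] = int(PID_RE.match(line).group(1))
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def wow64_redirected(entry):
    """True when the command line names System32 but the image loaded from SysWOW64,
    i.e. the 32-bit process was subject to WOW64 file-system redirection."""
    return "\\syswow64\\" in entry["image"].lower() and "\\system32\\" in entry["cmdline"].lower()


def find_pid_reuse(entries):
    """PIDs listed more than once in the tree. A reused PID is not a stable key for
    joining events to processes; join on (pid, image) instead, as reconcile() does."""
    seen = {}
    for e in entries:
        seen.setdefault(e["pid"], []).append((e["depth"], basename(e["image"])))
    return {pid: hits for pid, hits in seen.items() if len(hits) > 1}


def reconcile(chain, entries):
    """Edges whose source PID is in the tree but never with the image the event names."""
    known = {(e["pid"], basename(e["image"])) for e in entries}
    pids = {e["pid"] for e in entries}
    return [edge for edge in chain if edge[0] in pids and (edge[0], edge[2]) not in known]


if __name__ == "__main__":
    chain = chain_from_events(parse_wpm_events(WPM_EVENTS))
    entries = parse_tree(TREE_TEXT)
    for src, dst, image in chain:
        print(f"{image} (PID {src}) -> PID {dst}")
    print("WOW64-redirected entries:", sum(wow64_redirected(e) for e in entries))
    print("PID reuse:", find_pid_reuse(entries))
    print("event/tree mismatches:", reconcile(chain, entries))
```

Run against the full report text, the same functions give the 122-step chain; reconcile() joins on (pid, image) precisely so that the reused PID 2752 does not produce a false mismatch between the Meepoc32.exe event and the later Ampkil32.exe entry.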