Analysis
-
max time kernel
96s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 19:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
-
Size
192KB
-
MD5
20c430090dc2b47ded461c738479c0f0
-
SHA1
e08ebd836b3977daa8623d4ab2576b28f4ee0f99
-
SHA256
420e8fdcefc2bea9d25601137938b54055911a6948448d6efab39d9d3a128925
-
SHA512
09e95cf36e2a91a8c8bb8e1b8bdccdc0c6b4dd6c9733723f09fab393c20d7cd119f9b94eb6c30e89677090d2ebe0c6a2472ab30c079a9ca4d400c92aba4f484b
-
SSDEEP
3072:cNTSH6uLkg4YsbSry3RHtqk3vN6outkTy27zU:wTg4h3RNqIl6oSkTl7zU
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihjjln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klibdcjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qipjokik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkhkflh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalndaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akgjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flaaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdpagc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poelfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nockkcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcpqgbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nldjnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngaabfio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdfgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhbakk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjlpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpebjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obfhmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdmfljb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmbkipk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebjokda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbjhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilpfgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jliimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnfmapqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpapiipo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Offeahhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abcgii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Behiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqjolfda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcfqoici.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aemqdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldeonbkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmamba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpbaga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iefnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gngeik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hembndee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meoggpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jliimf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmqoqbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldpde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Immaimnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgdlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcepem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jloibkhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpinac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllble32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doageg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clfdcgkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmamba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqpika32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqhfoebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgnffp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaljaoii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kphmbjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehbgjenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klgqmfpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkpbpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlgjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmnkdfce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gokmfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjcne32.exe -
Executes dropped EXE 64 IoCs
pid Process 3236 Egcaod32.exe 4540 Gkdpbpih.exe 4848 Gngeik32.exe 3536 Hbenoi32.exe 1868 Halhfe32.exe 4548 Ilibdmgp.exe 5612 Ihbponja.exe 5452 Jocnlg32.exe 1964 Jeapcq32.exe 5332 Klndfj32.exe 5396 Kekbjo32.exe 4676 Lpepbgbd.exe 1960 Lhenai32.exe 4640 Mlhqcgnk.exe 5964 Mqhfoebo.exe 5972 Nblolm32.exe 5500 Nqoloc32.exe 2188 Ncbafoge.exe 2704 Opbean32.exe 1320 Pbcncibp.exe 5268 Pmmlla32.exe 5384 Pfepdg32.exe 1056 Pblajhje.exe 4560 Qclmck32.exe 5848 Abcgjg32.exe 116 Aplaoj32.exe 4612 Bdocph32.exe 888 Cacmpj32.exe 2208 Dajbaika.exe 5000 Djgdkk32.exe 2000 Edaaccbj.exe 5008 Fnalmh32.exe 2600 Fcpakn32.exe 496 Gbbkocid.exe 2832 Halaloif.exe 3396 Icogcjde.exe 5180 Iabglnco.exe 3952 Inkaqb32.exe 5144 Jaljbmkd.exe 5164 Jhkljfok.exe 2324 Jacpcl32.exe 5040 Jbbmmo32.exe 1376 Jjnaaa32.exe 4072 Khabke32.exe 6004 Kbgfhnhi.exe 4420 Logicn32.exe 3984 Lojfin32.exe 2220 Ldfoad32.exe 5280 Lbhool32.exe 1976 Lamlphoo.exe 4260 Mkepineo.exe 5048 Maoifh32.exe 5604 Mcoepkdo.exe 5572 Mdpagc32.exe 6072 Moefdljc.exe 5368 Mdbnmbhj.exe 4408 Mebkge32.exe 1796 Nhbciqln.exe 5920 Ndidna32.exe 5888 Napameoi.exe 3592 Ndpjnq32.exe 3960 Obfhmd32.exe 3732 Obidcdfo.exe 4480 Okfbgiij.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eiobbgcl.exe Eoindndf.exe File created C:\Windows\SysWOW64\Akgcdc32.exe Apaofk32.exe File opened for modification C:\Windows\SysWOW64\Ekqcfpmj.exe Ehbgjenf.exe File created C:\Windows\SysWOW64\Napameoi.exe Ndidna32.exe File created C:\Windows\SysWOW64\Ohjmmjng.dll Gnckooob.exe File created C:\Windows\SysWOW64\Glkdejcd.exe Gmjcgb32.exe File created C:\Windows\SysWOW64\Nkeado32.dll Gbenjm32.exe File created C:\Windows\SysWOW64\Hmdend32.exe Hboaql32.exe File created C:\Windows\SysWOW64\Ndpjnq32.exe Napameoi.exe File created C:\Windows\SysWOW64\Aijdpd32.dll Cpklql32.exe File created C:\Windows\SysWOW64\Gqdbbelf.exe Gjjjfkdj.exe File opened for modification C:\Windows\SysWOW64\Adockl32.exe Anbkbe32.exe File opened for modification C:\Windows\SysWOW64\Baocpnmf.exe Bdkbgj32.exe File created C:\Windows\SysWOW64\Ljiochji.dll Cjfclcpg.exe File created C:\Windows\SysWOW64\Fflpgl32.dll Bimoecio.exe File created C:\Windows\SysWOW64\Bekfcj32.dll Aejfjocb.exe File opened for modification C:\Windows\SysWOW64\Fklcbocl.exe Fdbked32.exe File created C:\Windows\SysWOW64\Nejbaqgo.exe Nnpjdfpb.exe File created C:\Windows\SysWOW64\Oeoklp32.exe Onecof32.exe File created C:\Windows\SysWOW64\Ejiqom32.exe Ecphbckp.exe File created C:\Windows\SysWOW64\Mkpglqgj.exe Mpkbohhd.exe File created C:\Windows\SysWOW64\Elmoqj32.dll Jhkljfok.exe File created C:\Windows\SysWOW64\Djdlpdhq.dll Bqbohocd.exe File created C:\Windows\SysWOW64\Nmeikqpi.dll Headon32.exe File opened for modification C:\Windows\SysWOW64\Ilpfgg32.exe Iefnjm32.exe File opened for modification C:\Windows\SysWOW64\Jfoihalp.exe Jlidkh32.exe File created C:\Windows\SysWOW64\Hqcqdk32.dll Pdeffgff.exe File created C:\Windows\SysWOW64\Jegmfd32.dll Fhiinbdo.exe File opened for modification C:\Windows\SysWOW64\Ikmpcicg.exe Ijkdkq32.exe File opened for modification C:\Windows\SysWOW64\Apnkfelb.exe Aeigilml.exe File created C:\Windows\SysWOW64\Hjfplo32.exe Hhhdpd32.exe File created C:\Windows\SysWOW64\Eihijk32.dll Foifmcoa.exe File created C:\Windows\SysWOW64\Mbcjimda.exe Mmfaafej.exe File created C:\Windows\SysWOW64\Hpenpp32.exe Hfljfjpq.exe File opened for modification C:\Windows\SysWOW64\Qcepem32.exe Qkjlpk32.exe File created C:\Windows\SysWOW64\Baekjn32.dll Hcpcehko.exe File opened for modification C:\Windows\SysWOW64\Jpgmaf32.exe Jmhaek32.exe File created C:\Windows\SysWOW64\Deocpk32.dll Halhfe32.exe File created C:\Windows\SysWOW64\Mnfgko32.dll Kekbjo32.exe File opened for modification C:\Windows\SysWOW64\Npjnbg32.exe Nipffmmg.exe File created C:\Windows\SysWOW64\Fclohg32.exe Fjcjpb32.exe File opened for modification C:\Windows\SysWOW64\Eplckh32.exe Efgono32.exe File created C:\Windows\SysWOW64\Qcepem32.exe Qkjlpk32.exe File created C:\Windows\SysWOW64\Bmgjnl32.dll Opbean32.exe File created C:\Windows\SysWOW64\Ecoaijio.exe Deidjf32.exe File created C:\Windows\SysWOW64\Gglpgd32.exe Gnckooob.exe File opened for modification C:\Windows\SysWOW64\Flghognq.exe Fcodfa32.exe File opened for modification C:\Windows\SysWOW64\Kbfjljhf.exe Klibdcjo.exe File opened for modification C:\Windows\SysWOW64\Liimgh32.exe Lboeknkf.exe File created C:\Windows\SysWOW64\Ganikk32.dll Dlijodjd.exe File created C:\Windows\SysWOW64\Ljeqcm32.dll Ifplgc32.exe File opened for modification C:\Windows\SysWOW64\Abcgjg32.exe Qclmck32.exe File opened for modification C:\Windows\SysWOW64\Cifmoa32.exe Cblebgfh.exe File created C:\Windows\SysWOW64\Dkgeao32.exe Dmfecgim.exe File opened for modification C:\Windows\SysWOW64\Kdpmmf32.exe Kkhidaeo.exe File opened for modification C:\Windows\SysWOW64\Qkjlpk32.exe Pjkofh32.exe File created C:\Windows\SysWOW64\Bdkbgj32.exe Bjbnndgl.exe File created C:\Windows\SysWOW64\Nblolm32.exe Mqhfoebo.exe File created C:\Windows\SysWOW64\Bdocph32.exe Aplaoj32.exe File opened for modification C:\Windows\SysWOW64\Ndjldo32.exe Nidhffef.exe File opened for modification C:\Windows\SysWOW64\Cfmahknh.exe Cpcila32.exe File created C:\Windows\SysWOW64\Efampahd.exe Efopjbjg.exe File created C:\Windows\SysWOW64\Emdplb32.dll Lpbokjho.exe File created C:\Windows\SysWOW64\Bloikp32.dll Cjdfgc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kingpj32.dll" Ilbnkiba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lamlphoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikepce32.dll" Hmcfma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clldhljp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeomfioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnaef32.dll" Mdcmnfop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkcjjhgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlgjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onbpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfefqc.dll" Qbekgknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adnilfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghdhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joaojf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfcmf32.dll" Ieoapl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bllble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfca32.dll" Mbkfcabb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlegjk32.dll" Ddpeigle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcfqoici.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gddqejni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afboah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljmka32.dll" Hhaope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkdagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbfbj32.dll" Bedgejbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eaklcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclnkgap.dll" Fdiafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjgegjko.dll" Mmiealgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lopkkdgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fblldn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcbikd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eahomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnlpff32.dll" Mgagll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djgdkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecjpfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beefhclj.dll" Efjgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geklckkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcnbekok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdmikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppffec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbgndoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bleebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acbmjcgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcanmlea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmapl32.dll" Oigdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gimoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dklomnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimmkk32.dll" Kfpjgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meobeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnekcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlegokbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okgfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Foenplji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfcbcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hijohoki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldmdk32.dll" Eglkmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dabpgbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oelnpk32.dll" Ajphagha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbabpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdalkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pohnnqgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcfcmnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldgmleom.dll" Focakm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhdkig32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3812 wrote to memory of 3236 3812 20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe 91 PID 3812 wrote to memory of 3236 3812 20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe 91 PID 3812 wrote to memory of 3236 3812 20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe 91 PID 3236 wrote to memory of 4540 3236 Egcaod32.exe 92 PID 3236 wrote to memory of 4540 3236 Egcaod32.exe 92 PID 3236 wrote to memory of 4540 3236 Egcaod32.exe 92 PID 4540 wrote to memory of 4848 4540 Gkdpbpih.exe 93 PID 4540 wrote to memory of 4848 4540 Gkdpbpih.exe 93 PID 4540 wrote to memory of 4848 4540 Gkdpbpih.exe 93 PID 4848 wrote to memory of 3536 4848 Gngeik32.exe 94 PID 4848 wrote to memory of 3536 4848 Gngeik32.exe 94 PID 4848 wrote to memory of 3536 4848 Gngeik32.exe 94 PID 3536 wrote to memory of 1868 3536 Hbenoi32.exe 95 PID 3536 wrote to memory of 1868 3536 Hbenoi32.exe 95 PID 3536 wrote to memory of 1868 3536 Hbenoi32.exe 95 PID 1868 wrote to memory of 4548 1868 Halhfe32.exe 96 PID 1868 wrote to memory of 4548 1868 Halhfe32.exe 96 PID 1868 wrote to memory of 4548 1868 Halhfe32.exe 96 PID 4548 wrote to memory of 5612 4548 Ilibdmgp.exe 97 PID 4548 wrote to memory of 5612 4548 Ilibdmgp.exe 97 PID 4548 wrote to memory of 5612 4548 Ilibdmgp.exe 97 PID 5612 wrote to memory of 5452 5612 Ihbponja.exe 98 PID 5612 wrote to memory of 5452 5612 Ihbponja.exe 98 PID 5612 wrote to memory of 5452 5612 Ihbponja.exe 98 PID 5452 wrote to memory of 1964 5452 Jocnlg32.exe 99 PID 5452 wrote to memory of 1964 5452 Jocnlg32.exe 99 PID 5452 wrote to memory of 1964 5452 Jocnlg32.exe 99 PID 1964 wrote to memory of 5332 1964 Jeapcq32.exe 100 PID 1964 wrote to memory of 5332 1964 Jeapcq32.exe 100 PID 1964 wrote to memory of 5332 1964 Jeapcq32.exe 100 PID 5332 wrote to memory of 5396 5332 Klndfj32.exe 101 PID 5332 wrote to memory of 5396 5332 Klndfj32.exe 101 PID 5332 wrote to memory of 5396 5332 Klndfj32.exe 101 PID 5396 wrote to memory of 4676 5396 Kekbjo32.exe 102 PID 5396 wrote to memory of 4676 5396 Kekbjo32.exe 102 PID 5396 wrote to memory of 4676 5396 Kekbjo32.exe 102 PID 4676 wrote to memory of 1960 4676 Lpepbgbd.exe 103 PID 4676 wrote to memory of 1960 4676 Lpepbgbd.exe 103 PID 4676 wrote to memory of 1960 4676 Lpepbgbd.exe 103 PID 1960 wrote to memory of 4640 1960 Lhenai32.exe 104 PID 1960 wrote to memory of 4640 1960 Lhenai32.exe 104 PID 1960 wrote to memory of 4640 1960 Lhenai32.exe 104 PID 4640 wrote to memory of 5964 4640 Mlhqcgnk.exe 105 PID 4640 wrote to memory of 5964 4640 Mlhqcgnk.exe 105 PID 4640 wrote to memory of 5964 4640 Mlhqcgnk.exe 105 PID 5964 wrote to memory of 5972 5964 Mqhfoebo.exe 106 PID 5964 wrote to memory of 5972 5964 Mqhfoebo.exe 106 PID 5964 wrote to memory of 5972 5964 Mqhfoebo.exe 106 PID 5972 wrote to memory of 5500 5972 Nblolm32.exe 107 PID 5972 wrote to memory of 5500 5972 Nblolm32.exe 107 PID 5972 wrote to memory of 5500 5972 Nblolm32.exe 107 PID 5500 wrote to memory of 2188 5500 Nqoloc32.exe 108 PID 5500 wrote to memory of 2188 5500 Nqoloc32.exe 108 PID 5500 wrote to memory of 2188 5500 Nqoloc32.exe 108 PID 2188 wrote to memory of 2704 2188 Ncbafoge.exe 109 PID 2188 wrote to memory of 2704 2188 Ncbafoge.exe 109 PID 2188 wrote to memory of 2704 2188 Ncbafoge.exe 109 PID 2704 wrote to memory of 1320 2704 Opbean32.exe 110 PID 2704 wrote to memory of 1320 2704 Opbean32.exe 110 PID 2704 wrote to memory of 1320 2704 Opbean32.exe 110 PID 1320 wrote to memory of 5268 1320 Pbcncibp.exe 111 PID 1320 wrote to memory of 5268 1320 Pbcncibp.exe 111 PID 1320 wrote to memory of 5268 1320 Pbcncibp.exe 111 PID 5268 wrote to memory of 5384 5268 Pmmlla32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Egcaod32.exeC:\Windows\system32\Egcaod32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Gngeik32.exeC:\Windows\system32\Gngeik32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Hbenoi32.exeC:\Windows\system32\Hbenoi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Ihbponja.exeC:\Windows\system32\Ihbponja.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5612 -
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5452 -
C:\Windows\SysWOW64\Jeapcq32.exeC:\Windows\system32\Jeapcq32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5332 -
C:\Windows\SysWOW64\Kekbjo32.exeC:\Windows\system32\Kekbjo32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5396 -
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Lhenai32.exeC:\Windows\system32\Lhenai32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Mlhqcgnk.exeC:\Windows\system32\Mlhqcgnk.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5964 -
C:\Windows\SysWOW64\Nblolm32.exeC:\Windows\system32\Nblolm32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5972 -
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5500 -
C:\Windows\SysWOW64\Ncbafoge.exeC:\Windows\system32\Ncbafoge.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Opbean32.exeC:\Windows\system32\Opbean32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Pbcncibp.exeC:\Windows\system32\Pbcncibp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5268 -
C:\Windows\SysWOW64\Pfepdg32.exeC:\Windows\system32\Pfepdg32.exe23⤵
- Executes dropped EXE
PID:5384 -
C:\Windows\SysWOW64\Pblajhje.exeC:\Windows\system32\Pblajhje.exe24⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Qclmck32.exeC:\Windows\system32\Qclmck32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe26⤵
- Executes dropped EXE
PID:5848 -
C:\Windows\SysWOW64\Aplaoj32.exeC:\Windows\system32\Aplaoj32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:116 -
C:\Windows\SysWOW64\Bdocph32.exeC:\Windows\system32\Bdocph32.exe28⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Cacmpj32.exeC:\Windows\system32\Cacmpj32.exe29⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe30⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Djgdkk32.exeC:\Windows\system32\Djgdkk32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:5000 -
C:\Windows\SysWOW64\Edaaccbj.exeC:\Windows\system32\Edaaccbj.exe32⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe33⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe34⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Gbbkocid.exeC:\Windows\system32\Gbbkocid.exe35⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe36⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Icogcjde.exeC:\Windows\system32\Icogcjde.exe37⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe38⤵
- Executes dropped EXE
PID:5180 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe39⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Jaljbmkd.exeC:\Windows\system32\Jaljbmkd.exe40⤵
- Executes dropped EXE
PID:5144 -
C:\Windows\SysWOW64\Jhkljfok.exeC:\Windows\system32\Jhkljfok.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5164 -
C:\Windows\SysWOW64\Jacpcl32.exeC:\Windows\system32\Jacpcl32.exe42⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe43⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe44⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Khabke32.exeC:\Windows\system32\Khabke32.exe45⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe46⤵
- Executes dropped EXE
PID:6004 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe47⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Lojfin32.exeC:\Windows\system32\Lojfin32.exe48⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe49⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe50⤵
- Executes dropped EXE
PID:5280 -
C:\Windows\SysWOW64\Lamlphoo.exeC:\Windows\system32\Lamlphoo.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe52⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe53⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe54⤵
- Executes dropped EXE
PID:5604 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5572 -
C:\Windows\SysWOW64\Moefdljc.exeC:\Windows\system32\Moefdljc.exe56⤵
- Executes dropped EXE
PID:6072 -
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe57⤵
- Executes dropped EXE
PID:5368 -
C:\Windows\SysWOW64\Mebkge32.exeC:\Windows\system32\Mebkge32.exe58⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe59⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Ndidna32.exeC:\Windows\system32\Ndidna32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5920 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Ndpjnq32.exeC:\Windows\system32\Ndpjnq32.exe62⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Obidcdfo.exeC:\Windows\system32\Obidcdfo.exe64⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Okfbgiij.exeC:\Windows\system32\Okfbgiij.exe65⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe66⤵PID:528
-
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe67⤵PID:4256
-
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe68⤵PID:5400
-
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe69⤵PID:2120
-
C:\Windows\SysWOW64\Qppkhfec.exeC:\Windows\system32\Qppkhfec.exe70⤵PID:3784
-
C:\Windows\SysWOW64\Qelcamcj.exeC:\Windows\system32\Qelcamcj.exe71⤵PID:3076
-
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe72⤵PID:4160
-
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe73⤵PID:1996
-
C:\Windows\SysWOW64\Acbmjcgd.exeC:\Windows\system32\Acbmjcgd.exe74⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe75⤵PID:3936
-
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe76⤵PID:5060
-
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe77⤵PID:5176
-
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe78⤵PID:4764
-
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe79⤵PID:820
-
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe80⤵PID:6052
-
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe81⤵PID:1416
-
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe82⤵PID:3400
-
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe83⤵PID:4884
-
C:\Windows\SysWOW64\Cifdjg32.exeC:\Windows\system32\Cifdjg32.exe84⤵PID:1836
-
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe85⤵PID:4376
-
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe86⤵
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Cfmahknh.exeC:\Windows\system32\Cfmahknh.exe87⤵PID:2676
-
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe88⤵PID:972
-
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe89⤵PID:5556
-
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe90⤵PID:5780
-
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe91⤵PID:628
-
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe92⤵
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe93⤵PID:5996
-
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe94⤵PID:5488
-
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe95⤵PID:3080
-
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe96⤵PID:5876
-
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe97⤵PID:2440
-
C:\Windows\SysWOW64\Fdogjk32.exeC:\Windows\system32\Fdogjk32.exe98⤵PID:228
-
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe99⤵PID:5132
-
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe100⤵PID:1752
-
C:\Windows\SysWOW64\Fgpplf32.exeC:\Windows\system32\Fgpplf32.exe101⤵PID:5196
-
C:\Windows\SysWOW64\Gnjhhpgl.exeC:\Windows\system32\Gnjhhpgl.exe102⤵PID:5360
-
C:\Windows\SysWOW64\Gddqejni.exeC:\Windows\system32\Gddqejni.exe103⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Gjqinamq.exeC:\Windows\system32\Gjqinamq.exe104⤵PID:5084
-
C:\Windows\SysWOW64\Gcimfg32.exeC:\Windows\system32\Gcimfg32.exe105⤵PID:4372
-
C:\Windows\SysWOW64\Gnoacp32.exeC:\Windows\system32\Gnoacp32.exe106⤵PID:4992
-
C:\Windows\SysWOW64\Gggfme32.exeC:\Windows\system32\Gggfme32.exe107⤵PID:2988
-
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe108⤵PID:5628
-
C:\Windows\SysWOW64\Gnckooob.exeC:\Windows\system32\Gnckooob.exe109⤵
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe110⤵PID:1956
-
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe111⤵PID:4020
-
C:\Windows\SysWOW64\Hmkeekag.exeC:\Windows\system32\Hmkeekag.exe112⤵PID:4076
-
C:\Windows\SysWOW64\Hcembe32.exeC:\Windows\system32\Hcembe32.exe113⤵PID:5788
-
C:\Windows\SysWOW64\Hnjaonij.exeC:\Windows\system32\Hnjaonij.exe114⤵PID:4452
-
C:\Windows\SysWOW64\Hcgjhega.exeC:\Windows\system32\Hcgjhega.exe115⤵PID:4788
-
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe116⤵PID:2040
-
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe117⤵PID:3232
-
C:\Windows\SysWOW64\Ifjoop32.exeC:\Windows\system32\Ifjoop32.exe118⤵PID:2900
-
C:\Windows\SysWOW64\Imdgljil.exeC:\Windows\system32\Imdgljil.exe119⤵PID:5136
-
C:\Windows\SysWOW64\Igjlibib.exeC:\Windows\system32\Igjlibib.exe120⤵PID:5776
-
C:\Windows\SysWOW64\Iqbpahpc.exeC:\Windows\system32\Iqbpahpc.exe121⤵PID:3876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-