Analysis
-
max time kernel
132s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2024 18:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
03318d9f5be63cea2f0ab741742ef190_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
03318d9f5be63cea2f0ab741742ef190_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
03318d9f5be63cea2f0ab741742ef190_NeikiAnalytics.exe
-
Size
483KB
-
MD5
03318d9f5be63cea2f0ab741742ef190
-
SHA1
de8f6806281e77482812dbf36bd7d8b006b7d8e9
-
SHA256
5719866545153c56cb044456cea4ff750bbea7f68bb40a823af20d7d848d0f75
-
SHA512
20c73071123afae6e4fdee611463bbdfc3ba24c1a37817f110430386a37caf12ffecd09e97b1a67e408fdc0ae014da5c18ef064b17b17c1f02fddd54a0205039
-
SSDEEP
6144:Y2l7wALpUJKtFy5v1k3RMZebBDRMZebBGzxUur/THL1k3RMZebBvG0NPhGcRPTD7:RsMpVtY5vARM0RM/3ARMSG0dhvARMoHG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcidmkpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnoqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdjchgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdjehhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhijepa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglfplgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpfphe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjgim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbbch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhgbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogjdmbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeekkafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoofle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfipef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daconoae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhmnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibpiogmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khmknk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhalefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccchof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpgeee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhahaiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaqegecm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppopjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnckpmql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocffempp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phedhmhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglbhhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eachem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcdqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjchaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedafk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agjhgngj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdbfodfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khpgckkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohehq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbkmijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfhnaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhenj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbakghm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkkjmlan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Facqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihphkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikcmbfcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghjhemo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jecofa32.exe -
Executes dropped EXE 64 IoCs
pid Process 1680 Ambgef32.exe 3324 Aeiofcji.exe 2016 Amddjegd.exe 3800 Aqppkd32.exe 2028 Agjhgngj.exe 2636 Acqimo32.exe 4168 Afoeiklb.exe 4024 Anfmjhmd.exe 3312 Aminee32.exe 1168 Aepefb32.exe 3152 Bnhjohkb.exe 3240 Bebblb32.exe 1536 Bfdodjhm.exe 848 Beeoaapl.exe 4504 Bgcknmop.exe 4412 Bmpcfdmg.exe 4608 Bcjlcn32.exe 1320 Bfhhoi32.exe 5076 Beihma32.exe 2128 Bhhdil32.exe 220 Bapiabak.exe 3040 Chjaol32.exe 1712 Cfmajipb.exe 512 Cenahpha.exe 4600 Cfpnph32.exe 2492 Caebma32.exe 1284 Chokikeb.exe 2932 Cnicfe32.exe 2964 Chagok32.exe 5108 Cjpckf32.exe 1940 Cajlhqjp.exe 4828 Cdhhdlid.exe 2340 Cjbpaf32.exe 4928 Calhnpgn.exe 4948 Dfiafg32.exe 4836 Dopigd32.exe 3548 Danecp32.exe 2628 Dhhnpjmh.exe 548 Djgjlelk.exe 916 Dmefhako.exe 2756 Dhkjej32.exe 5024 Dodbbdbb.exe 3208 Daconoae.exe 3252 Ddakjkqi.exe 3752 Dfpgffpm.exe 3372 Dogogcpo.exe 2372 Deagdn32.exe 4648 Dknpmdfc.exe 5104 Dahhio32.exe 2284 Eecdjmfi.exe 5056 Egdqae32.exe 2336 Emoinpcd.exe 2300 Eefaomcg.exe 1056 Ekbihd32.exe 4076 Ealadnik.exe 5084 Edknqiho.exe 3292 Egijmegb.exe 1052 Eopbnbhd.exe 4756 Eejjjl32.exe 3928 Ehiffh32.exe 2736 Ekgbccni.exe 4672 Eobocb32.exe 4484 Eaakpm32.exe 1080 Edpgli32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Plbmokop.exe Pidabppl.exe File opened for modification C:\Windows\SysWOW64\Bfngdn32.exe Akhcfe32.exe File created C:\Windows\SysWOW64\Enigke32.exe Eofgpikj.exe File created C:\Windows\SysWOW64\Mlmlcjoo.dll Jdnoplhh.exe File created C:\Windows\SysWOW64\Liqihglg.exe Lbgalmej.exe File created C:\Windows\SysWOW64\Ccpdoqgd.exe Cijpahho.exe File created C:\Windows\SysWOW64\Aafemk32.exe Aogiap32.exe File created C:\Windows\SysWOW64\Kghfphob.dll Joahqn32.exe File opened for modification C:\Windows\SysWOW64\Kjeiodek.exe Kckqbj32.exe File created C:\Windows\SysWOW64\Lnjgfb32.exe Lgpoihnl.exe File created C:\Windows\SysWOW64\Dojqjdbl.exe Dgcihgaj.exe File opened for modification C:\Windows\SysWOW64\Afghneoo.exe Aqkpeopg.exe File created C:\Windows\SysWOW64\Mqafhl32.exe Ljhnlb32.exe File created C:\Windows\SysWOW64\Mglfplgk.exe Mcqjon32.exe File opened for modification C:\Windows\SysWOW64\Bffcpg32.exe Bomkcm32.exe File created C:\Windows\SysWOW64\Jobfelii.dll Jpenfp32.exe File opened for modification C:\Windows\SysWOW64\Njhgbp32.exe Ncnofeof.exe File created C:\Windows\SysWOW64\Dahhio32.exe Dknpmdfc.exe File created C:\Windows\SysWOW64\Kbekqdjh.exe Knippe32.exe File created C:\Windows\SysWOW64\Mffjcopi.exe Mbjnbqhp.exe File opened for modification C:\Windows\SysWOW64\Npgabc32.exe Nhpiafnm.exe File created C:\Windows\SysWOW64\Oofaiokl.exe Oiihahme.exe File created C:\Windows\SysWOW64\Amhfkopc.exe Afnnnd32.exe File created C:\Windows\SysWOW64\Fjjcdn32.dll Fielph32.exe File created C:\Windows\SysWOW64\Hnaqgd32.exe Hgghjjid.exe File created C:\Windows\SysWOW64\Eaakpm32.exe Eobocb32.exe File opened for modification C:\Windows\SysWOW64\Pmiikh32.exe Pjkmomfn.exe File created C:\Windows\SysWOW64\Akdilipp.exe Adkqoohc.exe File created C:\Windows\SysWOW64\Ihphkl32.exe Iddljmpc.exe File created C:\Windows\SysWOW64\Bilqdmae.dll Cjomap32.exe File created C:\Windows\SysWOW64\Lpekef32.exe Llipehgk.exe File created C:\Windows\SysWOW64\Hphlgp32.dll Cflkpblf.exe File created C:\Windows\SysWOW64\Lgcjdd32.exe Liqihglg.exe File created C:\Windows\SysWOW64\Qglmjp32.dll Fcniglmb.exe File created C:\Windows\SysWOW64\Momkkhch.dll Fibhpbea.exe File created C:\Windows\SysWOW64\Njinmf32.exe Ncofplba.exe File opened for modification C:\Windows\SysWOW64\Cnkkjh32.exe Cljobphg.exe File opened for modification C:\Windows\SysWOW64\Cjbpaf32.exe Cdhhdlid.exe File created C:\Windows\SysWOW64\Ekiapmnp.dll Cpfcfmlp.exe File created C:\Windows\SysWOW64\Fnnjmbpm.exe Flpmagqi.exe File created C:\Windows\SysWOW64\Fefjfked.exe Fnobem32.exe File opened for modification C:\Windows\SysWOW64\Igfkfo32.exe Iickkbje.exe File created C:\Windows\SysWOW64\Ejhmqp32.dll Fbhpch32.exe File created C:\Windows\SysWOW64\Nddbqe32.dll Jklinohd.exe File created C:\Windows\SysWOW64\Qcjdoc32.dll Kdbjhbbd.exe File created C:\Windows\SysWOW64\Oacoqnci.exe Oodcdb32.exe File opened for modification C:\Windows\SysWOW64\Ehiffh32.exe Eejjjl32.exe File opened for modification C:\Windows\SysWOW64\Ncfmno32.exe Npgabc32.exe File created C:\Windows\SysWOW64\Noeahkfc.exe Nlfelogp.exe File opened for modification C:\Windows\SysWOW64\Mjokgg32.exe Mgaokl32.exe File created C:\Windows\SysWOW64\Gehbjm32.exe Fnnjmbpm.exe File opened for modification C:\Windows\SysWOW64\Paiogf32.exe Phajna32.exe File created C:\Windows\SysWOW64\Dddjmo32.dll Panhbfep.exe File opened for modification C:\Windows\SysWOW64\Aaenbd32.exe Aogbfi32.exe File created C:\Windows\SysWOW64\Gdppbfff.exe Gempgj32.exe File created C:\Windows\SysWOW64\Fbfcmhpg.exe Fmikeaap.exe File opened for modification C:\Windows\SysWOW64\Ipflihfq.exe Hdokdg32.exe File created C:\Windows\SysWOW64\Dafmjm32.dll Illfdc32.exe File created C:\Windows\SysWOW64\Bmijpchc.dll Aokkahlo.exe File opened for modification C:\Windows\SysWOW64\Jeqbpb32.exe Jfnbdecg.exe File created C:\Windows\SysWOW64\Ecmomj32.dll Kniieo32.exe File created C:\Windows\SysWOW64\Ckbaokim.dll Hedafk32.exe File created C:\Windows\SysWOW64\Johnamkm.exe Jpenfp32.exe File opened for modification C:\Windows\SysWOW64\Ncnofeof.exe Nqpcjj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7196 6220 WerFault.exe 1083 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfkeh32.dll" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chokikeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgflfoob.dll" Gdfoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmehdam.dll" Hajpbckl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mccfdmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhidngmn.dll" Epndknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafnnj32.dll" Knhakh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clchbqoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcjlcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iigdfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oekpkigo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahqddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqhdbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnfjkma.dll" Ilccoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll" Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Cgifbhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfpgffpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cimcan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejlacgdj.dll" Jqiipljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofill32.dll" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidabppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhikb32.dll" Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdencf32.dll" Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlkdj32.dll" Pkegpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lifjnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mefmimif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhalefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghdi32.dll" Haoimcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neccpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbffdlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefplh32.dll" Lifjnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oekpkigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memicmfo.dll" Bjfjka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haafcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opadhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaopfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekmnajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoeieolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" Palklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklhcfle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekiohclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdohmibo.dll" Lpbopfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhbmphjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epndknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jocefm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjabghp.dll" Jblijebc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohhnbhok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aefjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmifh32.dll" Eecphp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqkill32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbffdlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjgfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpnfge32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1128 wrote to memory of 1680 1128 03318d9f5be63cea2f0ab741742ef190_NeikiAnalytics.exe 85 PID 1128 wrote to memory of 1680 1128 03318d9f5be63cea2f0ab741742ef190_NeikiAnalytics.exe 85 PID 1128 wrote to memory of 1680 1128 03318d9f5be63cea2f0ab741742ef190_NeikiAnalytics.exe 85 PID 1680 wrote to memory of 3324 1680 Ambgef32.exe 86 PID 1680 wrote to memory of 3324 1680 Ambgef32.exe 86 PID 1680 wrote to memory of 3324 1680 Ambgef32.exe 86 PID 3324 wrote to memory of 2016 3324 Aeiofcji.exe 87 PID 3324 wrote to memory of 2016 3324 Aeiofcji.exe 87 PID 3324 wrote to memory of 2016 3324 Aeiofcji.exe 87 PID 2016 wrote to memory of 3800 2016 Amddjegd.exe 88 PID 2016 wrote to memory of 3800 2016 Amddjegd.exe 88 PID 2016 wrote to memory of 3800 2016 Amddjegd.exe 88 PID 3800 wrote to memory of 2028 3800 Aqppkd32.exe 89 PID 3800 wrote to memory of 2028 3800 Aqppkd32.exe 89 PID 3800 wrote to memory of 2028 3800 Aqppkd32.exe 89 PID 2028 wrote to memory of 2636 2028 Agjhgngj.exe 90 PID 2028 wrote to memory of 2636 2028 Agjhgngj.exe 90 PID 2028 wrote to memory of 2636 2028 Agjhgngj.exe 90 PID 2636 wrote to memory of 4168 2636 Acqimo32.exe 91 PID 2636 wrote to memory of 4168 2636 Acqimo32.exe 91 PID 2636 wrote to memory of 4168 2636 Acqimo32.exe 91 PID 4168 wrote to memory of 4024 4168 Afoeiklb.exe 92 PID 4168 wrote to memory of 4024 4168 Afoeiklb.exe 92 PID 4168 wrote to memory of 4024 4168 Afoeiklb.exe 92 PID 4024 wrote to memory of 3312 4024 Anfmjhmd.exe 93 PID 4024 wrote to memory of 3312 4024 Anfmjhmd.exe 93 PID 4024 wrote to memory of 3312 4024 Anfmjhmd.exe 93 PID 3312 wrote to memory of 1168 3312 Aminee32.exe 94 PID 3312 wrote to memory of 1168 3312 Aminee32.exe 94 PID 3312 wrote to memory of 1168 3312 Aminee32.exe 94 PID 1168 wrote to memory of 3152 1168 Aepefb32.exe 96 PID 1168 wrote to memory of 3152 1168 Aepefb32.exe 96 PID 1168 wrote to memory of 3152 1168 Aepefb32.exe 96 PID 3152 wrote to memory of 3240 3152 Bnhjohkb.exe 97 PID 3152 wrote to memory of 3240 3152 Bnhjohkb.exe 97 PID 3152 wrote to memory of 3240 3152 Bnhjohkb.exe 97 PID 3240 wrote to memory of 1536 3240 Bebblb32.exe 98 PID 3240 wrote to memory of 1536 3240 Bebblb32.exe 98 PID 3240 wrote to memory of 1536 3240 Bebblb32.exe 98 PID 1536 wrote to memory of 848 1536 Bfdodjhm.exe 100 PID 1536 wrote to memory of 848 1536 Bfdodjhm.exe 100 PID 1536 wrote to memory of 848 1536 Bfdodjhm.exe 100 PID 848 wrote to memory of 4504 848 Beeoaapl.exe 101 PID 848 wrote to memory of 4504 848 Beeoaapl.exe 101 PID 848 wrote to memory of 4504 848 Beeoaapl.exe 101 PID 4504 wrote to memory of 4412 4504 Bgcknmop.exe 103 PID 4504 wrote to memory of 4412 4504 Bgcknmop.exe 103 PID 4504 wrote to memory of 4412 4504 Bgcknmop.exe 103 PID 4412 wrote to memory of 4608 4412 Bmpcfdmg.exe 104 PID 4412 wrote to memory of 4608 4412 Bmpcfdmg.exe 104 PID 4412 wrote to memory of 4608 4412 Bmpcfdmg.exe 104 PID 4608 wrote to memory of 1320 4608 Bcjlcn32.exe 105 PID 4608 wrote to memory of 1320 4608 Bcjlcn32.exe 105 PID 4608 wrote to memory of 1320 4608 Bcjlcn32.exe 105 PID 1320 wrote to memory of 5076 1320 Bfhhoi32.exe 106 PID 1320 wrote to memory of 5076 1320 Bfhhoi32.exe 106 PID 1320 wrote to memory of 5076 1320 Bfhhoi32.exe 106 PID 5076 wrote to memory of 2128 5076 Beihma32.exe 107 PID 5076 wrote to memory of 2128 5076 Beihma32.exe 107 PID 5076 wrote to memory of 2128 5076 Beihma32.exe 107 PID 2128 wrote to memory of 220 2128 Bhhdil32.exe 108 PID 2128 wrote to memory of 220 2128 Bhhdil32.exe 108 PID 2128 wrote to memory of 220 2128 Bhhdil32.exe 108 PID 220 wrote to memory of 3040 220 Bapiabak.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\03318d9f5be63cea2f0ab741742ef190_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\03318d9f5be63cea2f0ab741742ef190_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe23⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe24⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe25⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe26⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe27⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe29⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe30⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe31⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe32⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4828 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe34⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe35⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe36⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe37⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe38⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe39⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe40⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe41⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe42⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe43⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe45⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3752 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe47⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe48⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4648 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe50⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe51⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe52⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe53⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe54⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe55⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe56⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe57⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe58⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe59⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4756 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe62⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4672 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe64⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe65⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe66⤵PID:4768
-
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe67⤵
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe69⤵PID:2688
-
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe70⤵PID:4704
-
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe71⤵PID:5016
-
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe72⤵PID:2392
-
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe73⤵PID:5004
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe74⤵PID:4592
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe75⤵PID:4352
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe76⤵PID:4276
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe77⤵PID:780
-
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe78⤵PID:3528
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe79⤵
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe80⤵PID:4596
-
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe81⤵PID:968
-
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe82⤵PID:5132
-
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe83⤵PID:5184
-
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe84⤵PID:5236
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe85⤵PID:5268
-
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5316 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe87⤵PID:5364
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe88⤵PID:5404
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe89⤵PID:5452
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe90⤵PID:5496
-
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe91⤵
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe92⤵PID:5580
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe93⤵PID:5644
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe94⤵PID:5692
-
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe95⤵PID:5760
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe96⤵PID:5804
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe97⤵PID:5848
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe98⤵PID:5892
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe99⤵PID:5936
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe100⤵PID:5980
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe101⤵PID:6024
-
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe102⤵PID:6068
-
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe103⤵PID:6112
-
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe104⤵PID:1424
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe105⤵PID:5176
-
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe106⤵PID:5220
-
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe107⤵PID:5304
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe108⤵PID:4740
-
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe109⤵PID:5436
-
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe110⤵PID:5520
-
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5592 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5312 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe113⤵PID:5620
-
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe114⤵PID:5684
-
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe115⤵PID:3612
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe116⤵PID:3836
-
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe117⤵PID:4872
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe118⤵PID:4388
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe119⤵PID:4384
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe120⤵PID:5836
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe121⤵PID:5928
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-