Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31/05/2024, 22:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
81a888243d247e2aec5978afb78f6200_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
81a888243d247e2aec5978afb78f6200_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
81a888243d247e2aec5978afb78f6200_NeikiAnalytics.exe
-
Size
451KB
-
MD5
81a888243d247e2aec5978afb78f6200
-
SHA1
971b42d57ce55a816b3e2b1878b5651dc6c78a9a
-
SHA256
ef10cf3dfb62252ef36499f84d8e8b976ad6ac44568c6423dcb61a1f5032a99f
-
SHA512
9bc75ef38fb86cabc245db224833ec8a2ddf26e0c1392a1fbaa19762b3d676afc01a7c9a452a379c6a4e30a04f91b1d850654792da36f9d96faec74ce666c3a5
-
SSDEEP
6144:eDUbIWu1YTO0JKKKKu6PQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:fzu1YTO0JKKKKW/NcZ7/NC64tm6Y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimodc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqgkhnjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofecami.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcagkdba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doccpcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emlenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqbbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoabad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acokhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fphnlcdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjcfabm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oogpjbbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adndoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdqejn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgcbgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gilapgqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmdaljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmpfbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oejbfmpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffimfqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkadoiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fojedapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgbdcgld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfhfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlpneli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcpikkge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohgdhfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaehljpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmalne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfekc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdodkebj.exe -
Executes dropped EXE 64 IoCs
pid Process 2352 Nggqoj32.exe 4800 Okeieh32.exe 220 Ondeac32.exe 2928 Oqbamo32.exe 916 Odnnnnfe.exe 4664 Oqgkhnjf.exe 3188 Oqihnn32.exe 1336 Onmhgb32.exe 4920 Pjdilcla.exe 1976 Pkceffcd.exe 1596 Pnbbbabh.exe 4836 Pabkdmpi.exe 3560 Pcagphom.exe 1908 Peqcjkfp.exe 2200 Pjmlbbdg.exe 4444 Pbddcoei.exe 2584 Qajadlja.exe 3144 Qchmagie.exe 2324 Aegikj32.exe 1624 Alabgd32.exe 4192 Acmflf32.exe 4500 Aldomc32.exe 4112 Abpcon32.exe 2484 Ahmlgd32.exe 4572 Aaepqjpd.exe 4832 Blmacb32.exe 2000 Bnlnon32.exe 4160 Bajjli32.exe 3220 Balfaiil.exe 4020 Bopgjmhe.exe 4196 Bhikcb32.exe 1784 Blfdia32.exe 3172 Cliaoq32.exe 4392 Cafigg32.exe 3744 Chpada32.exe 3716 Clnjjpod.exe 4552 Colffknh.exe 1180 Chdkoa32.exe 1640 Clpgpp32.exe 1980 Cehkhecb.exe 4872 Clbceo32.exe 508 Dekhneap.exe 4716 Docmgjhp.exe 1420 Dhkapp32.exe 4740 Dkjmlk32.exe 1652 Dlijfneg.exe 2980 Dohfbj32.exe 1128 Dddojq32.exe 2684 Ddgkpp32.exe 4676 Ekacmjgl.exe 2120 Echknh32.exe 2548 Edihepnm.exe 4012 Elppfmoo.exe 1664 Eeidoc32.exe 4888 Elbmlmml.exe 2940 Eoaihhlp.exe 2064 Ednaqo32.exe 964 Eocenh32.exe 4364 Ehljfnpn.exe 1332 Eofbch32.exe 3080 Eadopc32.exe 3844 Edbklofb.exe 2912 Fljcmlfd.exe 1516 Fohoigfh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mhcmcm32.dll Dnpdegjp.exe File created C:\Windows\SysWOW64\Dafppp32.exe Cklhcfle.exe File created C:\Windows\SysWOW64\Jlajgl32.dll Chdkoa32.exe File created C:\Windows\SysWOW64\Pdggmekl.dll Hhlejcpm.exe File created C:\Windows\SysWOW64\Dpehof32.exe Djhpgofm.exe File created C:\Windows\SysWOW64\Jgbbpbop.dll Dpehof32.exe File opened for modification C:\Windows\SysWOW64\Njjmni32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mpieqeko.exe Miomdk32.exe File created C:\Windows\SysWOW64\Fbhpch32.exe Fmkgkapm.exe File created C:\Windows\SysWOW64\Maiccajf.exe Mnkggfkb.exe File opened for modification C:\Windows\SysWOW64\Leopnglc.exe Ljilqnlm.exe File opened for modification C:\Windows\SysWOW64\Gfmojenc.exe Gpcfmkff.exe File created C:\Windows\SysWOW64\Nknbglob.dll Fdbdah32.exe File opened for modification C:\Windows\SysWOW64\Mhdjehhj.exe Mbhamajc.exe File created C:\Windows\SysWOW64\Fgdbnmji.exe Fagjfflb.exe File created C:\Windows\SysWOW64\Ncliqp32.dll Eplgeokq.exe File created C:\Windows\SysWOW64\Njbgmjgl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ngaionfl.exe Nhpiafnm.exe File created C:\Windows\SysWOW64\Gckoph32.dll Hlambk32.exe File created C:\Windows\SysWOW64\Emhkdmlg.exe Dfnbgc32.exe File opened for modification C:\Windows\SysWOW64\Ookoaokf.exe Process not Found File created C:\Windows\SysWOW64\Jmknaell.exe Jbeidl32.exe File created C:\Windows\SysWOW64\Egbcih32.dll Ibaeen32.exe File opened for modification C:\Windows\SysWOW64\Ffgqqaip.exe Fchddejl.exe File created C:\Windows\SysWOW64\Pnfdcjkg.exe Pjjhbl32.exe File created C:\Windows\SysWOW64\Ioenpjfm.dll Bfgjjm32.exe File opened for modification C:\Windows\SysWOW64\Cjjcfabm.exe Cpeohh32.exe File created C:\Windows\SysWOW64\Hmofee32.dll Djhpgofm.exe File created C:\Windows\SysWOW64\Bnffda32.dll Dfgcakon.exe File opened for modification C:\Windows\SysWOW64\Ogekbb32.exe Ogcnmc32.exe File created C:\Windows\SysWOW64\Qfbobf32.exe Qjlnnemp.exe File created C:\Windows\SysWOW64\Indfca32.exe Igjngh32.exe File created C:\Windows\SysWOW64\Mlnigobn.dll Lalnmiia.exe File opened for modification C:\Windows\SysWOW64\Mniallpq.exe Mhoipb32.exe File created C:\Windows\SysWOW64\Ckafhlkg.dll Dohfbj32.exe File created C:\Windows\SysWOW64\Bfendmoc.exe Bmlilh32.exe File opened for modification C:\Windows\SysWOW64\Hbbmmi32.exe Hocqam32.exe File created C:\Windows\SysWOW64\Jholncde.dll Mckemg32.exe File created C:\Windows\SysWOW64\Fgcqbd32.dll Pnbbbabh.exe File created C:\Windows\SysWOW64\Ghkebndc.dll Hfnphn32.exe File created C:\Windows\SysWOW64\Ecnpbjmi.dll Hbgmcnhf.exe File created C:\Windows\SysWOW64\Hiikaj32.dll Neafjdkn.exe File created C:\Windows\SysWOW64\Ddnobj32.exe Dkekjdck.exe File created C:\Windows\SysWOW64\Mdmann32.dll Gododflk.exe File opened for modification C:\Windows\SysWOW64\Afjlnk32.exe Aqncedbp.exe File opened for modification C:\Windows\SysWOW64\Ppjgoaoj.exe Pedbahod.exe File opened for modification C:\Windows\SysWOW64\Fgdbnmji.exe Fagjfflb.exe File opened for modification C:\Windows\SysWOW64\Mjpbam32.exe Mahnhhod.exe File created C:\Windows\SysWOW64\Dfgcakon.exe Dmoohe32.exe File created C:\Windows\SysWOW64\Lomqcjie.exe Lnldla32.exe File created C:\Windows\SysWOW64\Paadbk32.dll Ffgqqaip.exe File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe Daekdooc.exe File created C:\Windows\SysWOW64\Nagbfo32.dll Ohnebd32.exe File created C:\Windows\SysWOW64\Adikdfna.exe Aajohjon.exe File opened for modification C:\Windows\SysWOW64\Mmkdcm32.exe Mcbpjg32.exe File opened for modification C:\Windows\SysWOW64\Bmmpfn32.exe Bfchidda.exe File opened for modification C:\Windows\SysWOW64\Kkpbin32.exe Jgeghp32.exe File opened for modification C:\Windows\SysWOW64\Pkhjph32.exe Pifnhpmi.exe File created C:\Windows\SysWOW64\Cobkhb32.exe Cmcolgbj.exe File created C:\Windows\SysWOW64\Pcijdmpm.dll Emkndc32.exe File created C:\Windows\SysWOW64\Jlhljhbg.exe Jkgpbp32.exe File created C:\Windows\SysWOW64\Pkhjph32.exe Pifnhpmi.exe File created C:\Windows\SysWOW64\Fipkjb32.exe Fbfcmhpg.exe File created C:\Windows\SysWOW64\Mqjbddpl.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 12936 12184 Process not Found 1251 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpebh32.dll" Lnqeqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peieba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gehbjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Komhll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kebbafoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfapoa32.dll" Bhamkipi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doccpcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glebhjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlndj32.dll" Famjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Injdmnab.dll" Jdedak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfngdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blielbfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmadco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcncmnn.dll" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chiblk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emaedo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cppnfc32.dll" Gpaqbbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eejeiocj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnegbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elppfmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmlpoqpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoogfnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfamlc32.dll" Jnhidk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elbmlmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgbdja32.dll" Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpehad32.dll" Ifihif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acigfpbp.dll" Ajndioga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olhlhjpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgmdlaj.dll" Igcoqocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acgolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpecpgjp.dll" Nbcjnilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepkeokh.dll" Okeieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kibgmdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckpbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opqofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnnlaehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpdboimg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhhpop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll" Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckeimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjjbjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npbceggm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqihnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgoeep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljgpkonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnneheln.dll" Hjhalefe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbhll32.dll" Hkikkeeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocaebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qohpkf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 812 wrote to memory of 2352 812 81a888243d247e2aec5978afb78f6200_NeikiAnalytics.exe 83 PID 812 wrote to memory of 2352 812 81a888243d247e2aec5978afb78f6200_NeikiAnalytics.exe 83 PID 812 wrote to memory of 2352 812 81a888243d247e2aec5978afb78f6200_NeikiAnalytics.exe 83 PID 2352 wrote to memory of 4800 2352 Nggqoj32.exe 84 PID 2352 wrote to memory of 4800 2352 Nggqoj32.exe 84 PID 2352 wrote to memory of 4800 2352 Nggqoj32.exe 84 PID 4800 wrote to memory of 220 4800 Okeieh32.exe 85 PID 4800 wrote to memory of 220 4800 Okeieh32.exe 85 PID 4800 wrote to memory of 220 4800 Okeieh32.exe 85 PID 220 wrote to memory of 2928 220 Ondeac32.exe 86 PID 220 wrote to memory of 2928 220 Ondeac32.exe 86 PID 220 wrote to memory of 2928 220 Ondeac32.exe 86 PID 2928 wrote to memory of 916 2928 Oqbamo32.exe 87 PID 2928 wrote to memory of 916 2928 Oqbamo32.exe 87 PID 2928 wrote to memory of 916 2928 Oqbamo32.exe 87 PID 916 wrote to memory of 4664 916 Odnnnnfe.exe 89 PID 916 wrote to memory of 4664 916 Odnnnnfe.exe 89 PID 916 wrote to memory of 4664 916 Odnnnnfe.exe 89 PID 4664 wrote to memory of 3188 4664 Oqgkhnjf.exe 91 PID 4664 wrote to memory of 3188 4664 Oqgkhnjf.exe 91 PID 4664 wrote to memory of 3188 4664 Oqgkhnjf.exe 91 PID 3188 wrote to memory of 1336 3188 Oqihnn32.exe 92 PID 3188 wrote to memory of 1336 3188 Oqihnn32.exe 92 PID 3188 wrote to memory of 1336 3188 Oqihnn32.exe 92 PID 1336 wrote to memory of 4920 1336 Onmhgb32.exe 93 PID 1336 wrote to memory of 4920 1336 Onmhgb32.exe 93 PID 1336 wrote to memory of 4920 1336 Onmhgb32.exe 93 PID 4920 wrote to memory of 1976 4920 Pjdilcla.exe 95 PID 4920 wrote to memory of 1976 4920 Pjdilcla.exe 95 PID 4920 wrote to memory of 1976 4920 Pjdilcla.exe 95 PID 1976 wrote to memory of 1596 1976 Pkceffcd.exe 96 PID 1976 wrote to memory of 1596 1976 Pkceffcd.exe 96 PID 1976 wrote to memory of 1596 1976 Pkceffcd.exe 96 PID 1596 wrote to memory of 4836 1596 Pnbbbabh.exe 97 PID 1596 wrote to memory of 4836 1596 Pnbbbabh.exe 97 PID 1596 wrote to memory of 4836 1596 Pnbbbabh.exe 97 PID 4836 wrote to memory of 3560 4836 Pabkdmpi.exe 98 PID 4836 wrote to memory of 3560 4836 Pabkdmpi.exe 98 PID 4836 wrote to memory of 3560 4836 Pabkdmpi.exe 98 PID 3560 wrote to memory of 1908 3560 Pcagphom.exe 99 PID 3560 wrote to memory of 1908 3560 Pcagphom.exe 99 PID 3560 wrote to memory of 1908 3560 Pcagphom.exe 99 PID 1908 wrote to memory of 2200 1908 Peqcjkfp.exe 100 PID 1908 wrote to memory of 2200 1908 Peqcjkfp.exe 100 PID 1908 wrote to memory of 2200 1908 Peqcjkfp.exe 100 PID 2200 wrote to memory of 4444 2200 Pjmlbbdg.exe 101 PID 2200 wrote to memory of 4444 2200 Pjmlbbdg.exe 101 PID 2200 wrote to memory of 4444 2200 Pjmlbbdg.exe 101 PID 4444 wrote to memory of 2584 4444 Pbddcoei.exe 102 PID 4444 wrote to memory of 2584 4444 Pbddcoei.exe 102 PID 4444 wrote to memory of 2584 4444 Pbddcoei.exe 102 PID 2584 wrote to memory of 3144 2584 Qajadlja.exe 103 PID 2584 wrote to memory of 3144 2584 Qajadlja.exe 103 PID 2584 wrote to memory of 3144 2584 Qajadlja.exe 103 PID 3144 wrote to memory of 2324 3144 Qchmagie.exe 104 PID 3144 wrote to memory of 2324 3144 Qchmagie.exe 104 PID 3144 wrote to memory of 2324 3144 Qchmagie.exe 104 PID 2324 wrote to memory of 1624 2324 Aegikj32.exe 105 PID 2324 wrote to memory of 1624 2324 Aegikj32.exe 105 PID 2324 wrote to memory of 1624 2324 Aegikj32.exe 105 PID 1624 wrote to memory of 4192 1624 Alabgd32.exe 106 PID 1624 wrote to memory of 4192 1624 Alabgd32.exe 106 PID 1624 wrote to memory of 4192 1624 Alabgd32.exe 106 PID 4192 wrote to memory of 4500 4192 Acmflf32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\81a888243d247e2aec5978afb78f6200_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\81a888243d247e2aec5978afb78f6200_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe23⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe24⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe25⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe26⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe27⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe28⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe29⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe30⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe31⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe32⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe33⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe34⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe35⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe36⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe37⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe38⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe40⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe41⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe42⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe43⤵
- Executes dropped EXE
PID:508 -
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe44⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe46⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe47⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe49⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe50⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe51⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe52⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe53⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe55⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4888 -
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe57⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe58⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe59⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe60⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe61⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe62⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe63⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe64⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe65⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe66⤵PID:3796
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe67⤵PID:4620
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe68⤵PID:2400
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe69⤵PID:4416
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe70⤵
- Drops file in System32 directory
PID:4476 -
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe71⤵
- Drops file in System32 directory
PID:4388 -
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe72⤵PID:1136
-
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4708 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe74⤵PID:5056
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe75⤵PID:1812
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe76⤵PID:3108
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe77⤵
- Modifies registry class
PID:4724 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe78⤵
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe79⤵PID:1940
-
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe81⤵PID:1668
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe82⤵PID:3952
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe83⤵PID:4172
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe84⤵PID:1132
-
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe85⤵PID:2104
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe86⤵PID:4604
-
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe87⤵PID:4124
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe88⤵PID:4980
-
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe89⤵PID:4132
-
C:\Windows\SysWOW64\Hkikkeeo.exeC:\Windows\system32\Hkikkeeo.exe90⤵
- Modifies registry class
PID:3764 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe91⤵PID:2256
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe92⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe93⤵PID:5192
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe94⤵PID:5240
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe95⤵PID:5284
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe96⤵PID:5336
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe97⤵PID:5384
-
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe98⤵PID:5436
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe99⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe100⤵PID:5516
-
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe101⤵PID:5556
-
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe102⤵PID:5600
-
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe103⤵PID:5640
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe104⤵PID:5684
-
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe105⤵PID:5732
-
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe106⤵PID:5780
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832 -
C:\Windows\SysWOW64\Jbeidl32.exeC:\Windows\system32\Jbeidl32.exe108⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe109⤵PID:5912
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe110⤵PID:5964
-
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe111⤵PID:6004
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe112⤵PID:6040
-
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe113⤵PID:6084
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe114⤵PID:6128
-
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe115⤵PID:5176
-
C:\Windows\SysWOW64\Kdqejn32.exeC:\Windows\system32\Kdqejn32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Kebbafoj.exeC:\Windows\system32\Kebbafoj.exe117⤵
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Kbfbkj32.exeC:\Windows\system32\Kbfbkj32.exe118⤵PID:5392
-
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe119⤵PID:5472
-
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe120⤵
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe121⤵PID:5628
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-