Analysis
-
max time kernel
145s -
max time network
54s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12-06-2024 03:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1bf6331bece9f3469055deb43fa22760_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
1bf6331bece9f3469055deb43fa22760_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
1bf6331bece9f3469055deb43fa22760_NeikiAnalytics.exe
-
Size
2.7MB
-
MD5
1bf6331bece9f3469055deb43fa22760
-
SHA1
7ed321535289d0f6a3317443c71353ddbcb7953c
-
SHA256
7d25301e529da2b84e0e44de9f2ab89ac9dd46eee418ce8d35ff554629eca6a9
-
SHA512
e97136803ee2cd9da35b4d1f8dc55729573c8e24bd6fa16c24732a36facc5fab7154f6ee36fee8356bae2fcc98081f598657c040f465ed3cba77cd59cacb0714
-
SSDEEP
12288:XmzvBvFqpCtRwKA5p8Wgx+gWVBmLnWrOxNuxC7:mHqEfAL8WJm8MoC7
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppmcdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdehlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqfdnah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mminhceb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illfdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahokfag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaefgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaamlecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjaifp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbkmijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofecami.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogbfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihbijhn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahmfpap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnkhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmdaljn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhfpbpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keakgpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfngap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lankbigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnaeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdqjceo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqpfjnba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhpoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mccfdmmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhnikc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbicpfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkihnmhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbgcih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeenfog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjcolha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pajeam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jekjcaef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhniccb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkjhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhbolp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmdaljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heapdjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbjcolha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpfjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbpdblmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe -
Executes dropped EXE 64 IoCs
pid Process 4228 Jjpeepnb.exe 4248 Jaimbj32.exe 3700 Jidbflcj.exe 2604 Jdjfcecp.exe 1324 Jkfkfohj.exe 4052 Kagichjo.exe 956 Kgdbkohf.exe 2128 Lkdggmlj.exe 2496 Lgbnmm32.exe 1688 Mahbje32.exe 2720 Mgekbljc.exe 2144 Mpaifalo.exe 5112 Mglack32.exe 1304 Mpdelajl.exe 4356 Nnjbke32.exe 4892 Ngcgcjnc.exe 2700 Ndkahnhh.exe 912 Ondeac32.exe 1612 Onfbfc32.exe 1264 Pcjapi32.exe 2276 Pclneicb.exe 5028 Pgmcqggf.exe 3992 Acjjfggb.exe 2544 Ajdbcano.exe 1120 Aanjpk32.exe 440 Adapgfqj.exe 2652 Abbpem32.exe 396 Behbag32.exe 968 Bjdkjo32.exe 220 Bejogg32.exe 4224 Bldgdago.exe 4080 Bbnpqk32.exe 3404 Cehkhecb.exe 3940 Clbceo32.exe 1436 Daaicfgd.exe 1328 Dhkapp32.exe 2280 Dbaemi32.exe 2316 Dddojq32.exe 532 Dkoggkjo.exe 4764 Dahode32.exe 4844 Dhbgqohi.exe 2988 Eolpmi32.exe 3848 Eefhjc32.exe 3640 Ehedfo32.exe 1668 Eoolbinc.exe 5044 Eeidoc32.exe 4540 Ecmeig32.exe 4168 Eekaebcm.exe 4112 Eleiam32.exe 2764 Ecoangbg.exe 3152 Edpnfo32.exe 1752 Ekjfcipa.exe 3396 Ecandfpd.exe 4424 Fljcmlfd.exe 1632 Febgea32.exe 4556 Fkopnh32.exe 4412 Fcfhof32.exe 4420 Flnlhk32.exe 4320 Fchddejl.exe 3632 Fdialn32.exe 4472 Flqimk32.exe 1344 Fckajehi.exe 8 Fhgjblfq.exe 2816 Fkffog32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gaamlecg.exe Gijekg32.exe File created C:\Windows\SysWOW64\Ahqddk32.exe Qohpkf32.exe File created C:\Windows\SysWOW64\Dknnoofg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ecoangbg.exe Eleiam32.exe File created C:\Windows\SysWOW64\Lphoelqn.exe Lmiciaaj.exe File created C:\Windows\SysWOW64\Kageaj32.exe Kjmmepfj.exe File created C:\Windows\SysWOW64\Jdokpl32.dll Mejpje32.exe File opened for modification C:\Windows\SysWOW64\Hhfpbpdo.exe Hbihjifh.exe File opened for modification C:\Windows\SysWOW64\Lljdai32.exe Kofdhd32.exe File created C:\Windows\SysWOW64\Nklinjmj.dll Dbnmke32.exe File created C:\Windows\SysWOW64\Phhhhc32.exe Pfillg32.exe File created C:\Windows\SysWOW64\Ncndec32.dll Plbmokop.exe File created C:\Windows\SysWOW64\Aahbbkaq.exe Aknifq32.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Agimkk32.exe Adkqoohc.exe File opened for modification C:\Windows\SysWOW64\Oqmhqapg.exe Ojcpdg32.exe File created C:\Windows\SysWOW64\Mckdpoji.dll Jgpmmp32.exe File created C:\Windows\SysWOW64\Efcknj32.dll Jehhaaci.exe File created C:\Windows\SysWOW64\Mlklkgei.exe Lhncdi32.exe File created C:\Windows\SysWOW64\Cgpfqchb.dll Jhkbdmbg.exe File opened for modification C:\Windows\SysWOW64\Oponmilc.exe Njefqo32.exe File created C:\Windows\SysWOW64\Hmphmhjc.dll Pgnilpah.exe File created C:\Windows\SysWOW64\Fdhcgaic.exe Fajgkfio.exe File created C:\Windows\SysWOW64\Mklbeh32.dll Bnoknihb.exe File created C:\Windows\SysWOW64\Liabph32.dll Lfeljd32.exe File opened for modification C:\Windows\SysWOW64\Fqbliicp.exe Foapaa32.exe File opened for modification C:\Windows\SysWOW64\Hcbpab32.exe Hmhhehlb.exe File opened for modification C:\Windows\SysWOW64\Aomifecf.exe Aeddnp32.exe File opened for modification C:\Windows\SysWOW64\Hmkigh32.exe Gojiiafp.exe File created C:\Windows\SysWOW64\Afakoidm.dll Ilqoobdd.exe File created C:\Windows\SysWOW64\Mnkhmbin.dll Meiaib32.exe File created C:\Windows\SysWOW64\Nqobhgmh.dll Mhckcgpj.exe File created C:\Windows\SysWOW64\Nenqea32.dll Nngokoej.exe File opened for modification C:\Windows\SysWOW64\Hbgkei32.exe Hhaggp32.exe File opened for modification C:\Windows\SysWOW64\Ilidbbgl.exe Iikhfg32.exe File created C:\Windows\SysWOW64\Npkjmfie.dll Pekbga32.exe File opened for modification C:\Windows\SysWOW64\Nagpeo32.exe Nhokljge.exe File created C:\Windows\SysWOW64\Obnnnc32.exe Process not Found File created C:\Windows\SysWOW64\Bhgejlhj.dll Behbag32.exe File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe Dfpgffpm.exe File opened for modification C:\Windows\SysWOW64\Eoepebho.exe Eqdpgk32.exe File created C:\Windows\SysWOW64\Hhmedh32.dll Aeddnp32.exe File created C:\Windows\SysWOW64\Bnoknihb.exe Bdgged32.exe File created C:\Windows\SysWOW64\Jhkbdmbg.exe Jbojlfdp.exe File created C:\Windows\SysWOW64\Ijkled32.exe Process not Found File created C:\Windows\SysWOW64\Cimhefgb.dll Process not Found File created C:\Windows\SysWOW64\Kjqkei32.dll Ipnjab32.exe File created C:\Windows\SysWOW64\Odqjbebh.dll Hihbijhn.exe File created C:\Windows\SysWOW64\Hfningai.exe Hocqam32.exe File created C:\Windows\SysWOW64\Dgeenfog.exe Dahmfpap.exe File created C:\Windows\SysWOW64\Npbceggm.exe Njfkmphe.exe File created C:\Windows\SysWOW64\Ickchq32.exe Ildkgc32.exe File created C:\Windows\SysWOW64\Iledokkp.dll Ildkgc32.exe File opened for modification C:\Windows\SysWOW64\Njjdho32.exe Nqbpojnp.exe File created C:\Windows\SysWOW64\Pnfeqknj.dll Ghaliknf.exe File created C:\Windows\SysWOW64\Achhaode.dll Fhabbp32.exe File created C:\Windows\SysWOW64\Negcig32.dll Acmobchj.exe File created C:\Windows\SysWOW64\Mlgjhp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hobkfd32.exe Hihbijhn.exe File opened for modification C:\Windows\SysWOW64\Ndcdmikd.exe Nnjlpo32.exe File opened for modification C:\Windows\SysWOW64\Boipmj32.exe Bmkcqn32.exe File opened for modification C:\Windows\SysWOW64\Inmgmijo.exe Ikokan32.exe File created C:\Windows\SysWOW64\Lkdggmlj.exe Kgdbkohf.exe File created C:\Windows\SysWOW64\Hfifmnij.exe Hmabdibj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afoeiklb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgonlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll" Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqppci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdajb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bochmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkcndeen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnidao32.dll" Igpdfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghfphob.dll" Ieidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amqhbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geaepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgmbieme.dll" Eeidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklbcn32.dll" Kenggi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqilgmdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeehbgh.dll" Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll" Qqijje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" Dfpgffpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnkhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoaecol.dll" Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flnlhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcinbcgc.dll" Ifefimom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfngdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgbnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpodlbng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmmde32.dll" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmipm32.dll" Dkhgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kihnmohm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Facqkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll" Olhlhjpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Locbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipcmii32.dll" Qfbobf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lojkhk32.dll" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbmpk32.dll" Dmoohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll" Klimip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaopfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjlbppk.dll" Jhlgfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghklce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhfhnmm.dll" Jkhngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffangg32.dll" Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkolmml.dll" Fchddejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefklj32.dll" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phajna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emphocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll" Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhinoa32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpolbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnfhilh.dll" Hhaggp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1888 wrote to memory of 4228 1888 1bf6331bece9f3469055deb43fa22760_NeikiAnalytics.exe 82 PID 1888 wrote to memory of 4228 1888 1bf6331bece9f3469055deb43fa22760_NeikiAnalytics.exe 82 PID 1888 wrote to memory of 4228 1888 1bf6331bece9f3469055deb43fa22760_NeikiAnalytics.exe 82 PID 4228 wrote to memory of 4248 4228 Jjpeepnb.exe 83 PID 4228 wrote to memory of 4248 4228 Jjpeepnb.exe 83 PID 4228 wrote to memory of 4248 4228 Jjpeepnb.exe 83 PID 4248 wrote to memory of 3700 4248 Jaimbj32.exe 84 PID 4248 wrote to memory of 3700 4248 Jaimbj32.exe 84 PID 4248 wrote to memory of 3700 4248 Jaimbj32.exe 84 PID 3700 wrote to memory of 2604 3700 Jidbflcj.exe 85 PID 3700 wrote to memory of 2604 3700 Jidbflcj.exe 85 PID 3700 wrote to memory of 2604 3700 Jidbflcj.exe 85 PID 2604 wrote to memory of 1324 2604 Jdjfcecp.exe 88 PID 2604 wrote to memory of 1324 2604 Jdjfcecp.exe 88 PID 2604 wrote to memory of 1324 2604 Jdjfcecp.exe 88 PID 1324 wrote to memory of 4052 1324 Jkfkfohj.exe 89 PID 1324 wrote to memory of 4052 1324 Jkfkfohj.exe 89 PID 1324 wrote to memory of 4052 1324 Jkfkfohj.exe 89 PID 4052 wrote to memory of 956 4052 Kagichjo.exe 90 PID 4052 wrote to memory of 956 4052 Kagichjo.exe 90 PID 4052 wrote to memory of 956 4052 Kagichjo.exe 90 PID 956 wrote to memory of 2128 956 Kgdbkohf.exe 91 PID 956 wrote to memory of 2128 956 Kgdbkohf.exe 91 PID 956 wrote to memory of 2128 956 Kgdbkohf.exe 91 PID 2128 wrote to memory of 2496 2128 Lkdggmlj.exe 92 PID 2128 wrote to memory of 2496 2128 Lkdggmlj.exe 92 PID 2128 wrote to memory of 2496 2128 Lkdggmlj.exe 92 PID 2496 wrote to memory of 1688 2496 Lgbnmm32.exe 93 PID 2496 wrote to memory of 1688 2496 Lgbnmm32.exe 93 PID 2496 wrote to memory of 1688 2496 Lgbnmm32.exe 93 PID 1688 wrote to memory of 2720 1688 Mahbje32.exe 94 PID 1688 wrote to memory of 2720 1688 Mahbje32.exe 94 PID 1688 wrote to memory of 2720 1688 Mahbje32.exe 94 PID 2720 wrote to memory of 2144 2720 Mgekbljc.exe 95 PID 2720 wrote to memory of 2144 2720 Mgekbljc.exe 95 PID 2720 wrote to memory of 2144 2720 Mgekbljc.exe 95 PID 2144 wrote to memory of 5112 2144 Mpaifalo.exe 96 PID 2144 wrote to memory of 5112 2144 Mpaifalo.exe 96 PID 2144 wrote to memory of 5112 2144 Mpaifalo.exe 96 PID 5112 wrote to memory of 1304 5112 Mglack32.exe 97 PID 5112 wrote to memory of 1304 5112 Mglack32.exe 97 PID 5112 wrote to memory of 1304 5112 Mglack32.exe 97 PID 1304 wrote to memory of 4356 1304 Mpdelajl.exe 98 PID 1304 wrote to memory of 4356 1304 Mpdelajl.exe 98 PID 1304 wrote to memory of 4356 1304 Mpdelajl.exe 98 PID 4356 wrote to memory of 4892 4356 Nnjbke32.exe 99 PID 4356 wrote to memory of 4892 4356 Nnjbke32.exe 99 PID 4356 wrote to memory of 4892 4356 Nnjbke32.exe 99 PID 4892 wrote to memory of 2700 4892 Ngcgcjnc.exe 100 PID 4892 wrote to memory of 2700 4892 Ngcgcjnc.exe 100 PID 4892 wrote to memory of 2700 4892 Ngcgcjnc.exe 100 PID 2700 wrote to memory of 912 2700 Ndkahnhh.exe 101 PID 2700 wrote to memory of 912 2700 Ndkahnhh.exe 101 PID 2700 wrote to memory of 912 2700 Ndkahnhh.exe 101 PID 912 wrote to memory of 1612 912 Ondeac32.exe 102 PID 912 wrote to memory of 1612 912 Ondeac32.exe 102 PID 912 wrote to memory of 1612 912 Ondeac32.exe 102 PID 1612 wrote to memory of 1264 1612 Onfbfc32.exe 103 PID 1612 wrote to memory of 1264 1612 Onfbfc32.exe 103 PID 1612 wrote to memory of 1264 1612 Onfbfc32.exe 103 PID 1264 wrote to memory of 2276 1264 Pcjapi32.exe 104 PID 1264 wrote to memory of 2276 1264 Pcjapi32.exe 104 PID 1264 wrote to memory of 2276 1264 Pcjapi32.exe 104 PID 2276 wrote to memory of 5028 2276 Pclneicb.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\1bf6331bece9f3469055deb43fa22760_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1bf6331bece9f3469055deb43fa22760_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Lkdggmlj.exeC:\Windows\system32\Lkdggmlj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe23⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe24⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe25⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe26⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe27⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe28⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:396 -
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe30⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe31⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe32⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe33⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe34⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe35⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe36⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe37⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe38⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe39⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe40⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe41⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe42⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe43⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe44⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe45⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe46⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:5044 -
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe48⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe49⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4112 -
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe51⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe52⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe53⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Ecandfpd.exeC:\Windows\system32\Ecandfpd.exe54⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe55⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe56⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe57⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe58⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4420 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4320 -
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe61⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe62⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe63⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe64⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe65⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe66⤵PID:1524
-
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe67⤵PID:1860
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe68⤵PID:3076
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3428 -
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe70⤵PID:612
-
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe71⤵PID:3600
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe72⤵PID:2876
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe73⤵PID:4820
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe74⤵PID:1108
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe75⤵PID:3804
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe76⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe77⤵PID:264
-
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe78⤵PID:4532
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe79⤵PID:3844
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe80⤵PID:3356
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe81⤵PID:4620
-
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe82⤵
- Drops file in System32 directory
PID:3320 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe83⤵PID:2424
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4504 -
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe85⤵PID:2616
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe86⤵PID:3360
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe87⤵PID:3948
-
C:\Windows\SysWOW64\Heapdjlp.exeC:\Windows\system32\Heapdjlp.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4280 -
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe89⤵
- Drops file in System32 directory
PID:3456 -
C:\Windows\SysWOW64\Hcbpab32.exeC:\Windows\system32\Hcbpab32.exe90⤵PID:3768
-
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe91⤵PID:820
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe92⤵PID:3080
-
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe93⤵PID:4084
-
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe94⤵PID:4484
-
C:\Windows\SysWOW64\Immapg32.exeC:\Windows\system32\Immapg32.exe95⤵PID:2136
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe96⤵PID:1348
-
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe97⤵
- Modifies registry class
PID:4804 -
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe98⤵PID:2464
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe99⤵
- Drops file in System32 directory
PID:4728 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe100⤵PID:2948
-
C:\Windows\SysWOW64\Iifokh32.exeC:\Windows\system32\Iifokh32.exe101⤵PID:1140
-
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe102⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe103⤵PID:668
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe104⤵PID:3264
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe105⤵PID:4372
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe106⤵PID:3316
-
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe107⤵
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe108⤵PID:5148
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe109⤵PID:5196
-
C:\Windows\SysWOW64\Jimekgff.exeC:\Windows\system32\Jimekgff.exe110⤵PID:5240
-
C:\Windows\SysWOW64\Jpgmha32.exeC:\Windows\system32\Jpgmha32.exe111⤵PID:5288
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe112⤵PID:5340
-
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe113⤵PID:5384
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe114⤵PID:5428
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe115⤵PID:5488
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5540 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe117⤵PID:5588
-
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe118⤵PID:5632
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe119⤵PID:5676
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe120⤵PID:5720
-
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe121⤵PID:5764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-