Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16/06/2024, 21:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
09c9b3009fca3b0d308a8f8930671c60_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
09c9b3009fca3b0d308a8f8930671c60_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
09c9b3009fca3b0d308a8f8930671c60_NeikiAnalytics.exe
-
Size
370KB
-
MD5
09c9b3009fca3b0d308a8f8930671c60
-
SHA1
927769715d4aed32bc425cd2e0a48feebbc219b4
-
SHA256
eeb23c0d78197aca056df94cc481a1fb4a78848cdff750fa1dcf54aa3cec4f24
-
SHA512
6c9599d71ad908f07430305798c26428f2a6cff1bf9797f6c2fb655db53678a3bef176fd99cac26720b30bd27ad9164d2308cbdd16c779a00b963bec67c999ac
-
SSDEEP
6144:5sAZ/4tmz52glEzs4LPd54Q///NR5fLYG3eujPQ///NR5f:mi/R523s2V5j/NcZ7/N
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdaajd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodgei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpicj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmoodbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cldjkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papnhbgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkkldg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igabdekb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidopn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfoad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifnkeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejpnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mclpbqal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpcmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaekmdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdgdpdgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helfbqeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnonla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gedfblql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bminokil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llpofd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njcpok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilbnkiba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fobomglo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jljiimeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acgfec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgpibdam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hllcfnhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkbdllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdgcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkddeag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbgag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeeomegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfjjkgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjanjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcboan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingpgcmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggbmafnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmmfbfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmfel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caebfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcilgco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbefln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cemndbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgeqcnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbfcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphmafm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaodkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkepeaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhqaokcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjkjjmlf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifaepolg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaifbg32.exe -
Executes dropped EXE 64 IoCs
pid Process 1712 Bpjmph32.exe 4188 Dcibca32.exe 1536 Ekqckmfb.exe 4580 Fgnjqm32.exe 224 Gkoplk32.exe 996 Gcqjal32.exe 3724 Hccggl32.exe 4280 Hnkhjdle.exe 4648 Hbknebqi.exe 2196 Iccpniqp.exe 1200 Ijpepcfj.exe 4608 Jjdokb32.exe 2496 Jlfhke32.exe 3044 Jbbmmo32.exe 3800 Kdhbpf32.exe 2620 Kdmlkfjb.exe 4392 Khkdad32.exe 1352 Laffpi32.exe 4508 Ldfoad32.exe 3152 Lajokiaa.exe 4264 Mklfjm32.exe 2292 Nhbciqln.exe 3176 Nfiagd32.exe 4312 Nkhfek32.exe 896 Oljoen32.exe 2076 Obkahddl.exe 916 Pdngpo32.exe 4148 Pofhbgmn.exe 320 Qfgfpp32.exe 4824 Aeopfl32.exe 4412 Acdioc32.exe 1568 Acgfec32.exe 4244 Bclppboi.exe 4748 Bpemkcck.exe 4360 Bbefln32.exe 4444 Cehlcikj.exe 3788 Cfjeckpj.exe 832 Cfmahknh.exe 3708 Dpefaq32.exe 884 Dmnpfd32.exe 3560 Dmplkd32.exe 1004 Egknji32.exe 4776 Egmjpi32.exe 2100 Emioab32.exe 752 Eegqldqg.exe 2120 Fcmnkh32.exe 5096 Fgkfqgce.exe 876 Fnglcqio.exe 2968 Ggbmafnm.exe 3088 Gdfmkjlg.exe 4440 Gnoacp32.exe 1084 Gjhonp32.exe 1880 Gglpgd32.exe 4592 Hqddqj32.exe 2624 Hgpibdam.exe 736 Hcgjhega.exe 4828 Hnokjm32.exe 3280 Iggocbke.exe 1016 Idkpmgjo.exe 4908 Icqmncof.exe 3172 Ifaepolg.exe 3996 Igqbiacj.exe 928 Iaifbg32.exe 660 Jmpgghoo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cdfbbhdp.exe Caeiam32.exe File opened for modification C:\Windows\SysWOW64\Cioifm32.exe Ckkilhjm.exe File created C:\Windows\SysWOW64\Lggfolgj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Imfmgcdn.exe Ifihdi32.exe File created C:\Windows\SysWOW64\Femigg32.exe Faopah32.exe File created C:\Windows\SysWOW64\Moajmk32.exe Moomgl32.exe File created C:\Windows\SysWOW64\Bddcocff.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nkboeobh.exe Ndhgie32.exe File created C:\Windows\SysWOW64\Ifmgpfog.dll Ncecioib.exe File created C:\Windows\SysWOW64\Djihhoao.exe Dlegokbe.exe File opened for modification C:\Windows\SysWOW64\Ifihdi32.exe Ioppho32.exe File created C:\Windows\SysWOW64\Ipihkobl.exe Hfacai32.exe File opened for modification C:\Windows\SysWOW64\Hjimaole.exe Hdlhoefk.exe File created C:\Windows\SysWOW64\Nhcibd32.dll Kgkfil32.exe File created C:\Windows\SysWOW64\Lcgagm32.dll Gcqjal32.exe File opened for modification C:\Windows\SysWOW64\Mankaked.exe Mfhgcbfo.exe File created C:\Windows\SysWOW64\Ijgjpaao.exe Ikejbjip.exe File created C:\Windows\SysWOW64\Ahkkhnpg.exe Ahinbo32.exe File opened for modification C:\Windows\SysWOW64\Pgcpdn32.exe Onklkhnn.exe File created C:\Windows\SysWOW64\Eaekmdep.exe Dgpgplej.exe File opened for modification C:\Windows\SysWOW64\Ambgnl32.exe Aegbji32.exe File created C:\Windows\SysWOW64\Eaonccme.exe Eopbghnb.exe File created C:\Windows\SysWOW64\Faoqjagk.dll Nhafcd32.exe File created C:\Windows\SysWOW64\Ligiodee.dll Imgbdh32.exe File opened for modification C:\Windows\SysWOW64\Lfeldj32.exe Process not Found File created C:\Windows\SysWOW64\Oiijig32.dll Jddnah32.exe File created C:\Windows\SysWOW64\Mhbakk32.exe Mbfmha32.exe File created C:\Windows\SysWOW64\Dogcjkih.dll Lalchm32.exe File opened for modification C:\Windows\SysWOW64\Pgiojf32.exe Pqpgnl32.exe File opened for modification C:\Windows\SysWOW64\Diopep32.exe Dojlhg32.exe File created C:\Windows\SysWOW64\Femdjbab.dll Ifihdi32.exe File created C:\Windows\SysWOW64\Golcak32.exe Gbecljnl.exe File opened for modification C:\Windows\SysWOW64\Cddjofbj.exe Cmkehicj.exe File created C:\Windows\SysWOW64\Mpadpm32.dll Gbmaog32.exe File created C:\Windows\SysWOW64\Dkahba32.exe Process not Found File created C:\Windows\SysWOW64\Efacbf32.dll Jjknakhq.exe File opened for modification C:\Windows\SysWOW64\Ncgiolkk.exe Process not Found File created C:\Windows\SysWOW64\Ekkkip32.exe Process not Found File created C:\Windows\SysWOW64\Ogicdj32.dll Process not Found File created C:\Windows\SysWOW64\Lgokfblh.dll Dhmgfm32.exe File created C:\Windows\SysWOW64\Kdgcne32.exe Kdeghfhj.exe File created C:\Windows\SysWOW64\Ejiqom32.exe Ejgdim32.exe File created C:\Windows\SysWOW64\Hfacai32.exe Hadkib32.exe File created C:\Windows\SysWOW64\Hdcnpd32.exe Hdaajd32.exe File opened for modification C:\Windows\SysWOW64\Pcmeek32.exe Pakleh32.exe File created C:\Windows\SysWOW64\Ndblob32.dll Process not Found File created C:\Windows\SysWOW64\Okqbac32.exe Oojalb32.exe File created C:\Windows\SysWOW64\Jfgefg32.exe Jgbhdkml.exe File created C:\Windows\SysWOW64\Gmggpekm.exe Gbabblkg.exe File opened for modification C:\Windows\SysWOW64\Phbhlcpi.exe Peaokh32.exe File created C:\Windows\SysWOW64\Ohjmmjng.dll Gjhonp32.exe File opened for modification C:\Windows\SysWOW64\Jagqfp32.exe Jbfphh32.exe File created C:\Windows\SysWOW64\Nkijbooo.exe Nkgmmpab.exe File created C:\Windows\SysWOW64\Peahpa32.exe Process not Found File created C:\Windows\SysWOW64\Ejpnin32.exe Dhqaokcd.exe File created C:\Windows\SysWOW64\Fnjhccnd.exe Fhmpkmpm.exe File opened for modification C:\Windows\SysWOW64\Ibdiln32.exe Ikjapden.exe File created C:\Windows\SysWOW64\Odiekomi.dll Cdicje32.exe File created C:\Windows\SysWOW64\Hjokhh32.dll Jlidkh32.exe File created C:\Windows\SysWOW64\Klpaep32.exe Process not Found File created C:\Windows\SysWOW64\Baaoen32.dll Ibdiln32.exe File opened for modification C:\Windows\SysWOW64\Cabofaaj.exe Cpbbln32.exe File created C:\Windows\SysWOW64\Eknanh32.dll Nfiagd32.exe File created C:\Windows\SysWOW64\Noabkh32.dll Eegqldqg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohmepbki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khmjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmiifb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeofoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benoof32.dll" Ijolhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdllffpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Becknc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bndblcdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdhhgmj.dll" Bcjlld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpefaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdllffpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibjibg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmalme.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojmda32.dll" Egmjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkgmmpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgiojf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efhcld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpabho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbecljnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgplai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inpclnnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjgcp32.dll" Ajphagha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmcpl32.dll" Lcejmeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdphhoqn.dll" Kmgdaokh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbgge32.dll" Gkianp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehfdaje.dll" Kiejfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldajki.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifdccf32.dll" Eaonccme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbcbhpn.dll" Mhbmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgoibfd.dll" Gkdaij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmfhjhdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nifele32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgpmdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhfcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llpofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjmdeij.dll" Phbhlcpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihnci32.dll" Oidopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgopbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekkmhd32.dll" Fpejec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anncek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppgeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgbaigln.dll" Mgidgakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idfhibdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgoijppn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdmdng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhalcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghpehjph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdgdpdgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhbmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laffpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijgjpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcddlhgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agqekeeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgaelcgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flpkcbqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjneikmp.dll" Pmgcoaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4028 wrote to memory of 1712 4028 09c9b3009fca3b0d308a8f8930671c60_NeikiAnalytics.exe 91 PID 4028 wrote to memory of 1712 4028 09c9b3009fca3b0d308a8f8930671c60_NeikiAnalytics.exe 91 PID 4028 wrote to memory of 1712 4028 09c9b3009fca3b0d308a8f8930671c60_NeikiAnalytics.exe 91 PID 1712 wrote to memory of 4188 1712 Bpjmph32.exe 92 PID 1712 wrote to memory of 4188 1712 Bpjmph32.exe 92 PID 1712 wrote to memory of 4188 1712 Bpjmph32.exe 92 PID 4188 wrote to memory of 1536 4188 Dcibca32.exe 93 PID 4188 wrote to memory of 1536 4188 Dcibca32.exe 93 PID 4188 wrote to memory of 1536 4188 Dcibca32.exe 93 PID 1536 wrote to memory of 4580 1536 Ekqckmfb.exe 94 PID 1536 wrote to memory of 4580 1536 Ekqckmfb.exe 94 PID 1536 wrote to memory of 4580 1536 Ekqckmfb.exe 94 PID 4580 wrote to memory of 224 4580 Fgnjqm32.exe 95 PID 4580 wrote to memory of 224 4580 Fgnjqm32.exe 95 PID 4580 wrote to memory of 224 4580 Fgnjqm32.exe 95 PID 224 wrote to memory of 996 224 Gkoplk32.exe 96 PID 224 wrote to memory of 996 224 Gkoplk32.exe 96 PID 224 wrote to memory of 996 224 Gkoplk32.exe 96 PID 996 wrote to memory of 3724 996 Gcqjal32.exe 97 PID 996 wrote to memory of 3724 996 Gcqjal32.exe 97 PID 996 wrote to memory of 3724 996 Gcqjal32.exe 97 PID 3724 wrote to memory of 4280 3724 Hccggl32.exe 98 PID 3724 wrote to memory of 4280 3724 Hccggl32.exe 98 PID 3724 wrote to memory of 4280 3724 Hccggl32.exe 98 PID 4280 wrote to memory of 4648 4280 Hnkhjdle.exe 99 PID 4280 wrote to memory of 4648 4280 Hnkhjdle.exe 99 PID 4280 wrote to memory of 4648 4280 Hnkhjdle.exe 99 PID 4648 wrote to memory of 2196 4648 Hbknebqi.exe 100 PID 4648 wrote to memory of 2196 4648 Hbknebqi.exe 100 PID 4648 wrote to memory of 2196 4648 Hbknebqi.exe 100 PID 2196 wrote to memory of 1200 2196 Iccpniqp.exe 101 PID 2196 wrote to memory of 1200 2196 Iccpniqp.exe 101 PID 2196 wrote to memory of 1200 2196 Iccpniqp.exe 101 PID 1200 wrote to memory of 4608 1200 Ijpepcfj.exe 102 PID 1200 wrote to memory of 4608 1200 Ijpepcfj.exe 102 PID 1200 wrote to memory of 4608 1200 Ijpepcfj.exe 102 PID 4608 wrote to memory of 2496 4608 Jjdokb32.exe 103 PID 4608 wrote to memory of 2496 4608 Jjdokb32.exe 103 PID 4608 wrote to memory of 2496 4608 Jjdokb32.exe 103 PID 2496 wrote to memory of 3044 2496 Jlfhke32.exe 104 PID 2496 wrote to memory of 3044 2496 Jlfhke32.exe 104 PID 2496 wrote to memory of 3044 2496 Jlfhke32.exe 104 PID 3044 wrote to memory of 3800 3044 Jbbmmo32.exe 105 PID 3044 wrote to memory of 3800 3044 Jbbmmo32.exe 105 PID 3044 wrote to memory of 3800 3044 Jbbmmo32.exe 105 PID 3800 wrote to memory of 2620 3800 Kdhbpf32.exe 106 PID 3800 wrote to memory of 2620 3800 Kdhbpf32.exe 106 PID 3800 wrote to memory of 2620 3800 Kdhbpf32.exe 106 PID 2620 wrote to memory of 4392 2620 Kdmlkfjb.exe 107 PID 2620 wrote to memory of 4392 2620 Kdmlkfjb.exe 107 PID 2620 wrote to memory of 4392 2620 Kdmlkfjb.exe 107 PID 4392 wrote to memory of 1352 4392 Khkdad32.exe 108 PID 4392 wrote to memory of 1352 4392 Khkdad32.exe 108 PID 4392 wrote to memory of 1352 4392 Khkdad32.exe 108 PID 1352 wrote to memory of 4508 1352 Laffpi32.exe 109 PID 1352 wrote to memory of 4508 1352 Laffpi32.exe 109 PID 1352 wrote to memory of 4508 1352 Laffpi32.exe 109 PID 4508 wrote to memory of 3152 4508 Ldfoad32.exe 110 PID 4508 wrote to memory of 3152 4508 Ldfoad32.exe 110 PID 4508 wrote to memory of 3152 4508 Ldfoad32.exe 110 PID 3152 wrote to memory of 4264 3152 Lajokiaa.exe 111 PID 3152 wrote to memory of 4264 3152 Lajokiaa.exe 111 PID 3152 wrote to memory of 4264 3152 Lajokiaa.exe 111 PID 4264 wrote to memory of 2292 4264 Mklfjm32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\09c9b3009fca3b0d308a8f8930671c60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\09c9b3009fca3b0d308a8f8930671c60_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Bpjmph32.exeC:\Windows\system32\Bpjmph32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Dcibca32.exeC:\Windows\system32\Dcibca32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Ekqckmfb.exeC:\Windows\system32\Ekqckmfb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Fgnjqm32.exeC:\Windows\system32\Fgnjqm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Gcqjal32.exeC:\Windows\system32\Gcqjal32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Hnkhjdle.exeC:\Windows\system32\Hnkhjdle.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Hbknebqi.exeC:\Windows\system32\Hbknebqi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Ijpepcfj.exeC:\Windows\system32\Ijpepcfj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Jlfhke32.exeC:\Windows\system32\Jlfhke32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Kdhbpf32.exeC:\Windows\system32\Kdhbpf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Khkdad32.exeC:\Windows\system32\Khkdad32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Lajokiaa.exeC:\Windows\system32\Lajokiaa.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Mklfjm32.exeC:\Windows\system32\Mklfjm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe23⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3176 -
C:\Windows\SysWOW64\Nkhfek32.exeC:\Windows\system32\Nkhfek32.exe25⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe26⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe27⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe28⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe29⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe30⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe31⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe32⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe34⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe35⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe37⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe38⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Cfmahknh.exeC:\Windows\system32\Cfmahknh.exe39⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3708 -
C:\Windows\SysWOW64\Dmnpfd32.exeC:\Windows\system32\Dmnpfd32.exe41⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe42⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Egknji32.exeC:\Windows\system32\Egknji32.exe43⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Egmjpi32.exeC:\Windows\system32\Egmjpi32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe45⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Eegqldqg.exeC:\Windows\system32\Eegqldqg.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:752 -
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe47⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe48⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe49⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ggbmafnm.exeC:\Windows\system32\Ggbmafnm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe51⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Gnoacp32.exeC:\Windows\system32\Gnoacp32.exe52⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Gjhonp32.exeC:\Windows\system32\Gjhonp32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe54⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe55⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Hgpibdam.exeC:\Windows\system32\Hgpibdam.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Hcgjhega.exeC:\Windows\system32\Hcgjhega.exe57⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Hnokjm32.exeC:\Windows\system32\Hnokjm32.exe58⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Iggocbke.exeC:\Windows\system32\Iggocbke.exe59⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Idkpmgjo.exeC:\Windows\system32\Idkpmgjo.exe60⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Icqmncof.exeC:\Windows\system32\Icqmncof.exe61⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Ifaepolg.exeC:\Windows\system32\Ifaepolg.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Igqbiacj.exeC:\Windows\system32\Igqbiacj.exe63⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe65⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe66⤵PID:2632
-
C:\Windows\SysWOW64\Jclljaei.exeC:\Windows\system32\Jclljaei.exe67⤵PID:3008
-
C:\Windows\SysWOW64\Japmcfcc.exeC:\Windows\system32\Japmcfcc.exe68⤵PID:2152
-
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe69⤵PID:5136
-
C:\Windows\SysWOW64\Jjknakhq.exeC:\Windows\system32\Jjknakhq.exe70⤵
- Drops file in System32 directory
PID:5196 -
C:\Windows\SysWOW64\Kfdklllb.exeC:\Windows\system32\Kfdklllb.exe71⤵PID:5240
-
C:\Windows\SysWOW64\Kffhakjp.exeC:\Windows\system32\Kffhakjp.exe72⤵PID:5288
-
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe73⤵PID:5348
-
C:\Windows\SysWOW64\Mmcfkc32.exeC:\Windows\system32\Mmcfkc32.exe74⤵PID:5400
-
C:\Windows\SysWOW64\Mmebpbod.exeC:\Windows\system32\Mmebpbod.exe75⤵PID:5444
-
C:\Windows\SysWOW64\Mkicjgnn.exeC:\Windows\system32\Mkicjgnn.exe76⤵PID:5480
-
C:\Windows\SysWOW64\Meoggpmd.exeC:\Windows\system32\Meoggpmd.exe77⤵PID:5532
-
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe78⤵PID:5608
-
C:\Windows\SysWOW64\Ndinck32.exeC:\Windows\system32\Ndinck32.exe79⤵PID:5656
-
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe80⤵PID:5708
-
C:\Windows\SysWOW64\Oojalb32.exeC:\Windows\system32\Oojalb32.exe81⤵
- Drops file in System32 directory
PID:5748 -
C:\Windows\SysWOW64\Okqbac32.exeC:\Windows\system32\Okqbac32.exe82⤵PID:5792
-
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe83⤵PID:5840
-
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe84⤵PID:5892
-
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe85⤵
- Modifies registry class
PID:5948 -
C:\Windows\SysWOW64\Pbfjjlgc.exeC:\Windows\system32\Pbfjjlgc.exe86⤵PID:6000
-
C:\Windows\SysWOW64\Phbolflm.exeC:\Windows\system32\Phbolflm.exe87⤵PID:6048
-
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe88⤵PID:6100
-
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe89⤵
- Modifies registry class
PID:3932 -
C:\Windows\SysWOW64\Adnilfnl.exeC:\Windows\system32\Adnilfnl.exe90⤵PID:5172
-
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe91⤵PID:5276
-
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5356 -
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe93⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Bomppneg.exeC:\Windows\system32\Bomppneg.exe94⤵PID:5516
-
C:\Windows\SysWOW64\Bbniai32.exeC:\Windows\system32\Bbniai32.exe95⤵PID:5584
-
C:\Windows\SysWOW64\Bpaikm32.exeC:\Windows\system32\Bpaikm32.exe96⤵PID:5692
-
C:\Windows\SysWOW64\Bijncb32.exeC:\Windows\system32\Bijncb32.exe97⤵PID:5784
-
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe98⤵PID:5880
-
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe99⤵PID:5980
-
C:\Windows\SysWOW64\Becknc32.exeC:\Windows\system32\Becknc32.exe100⤵
- Modifies registry class
PID:6056 -
C:\Windows\SysWOW64\Clmckmcq.exeC:\Windows\system32\Clmckmcq.exe101⤵PID:6128
-
C:\Windows\SysWOW64\Cfbhhfbg.exeC:\Windows\system32\Cfbhhfbg.exe102⤵PID:5248
-
C:\Windows\SysWOW64\Chddpn32.exeC:\Windows\system32\Chddpn32.exe103⤵PID:5376
-
C:\Windows\SysWOW64\Cicqja32.exeC:\Windows\system32\Cicqja32.exe104⤵PID:5528
-
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5648 -
C:\Windows\SysWOW64\Cemndbci.exeC:\Windows\system32\Cemndbci.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5856 -
C:\Windows\SysWOW64\Cpbbak32.exeC:\Windows\system32\Cpbbak32.exe107⤵PID:5936
-
C:\Windows\SysWOW64\Dhmgfm32.exeC:\Windows\system32\Dhmgfm32.exe108⤵
- Drops file in System32 directory
PID:6088 -
C:\Windows\SysWOW64\Dbckcf32.exeC:\Windows\system32\Dbckcf32.exe109⤵PID:5368
-
C:\Windows\SysWOW64\Dhpdkm32.exeC:\Windows\system32\Dhpdkm32.exe110⤵PID:5636
-
C:\Windows\SysWOW64\Dojlhg32.exeC:\Windows\system32\Dojlhg32.exe111⤵
- Drops file in System32 directory
PID:5756 -
C:\Windows\SysWOW64\Diopep32.exeC:\Windows\system32\Diopep32.exe112⤵PID:5988
-
C:\Windows\SysWOW64\Dolinf32.exeC:\Windows\system32\Dolinf32.exe113⤵PID:5864
-
C:\Windows\SysWOW64\Elilmi32.exeC:\Windows\system32\Elilmi32.exe114⤵PID:5724
-
C:\Windows\SysWOW64\Eeaqfo32.exeC:\Windows\system32\Eeaqfo32.exe115⤵PID:6108
-
C:\Windows\SysWOW64\Efampahd.exeC:\Windows\system32\Efampahd.exe116⤵PID:5848
-
C:\Windows\SysWOW64\Fefjanml.exeC:\Windows\system32\Fefjanml.exe117⤵PID:5224
-
C:\Windows\SysWOW64\Foakpc32.exeC:\Windows\system32\Foakpc32.exe118⤵PID:6140
-
C:\Windows\SysWOW64\Fifomlap.exeC:\Windows\system32\Fifomlap.exe119⤵PID:6156
-
C:\Windows\SysWOW64\Fempbm32.exeC:\Windows\system32\Fempbm32.exe120⤵PID:6200
-
C:\Windows\SysWOW64\Fikihlmj.exeC:\Windows\system32\Fikihlmj.exe121⤵PID:6244
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-