Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
17/06/2024, 08:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe
-
Size
89KB
-
MD5
6aefc52868d520c19e59b29bfed873f0
-
SHA1
0e3a0f7c8ef831475cb5745acf87852b9666f917
-
SHA256
ffa753759893b8acd618153ec461e31430166e85e960955cc185cb733e3e6ae7
-
SHA512
17097b2f98ba1aa1f573eeb70d2b044007240165b28925a446deff2d7ab0a49bdbab709dc53d65a1b36ceb5b19da5a31ebb20e73b45ddc748c74f276917e2f8e
-
SSDEEP
1536:ELoqHS+tBfVydPzbqLpRtz6aDQ4xDuAkb20UMcWlExkg8F:ELhHtBfkR0/gaDQ4IAOOMcWlakgw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfqmfde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foabofnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hopnqdan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdehlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcgffqei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbfpobpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgikfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncihikcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcefno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgimcebb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckndeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkmhlekj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmcojh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabkdmpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbdholl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgneampk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anbkio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmngglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pagdol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmaioo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhbgqohi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmlcbbcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmkjkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qecppkdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooeif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jeaikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nilcjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocnjidkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ficgacna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfedle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibeql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpojcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkjmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jioaqfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpgfooop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgqeappe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjpckf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdida32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kagichjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhqjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blfdia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffgqqaip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anfmjhmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbenm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldaeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahhblemi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Conclk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnjgmle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfqlnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmaioo32.exe -
Executes dropped EXE 64 IoCs
pid Process 4596 Epmcab32.exe 1852 Ebnoikqb.exe 4208 Ejegjh32.exe 2288 Epopgbia.exe 3544 Ebploj32.exe 2472 Ehjdldfl.exe 220 Eqalmafo.exe 4848 Ejjqeg32.exe 1884 Eqciba32.exe 1860 Ecbenm32.exe 1760 Efpajh32.exe 4656 Emjjgbjp.exe 4108 Eoifcnid.exe 5080 Fbgbpihg.exe 332 Fjnjqfij.exe 640 Fmmfmbhn.exe 1188 Fcgoilpj.exe 2548 Ficgacna.exe 3484 Fomonm32.exe 3580 Ffggkgmk.exe 2300 Fifdgblo.exe 4236 Fbnhphbp.exe 316 Ffjdqg32.exe 1936 Fqohnp32.exe 2676 Fbqefhpm.exe 2436 Fqaeco32.exe 2252 Gbcakg32.exe 4460 Gimjhafg.exe 3892 Gmhfhp32.exe 2164 Gfqjafdq.exe 3284 Gmkbnp32.exe 4004 Gcekkjcj.exe 1320 Gmmocpjk.exe 516 Gfedle32.exe 3168 Gqkhjn32.exe 2024 Gfhqbe32.exe 1448 Gmaioo32.exe 4904 Hclakimb.exe 5044 Hjfihc32.exe 2800 Hpbaqj32.exe 2432 Hbanme32.exe 1544 Hjhfnccl.exe 1432 Habnjm32.exe 4824 Hbckbepg.exe 4920 Himcoo32.exe 4500 Hadkpm32.exe 2032 Hbeghene.exe 820 Hfachc32.exe 852 Hippdo32.exe 448 Haggelfd.exe 2832 Hcedaheh.exe 3868 Hfcpncdk.exe 2656 Hmmhjm32.exe 4604 Ipldfi32.exe 1640 Ibjqcd32.exe 3684 Iidipnal.exe 3080 Iakaql32.exe 1692 Ibmmhdhm.exe 4024 Ijdeiaio.exe 3316 Iannfk32.exe 4192 Ipqnahgf.exe 3008 Ijfboafl.exe 3432 Iiibkn32.exe 1496 Ipckgh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eqciba32.exe Ejjqeg32.exe File created C:\Windows\SysWOW64\Hehifldd.dll Kdopod32.exe File created C:\Windows\SysWOW64\Jcioiood.exe Jlbgha32.exe File created C:\Windows\SysWOW64\Kbfiep32.exe Kdcijcke.exe File opened for modification C:\Windows\SysWOW64\Mgghhlhq.exe Mdiklqhm.exe File created C:\Windows\SysWOW64\Ilabfj32.dll Blfdia32.exe File created C:\Windows\SysWOW64\Qgppolie.dll Ojaelm32.exe File opened for modification C:\Windows\SysWOW64\Agoabn32.exe Aepefb32.exe File created C:\Windows\SysWOW64\Kjhonjco.dll Pjmlbbdg.exe File opened for modification C:\Windows\SysWOW64\Ecmeig32.exe Ekemhj32.exe File created C:\Windows\SysWOW64\Iifokh32.exe Iblfnn32.exe File created C:\Windows\SysWOW64\Aainof32.dll Eleiam32.exe File created C:\Windows\SysWOW64\Ebkdha32.dll Idofhfmm.exe File created C:\Windows\SysWOW64\Dgifdn32.dll Cdkldb32.exe File opened for modification C:\Windows\SysWOW64\Caebma32.exe Cjkjpgfi.exe File opened for modification C:\Windows\SysWOW64\Calhnpgn.exe Cnnlaehj.exe File opened for modification C:\Windows\SysWOW64\Iicbehnq.exe Ifefimom.exe File opened for modification C:\Windows\SysWOW64\Agjhgngj.exe Acnlgp32.exe File created C:\Windows\SysWOW64\Fbkmec32.dll Jmpngk32.exe File created C:\Windows\SysWOW64\Mmbfpp32.exe Mgimcebb.exe File created C:\Windows\SysWOW64\Ccgldidg.dll Oboaabga.exe File created C:\Windows\SysWOW64\Ojopad32.exe Okloegjl.exe File created C:\Windows\SysWOW64\Lbdcekmm.dll Fbgbpihg.exe File opened for modification C:\Windows\SysWOW64\Paegjl32.exe Pnfkma32.exe File opened for modification C:\Windows\SysWOW64\Jcefno32.exe Jlnnmb32.exe File opened for modification C:\Windows\SysWOW64\Pcncpbmd.exe Pqpgdfnp.exe File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe Dhkjej32.exe File created C:\Windows\SysWOW64\Fqohnp32.exe Ffjdqg32.exe File opened for modification C:\Windows\SysWOW64\Gbcakg32.exe Fqaeco32.exe File created C:\Windows\SysWOW64\Gcimkc32.exe Gomakdcp.exe File created C:\Windows\SysWOW64\Ohmoom32.dll Dogogcpo.exe File created C:\Windows\SysWOW64\Opocad32.dll Hfcpncdk.exe File created C:\Windows\SysWOW64\Gkhbdg32.exe Glebhjlg.exe File created C:\Windows\SysWOW64\Mgcdak32.dll Hkdbpe32.exe File created C:\Windows\SysWOW64\Lpnlpnih.exe Liddbc32.exe File created C:\Windows\SysWOW64\Mjpabk32.dll Pjmehkqk.exe File opened for modification C:\Windows\SysWOW64\Qeemej32.exe Qnkdhpjn.exe File created C:\Windows\SysWOW64\Ncbhll32.dll Hmfkoh32.exe File created C:\Windows\SysWOW64\Pkhoae32.exe Pcagphom.exe File created C:\Windows\SysWOW64\Obfhba32.exe Ojopad32.exe File created C:\Windows\SysWOW64\Kqgmgehp.dll Mmbfpp32.exe File opened for modification C:\Windows\SysWOW64\Jpjqhgol.exe Jiphkm32.exe File opened for modification C:\Windows\SysWOW64\Nacbfdao.exe Njljefql.exe File opened for modification C:\Windows\SysWOW64\Ddgkpp32.exe Dahode32.exe File created C:\Windows\SysWOW64\Kdcijcke.exe Kmjqmi32.exe File opened for modification C:\Windows\SysWOW64\Dhpjkojk.exe Dccbbhld.exe File opened for modification C:\Windows\SysWOW64\Fchddejl.exe Fomhdg32.exe File created C:\Windows\SysWOW64\Mcplce32.dll Ffggkgmk.exe File created C:\Windows\SysWOW64\Qdldlm32.dll Pnfkma32.exe File opened for modification C:\Windows\SysWOW64\Helfik32.exe Hbnjmp32.exe File created C:\Windows\SysWOW64\Pclgkb32.exe Pmannhhj.exe File created C:\Windows\SysWOW64\Blfiei32.dll Pgllfp32.exe File created C:\Windows\SysWOW64\Kplpjn32.exe Kmncnb32.exe File opened for modification C:\Windows\SysWOW64\Lpnlpnih.exe Liddbc32.exe File opened for modification C:\Windows\SysWOW64\Likjcbkc.exe Lgmngglp.exe File opened for modification C:\Windows\SysWOW64\Mbfkbhpa.exe Lphoelqn.exe File created C:\Windows\SysWOW64\Ndghmo32.exe Nddkgonp.exe File opened for modification C:\Windows\SysWOW64\Dhidjpqc.exe Dekhneap.exe File created C:\Windows\SysWOW64\Ijlbqboa.dll Hmcojh32.exe File created C:\Windows\SysWOW64\Fdjlic32.dll Ocnjidkf.exe File opened for modification C:\Windows\SysWOW64\Ceehho32.exe Cmnpgb32.exe File created C:\Windows\SysWOW64\Mlmpolji.dll Hcedaheh.exe File created C:\Windows\SysWOW64\Jcefno32.exe Jlnnmb32.exe File opened for modification C:\Windows\SysWOW64\Kmegbjgn.exe Jfkoeppq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12692 12572 WerFault.exe 659 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll" Efpajh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnkdhpjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkdbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlgbon32.dll" Lbjlfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll" Ndidbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjpaooda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll" Lgneampk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pniggbmk.dll" Dhbgqohi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmfkoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll" Ebnoikqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocalcppo.dll" Ecjhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gokdeeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjhfnccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hopnqdan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpaqkn32.dll" Edbklofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kipkhdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggacefk.dll" Ffgqqaip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipdqba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajckij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll" Ldohebqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll" Laefdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapolp32.dll" Dccbbhld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdhmnlcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" Mdkhapfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndghmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojopad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chpada32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gimjhafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcekkjcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laalifad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boepel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doqpak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Collmj32.dll" Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmkadgpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oboaabga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddpeoafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbnajo.dll" Glebhjlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnakhkol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnbmefbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll" Ibjqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpgdbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojjffddl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbllbibl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" Chagok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipqnahgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceaehfjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlcifmbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pflplnlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nafokcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdhfhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcgffqei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebploj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgdbkohf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqkhjn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3956 wrote to memory of 4596 3956 6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe 81 PID 3956 wrote to memory of 4596 3956 6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe 81 PID 3956 wrote to memory of 4596 3956 6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe 81 PID 4596 wrote to memory of 1852 4596 Epmcab32.exe 82 PID 4596 wrote to memory of 1852 4596 Epmcab32.exe 82 PID 4596 wrote to memory of 1852 4596 Epmcab32.exe 82 PID 1852 wrote to memory of 4208 1852 Ebnoikqb.exe 83 PID 1852 wrote to memory of 4208 1852 Ebnoikqb.exe 83 PID 1852 wrote to memory of 4208 1852 Ebnoikqb.exe 83 PID 4208 wrote to memory of 2288 4208 Ejegjh32.exe 84 PID 4208 wrote to memory of 2288 4208 Ejegjh32.exe 84 PID 4208 wrote to memory of 2288 4208 Ejegjh32.exe 84 PID 2288 wrote to memory of 3544 2288 Epopgbia.exe 85 PID 2288 wrote to memory of 3544 2288 Epopgbia.exe 85 PID 2288 wrote to memory of 3544 2288 Epopgbia.exe 85 PID 3544 wrote to memory of 2472 3544 Ebploj32.exe 86 PID 3544 wrote to memory of 2472 3544 Ebploj32.exe 86 PID 3544 wrote to memory of 2472 3544 Ebploj32.exe 86 PID 2472 wrote to memory of 220 2472 Ehjdldfl.exe 87 PID 2472 wrote to memory of 220 2472 Ehjdldfl.exe 87 PID 2472 wrote to memory of 220 2472 Ehjdldfl.exe 87 PID 220 wrote to memory of 4848 220 Eqalmafo.exe 88 PID 220 wrote to memory of 4848 220 Eqalmafo.exe 88 PID 220 wrote to memory of 4848 220 Eqalmafo.exe 88 PID 4848 wrote to memory of 1884 4848 Ejjqeg32.exe 89 PID 4848 wrote to memory of 1884 4848 Ejjqeg32.exe 89 PID 4848 wrote to memory of 1884 4848 Ejjqeg32.exe 89 PID 1884 wrote to memory of 1860 1884 Eqciba32.exe 90 PID 1884 wrote to memory of 1860 1884 Eqciba32.exe 90 PID 1884 wrote to memory of 1860 1884 Eqciba32.exe 90 PID 1860 wrote to memory of 1760 1860 Ecbenm32.exe 91 PID 1860 wrote to memory of 1760 1860 Ecbenm32.exe 91 PID 1860 wrote to memory of 1760 1860 Ecbenm32.exe 91 PID 1760 wrote to memory of 4656 1760 Efpajh32.exe 92 PID 1760 wrote to memory of 4656 1760 Efpajh32.exe 92 PID 1760 wrote to memory of 4656 1760 Efpajh32.exe 92 PID 4656 wrote to memory of 4108 4656 Emjjgbjp.exe 93 PID 4656 wrote to memory of 4108 4656 Emjjgbjp.exe 93 PID 4656 wrote to memory of 4108 4656 Emjjgbjp.exe 93 PID 4108 wrote to memory of 5080 4108 Eoifcnid.exe 94 PID 4108 wrote to memory of 5080 4108 Eoifcnid.exe 94 PID 4108 wrote to memory of 5080 4108 Eoifcnid.exe 94 PID 5080 wrote to memory of 332 5080 Fbgbpihg.exe 95 PID 5080 wrote to memory of 332 5080 Fbgbpihg.exe 95 PID 5080 wrote to memory of 332 5080 Fbgbpihg.exe 95 PID 332 wrote to memory of 640 332 Fjnjqfij.exe 97 PID 332 wrote to memory of 640 332 Fjnjqfij.exe 97 PID 332 wrote to memory of 640 332 Fjnjqfij.exe 97 PID 640 wrote to memory of 1188 640 Fmmfmbhn.exe 98 PID 640 wrote to memory of 1188 640 Fmmfmbhn.exe 98 PID 640 wrote to memory of 1188 640 Fmmfmbhn.exe 98 PID 1188 wrote to memory of 2548 1188 Fcgoilpj.exe 100 PID 1188 wrote to memory of 2548 1188 Fcgoilpj.exe 100 PID 1188 wrote to memory of 2548 1188 Fcgoilpj.exe 100 PID 2548 wrote to memory of 3484 2548 Ficgacna.exe 101 PID 2548 wrote to memory of 3484 2548 Ficgacna.exe 101 PID 2548 wrote to memory of 3484 2548 Ficgacna.exe 101 PID 3484 wrote to memory of 3580 3484 Fomonm32.exe 102 PID 3484 wrote to memory of 3580 3484 Fomonm32.exe 102 PID 3484 wrote to memory of 3580 3484 Fomonm32.exe 102 PID 3580 wrote to memory of 2300 3580 Ffggkgmk.exe 103 PID 3580 wrote to memory of 2300 3580 Ffggkgmk.exe 103 PID 3580 wrote to memory of 2300 3580 Ffggkgmk.exe 103 PID 2300 wrote to memory of 4236 2300 Fifdgblo.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6aefc52868d520c19e59b29bfed873f0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe23⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe25⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe26⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Fqaeco32.exeC:\Windows\system32\Fqaeco32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe28⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe30⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe31⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe32⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4004 -
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe34⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe37⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe39⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe40⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe41⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe42⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe44⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe45⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe46⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe47⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe48⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe49⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Hippdo32.exeC:\Windows\system32\Hippdo32.exe50⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe51⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3868 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe54⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe55⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe57⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe58⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe59⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe60⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe61⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4192 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe63⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe64⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe65⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe66⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe67⤵PID:3216
-
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe68⤵PID:2796
-
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe69⤵PID:4556
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe70⤵PID:1368
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe71⤵PID:1240
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe72⤵PID:4924
-
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe73⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4264 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe75⤵
- Drops file in System32 directory
PID:3540 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe76⤵PID:3760
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe77⤵PID:4204
-
C:\Windows\SysWOW64\Jfdida32.exeC:\Windows\system32\Jfdida32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe80⤵PID:1268
-
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe81⤵PID:2416
-
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe82⤵PID:5020
-
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe83⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1856 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe85⤵PID:4404
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe86⤵PID:2040
-
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe87⤵PID:3196
-
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe88⤵PID:396
-
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe89⤵
- Drops file in System32 directory
PID:3240 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe90⤵PID:1548
-
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe91⤵PID:2488
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe92⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe93⤵PID:3932
-
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe94⤵PID:3532
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe95⤵PID:1116
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe96⤵
- Drops file in System32 directory
PID:4056 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe97⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe98⤵PID:5180
-
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe99⤵PID:5224
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5260 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe101⤵PID:5308
-
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe102⤵
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe103⤵PID:5396
-
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe104⤵PID:5440
-
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe105⤵PID:5480
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe106⤵PID:5528
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe107⤵PID:5564
-
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe108⤵PID:5612
-
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5656 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe110⤵PID:5700
-
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe111⤵PID:5744
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe112⤵PID:5788
-
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe113⤵PID:5832
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe114⤵
- Modifies registry class
PID:5876 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe115⤵
- Modifies registry class
PID:5920 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe117⤵PID:6016
-
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6056 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe120⤵PID:2504
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe121⤵PID:5164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-