Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
25-06-2024 23:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
22a726ad02e2169c532e125df89cf73b709f1be4b445cdcbe6c58700fd307522_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
22a726ad02e2169c532e125df89cf73b709f1be4b445cdcbe6c58700fd307522_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
22a726ad02e2169c532e125df89cf73b709f1be4b445cdcbe6c58700fd307522_NeikiAnalytics.exe
-
Size
80KB
-
MD5
c4f2cc8d8b6b7526b9c223490175ca00
-
SHA1
39fd2d5e9e573a8d25a8573778f1ddf6a20724d2
-
SHA256
22a726ad02e2169c532e125df89cf73b709f1be4b445cdcbe6c58700fd307522
-
SHA512
09e0c6f2516cc2af0ef50c960b6c6f56c2ceb65dfca8e8dba373a51666bbfbf71f6a50a564cc25a23d8cb0f16a9db5fd42dccd67cf625166e19e32efbae913a1
-
SSDEEP
1536:PqIKLMlkmXoR8veDpA+2+2LMaIZTJ+7LhkiB0:PjKLxm4IedA+CMaMU7ui
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbfkbhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kibnhjgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdbcano.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgipldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmngqdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgddhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibjqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngedij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcojed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimnbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obidhaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjcdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opdghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kckbqpnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peljol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjpiha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kajfig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edihepnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnpmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpqiemge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lebkhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okhfjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aniajnnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhfhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdcoim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blbknaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demecd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjjppmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhdil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcnhmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjlfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehkhecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfaedkdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlaml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjokdipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mplhql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojaelm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acqimo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojaelm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfmke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgallfcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffddka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifllil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onklabip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgipldd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjfcipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imakkfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qajadlja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klljnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogogcpo.exe -
Executes dropped EXE 64 IoCs
pid Process 3212 Gjclbc32.exe 4024 Gifmnpnl.exe 1568 Gameonno.exe 1400 Gppekj32.exe 1644 Hboagf32.exe 4680 Hmdedo32.exe 4584 Hpbaqj32.exe 4908 Hbanme32.exe 372 Hjhfnccl.exe 1800 Habnjm32.exe 5068 Hcqjfh32.exe 4700 Hjjbcbqj.exe 3108 Hmioonpn.exe 2192 Hccglh32.exe 468 Hjmoibog.exe 3944 Hmklen32.exe 1060 Hpihai32.exe 1772 Hfcpncdk.exe 1852 Hibljoco.exe 4204 Haidklda.exe 1340 Ibjqcd32.exe 2976 Iakaql32.exe 1488 Ibmmhdhm.exe 3912 Imbaemhc.exe 2868 Icljbg32.exe 220 Ijfboafl.exe 4728 Ipckgh32.exe 3672 Ibagcc32.exe 4336 Ifmcdblq.exe 3692 Imgkql32.exe 4444 Ipegmg32.exe 4920 Ifopiajn.exe 4212 Imihfl32.exe 1220 Jbfpobpb.exe 4708 Jiphkm32.exe 4060 Jpjqhgol.exe 3964 Jbhmdbnp.exe 2292 Jjpeepnb.exe 3800 Jmnaakne.exe 904 Jplmmfmi.exe 224 Jdhine32.exe 2368 Jfffjqdf.exe 1236 Jjbako32.exe 5060 Jaljgidl.exe 2188 Jpojcf32.exe 4956 Jbmfoa32.exe 2636 Jkdnpo32.exe 3688 Jpaghf32.exe 1732 Jbocea32.exe 4440 Jiikak32.exe 1900 Kmegbjgn.exe 2956 Kdopod32.exe 376 Kgmlkp32.exe 2644 Kkihknfg.exe 3252 Kmgdgjek.exe 1828 Kpepcedo.exe 3480 Kgphpo32.exe 4716 Kkkdan32.exe 3248 Kmjqmi32.exe 464 Kaemnhla.exe 4900 Kdcijcke.exe 2228 Kbfiep32.exe 2440 Kgbefoji.exe 3224 Kipabjil.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ippggbck.exe Imakkfdg.exe File opened for modification C:\Windows\SysWOW64\Kdcbom32.exe Klljnp32.exe File opened for modification C:\Windows\SysWOW64\Hbnjmp32.exe Hopnqdan.exe File created C:\Windows\SysWOW64\Jnmkhg32.dll Ojalgcnd.exe File created C:\Windows\SysWOW64\Hlfofiig.dll Ncfdie32.exe File created C:\Windows\SysWOW64\Dhkjej32.exe Delnin32.exe File opened for modification C:\Windows\SysWOW64\Ngedij32.exe Ndghmo32.exe File opened for modification C:\Windows\SysWOW64\Gbgdlq32.exe Gmjlcj32.exe File created C:\Windows\SysWOW64\Gdhmnlcj.exe Gbiaapdf.exe File opened for modification C:\Windows\SysWOW64\Fkalchij.exe Fhcpgmjf.exe File created C:\Windows\SysWOW64\Bmkjkd32.exe Bjmnoi32.exe File opened for modification C:\Windows\SysWOW64\Bbifelba.exe Bnnjen32.exe File created C:\Windows\SysWOW64\Epogol32.dll Pcccfh32.exe File opened for modification C:\Windows\SysWOW64\Qnnanphk.exe Qgciaf32.exe File created C:\Windows\SysWOW64\Bgdpie32.dll Bbgipldd.exe File opened for modification C:\Windows\SysWOW64\Baocghgi.exe Bopgjmhe.exe File opened for modification C:\Windows\SysWOW64\Bhkhibmc.exe Baaplhef.exe File created C:\Windows\SysWOW64\Mkoqfnpl.dll Jfhlejnh.exe File created C:\Windows\SysWOW64\Mbpfgbfp.dll Ajfhnjhq.exe File opened for modification C:\Windows\SysWOW64\Pghieg32.exe Pjdilcla.exe File created C:\Windows\SysWOW64\Cjinkg32.exe Chjaol32.exe File opened for modification C:\Windows\SysWOW64\Andqdh32.exe Ajhddjfn.exe File created C:\Windows\SysWOW64\Khehmdgi.dll Lilanioo.exe File created C:\Windows\SysWOW64\Iikhfg32.exe Ifllil32.exe File created C:\Windows\SysWOW64\Lllcen32.exe Lmiciaaj.exe File opened for modification C:\Windows\SysWOW64\Ndcdmikd.exe Nlmllkja.exe File created C:\Windows\SysWOW64\Qffbbldm.exe Qgcbgo32.exe File created C:\Windows\SysWOW64\Bgehcmmm.exe Bcjlcn32.exe File created C:\Windows\SysWOW64\Fcnopdeh.dll Fdlnbm32.exe File opened for modification C:\Windows\SysWOW64\Dlgmpogj.exe Demecd32.exe File created C:\Windows\SysWOW64\Pjoheljj.dll Pkhoae32.exe File created C:\Windows\SysWOW64\Libddmim.dll Bnnjen32.exe File opened for modification C:\Windows\SysWOW64\Baaplhef.exe Bjghpn32.exe File created C:\Windows\SysWOW64\Kpjgop32.dll Eleiam32.exe File created C:\Windows\SysWOW64\Amhpcomb.dll Liimncmf.exe File created C:\Windows\SysWOW64\Dgbdlf32.exe Deagdn32.exe File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe Mkpgck32.exe File created C:\Windows\SysWOW64\Eeecjqkd.dll Kgdbkohf.exe File created C:\Windows\SysWOW64\Occkojkm.exe Oqdoboli.exe File opened for modification C:\Windows\SysWOW64\Nafokcol.exe Nqfbaq32.exe File opened for modification C:\Windows\SysWOW64\Mipcob32.exe Mbfkbhpa.exe File created C:\Windows\SysWOW64\Hddeok32.dll Npjebj32.exe File created C:\Windows\SysWOW64\Pnnaog32.dll Okloegjl.exe File created C:\Windows\SysWOW64\Ekemhj32.exe Eeidoc32.exe File opened for modification C:\Windows\SysWOW64\Hcqjfh32.exe Habnjm32.exe File created C:\Windows\SysWOW64\Jiikak32.exe Jbocea32.exe File opened for modification C:\Windows\SysWOW64\Ajdbcano.exe Agffge32.exe File created C:\Windows\SysWOW64\Egdmkp32.dll Clkndpag.exe File created C:\Windows\SysWOW64\Pniggbmk.dll Dlncan32.exe File created C:\Windows\SysWOW64\Chmhoe32.dll Oneklm32.exe File opened for modification C:\Windows\SysWOW64\Chmndlge.exe Cabfga32.exe File opened for modification C:\Windows\SysWOW64\Cffdpghg.exe Cdhhdlid.exe File created C:\Windows\SysWOW64\Gmlgol32.dll Jpaghf32.exe File opened for modification C:\Windows\SysWOW64\Pkfblfab.exe Pgjfkg32.exe File opened for modification C:\Windows\SysWOW64\Pdfjifjo.exe Pqknig32.exe File opened for modification C:\Windows\SysWOW64\Pcppfaka.exe Pdmpje32.exe File opened for modification C:\Windows\SysWOW64\Cagobalc.exe Cjmgfgdf.exe File created C:\Windows\SysWOW64\Ffpmlcim.dll Cjpckf32.exe File created C:\Windows\SysWOW64\Fklfdo32.dll Ondeac32.exe File created C:\Windows\SysWOW64\Aaepqjpd.exe Alhhhcal.exe File opened for modification C:\Windows\SysWOW64\Hcbpab32.exe Himldi32.exe File opened for modification C:\Windows\SysWOW64\Jjpeepnb.exe Jbhmdbnp.exe File opened for modification C:\Windows\SysWOW64\Lilanioo.exe Lkiqbl32.exe File created C:\Windows\SysWOW64\Mjcgohig.exe Mkpgck32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12948 12696 WerFault.exe 655 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll" Baicac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imbaemhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eemnjbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkahqga.dll" Kikame32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll" Kkkdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhkffjm.dll" Chdkoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpnchp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdialn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfoafi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeiofcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdbkohf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgekbljc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cecenn32.dll" Doeiljfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll" Lpebpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmmhdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okjbpglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndgjk32.dll" Iikhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdffocib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imoneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkepnjng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqdoboli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" Liimncmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieakglmn.dll" Hecmijim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klimip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndcdmikd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdcbom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnqbanmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjagjhnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijfboafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcmofolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baaplhef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpojcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll" Mjqjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll" Ncianepl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kipabjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbdbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll" Kfmepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" Bebblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imihfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfaedkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll" Pnlaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpijp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlhbal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkedibe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll" Ifmcdblq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjhqjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghopckpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Colffknh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbifelba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgehcmmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmlnbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll" Lnjjdgee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkhoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambgef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfiafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmccchkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echmafdm.dll" Occkojkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klohppck.dll" Chmeobkq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 3212 2128 22a726ad02e2169c532e125df89cf73b709f1be4b445cdcbe6c58700fd307522_NeikiAnalytics.exe 83 PID 2128 wrote to memory of 3212 2128 22a726ad02e2169c532e125df89cf73b709f1be4b445cdcbe6c58700fd307522_NeikiAnalytics.exe 83 PID 2128 wrote to memory of 3212 2128 22a726ad02e2169c532e125df89cf73b709f1be4b445cdcbe6c58700fd307522_NeikiAnalytics.exe 83 PID 3212 wrote to memory of 4024 3212 Gjclbc32.exe 84 PID 3212 wrote to memory of 4024 3212 Gjclbc32.exe 84 PID 3212 wrote to memory of 4024 3212 Gjclbc32.exe 84 PID 4024 wrote to memory of 1568 4024 Gifmnpnl.exe 85 PID 4024 wrote to memory of 1568 4024 Gifmnpnl.exe 85 PID 4024 wrote to memory of 1568 4024 Gifmnpnl.exe 85 PID 1568 wrote to memory of 1400 1568 Gameonno.exe 86 PID 1568 wrote to memory of 1400 1568 Gameonno.exe 86 PID 1568 wrote to memory of 1400 1568 Gameonno.exe 86 PID 1400 wrote to memory of 1644 1400 Gppekj32.exe 87 PID 1400 wrote to memory of 1644 1400 Gppekj32.exe 87 PID 1400 wrote to memory of 1644 1400 Gppekj32.exe 87 PID 1644 wrote to memory of 4680 1644 Hboagf32.exe 88 PID 1644 wrote to memory of 4680 1644 Hboagf32.exe 88 PID 1644 wrote to memory of 4680 1644 Hboagf32.exe 88 PID 4680 wrote to memory of 4584 4680 Hmdedo32.exe 89 PID 4680 wrote to memory of 4584 4680 Hmdedo32.exe 89 PID 4680 wrote to memory of 4584 4680 Hmdedo32.exe 89 PID 4584 wrote to memory of 4908 4584 Hpbaqj32.exe 90 PID 4584 wrote to memory of 4908 4584 Hpbaqj32.exe 90 PID 4584 wrote to memory of 4908 4584 Hpbaqj32.exe 90 PID 4908 wrote to memory of 372 4908 Hbanme32.exe 91 PID 4908 wrote to memory of 372 4908 Hbanme32.exe 91 PID 4908 wrote to memory of 372 4908 Hbanme32.exe 91 PID 372 wrote to memory of 1800 372 Hjhfnccl.exe 92 PID 372 wrote to memory of 1800 372 Hjhfnccl.exe 92 PID 372 wrote to memory of 1800 372 Hjhfnccl.exe 92 PID 1800 wrote to memory of 5068 1800 Habnjm32.exe 93 PID 1800 wrote to memory of 5068 1800 Habnjm32.exe 93 PID 1800 wrote to memory of 5068 1800 Habnjm32.exe 93 PID 5068 wrote to memory of 4700 5068 Hcqjfh32.exe 94 PID 5068 wrote to memory of 4700 5068 Hcqjfh32.exe 94 PID 5068 wrote to memory of 4700 5068 Hcqjfh32.exe 94 PID 4700 wrote to memory of 3108 4700 Hjjbcbqj.exe 95 PID 4700 wrote to memory of 3108 4700 Hjjbcbqj.exe 95 PID 4700 wrote to memory of 3108 4700 Hjjbcbqj.exe 95 PID 3108 wrote to memory of 2192 3108 Hmioonpn.exe 96 PID 3108 wrote to memory of 2192 3108 Hmioonpn.exe 96 PID 3108 wrote to memory of 2192 3108 Hmioonpn.exe 96 PID 2192 wrote to memory of 468 2192 Hccglh32.exe 97 PID 2192 wrote to memory of 468 2192 Hccglh32.exe 97 PID 2192 wrote to memory of 468 2192 Hccglh32.exe 97 PID 468 wrote to memory of 3944 468 Hjmoibog.exe 98 PID 468 wrote to memory of 3944 468 Hjmoibog.exe 98 PID 468 wrote to memory of 3944 468 Hjmoibog.exe 98 PID 3944 wrote to memory of 1060 3944 Hmklen32.exe 99 PID 3944 wrote to memory of 1060 3944 Hmklen32.exe 99 PID 3944 wrote to memory of 1060 3944 Hmklen32.exe 99 PID 1060 wrote to memory of 1772 1060 Hpihai32.exe 100 PID 1060 wrote to memory of 1772 1060 Hpihai32.exe 100 PID 1060 wrote to memory of 1772 1060 Hpihai32.exe 100 PID 1772 wrote to memory of 1852 1772 Hfcpncdk.exe 101 PID 1772 wrote to memory of 1852 1772 Hfcpncdk.exe 101 PID 1772 wrote to memory of 1852 1772 Hfcpncdk.exe 101 PID 1852 wrote to memory of 4204 1852 Hibljoco.exe 103 PID 1852 wrote to memory of 4204 1852 Hibljoco.exe 103 PID 1852 wrote to memory of 4204 1852 Hibljoco.exe 103 PID 4204 wrote to memory of 1340 4204 Haidklda.exe 104 PID 4204 wrote to memory of 1340 4204 Haidklda.exe 104 PID 4204 wrote to memory of 1340 4204 Haidklda.exe 104 PID 1340 wrote to memory of 2976 1340 Ibjqcd32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\22a726ad02e2169c532e125df89cf73b709f1be4b445cdcbe6c58700fd307522_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\22a726ad02e2169c532e125df89cf73b709f1be4b445cdcbe6c58700fd307522_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Habnjm32.exeC:\Windows\system32\Habnjm32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe23⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe26⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe28⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe29⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe31⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Ipegmg32.exeC:\Windows\system32\Ipegmg32.exe32⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe33⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4212 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe35⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe36⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe37⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe39⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe40⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe41⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe42⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe43⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe44⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe45⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe47⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe48⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3688 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe51⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe52⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe53⤵PID:4340
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe54⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe55⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe56⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe57⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe58⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Kgphpo32.exeC:\Windows\system32\Kgphpo32.exe59⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe61⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Kaemnhla.exeC:\Windows\system32\Kaemnhla.exe62⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe63⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe64⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe65⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe67⤵
- Modifies registry class
PID:3580 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe68⤵PID:4332
-
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3632 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe71⤵PID:2812
-
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3128 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe74⤵PID:840
-
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3816 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe76⤵PID:1484
-
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe77⤵PID:1992
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe78⤵PID:3520
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe79⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe80⤵PID:4960
-
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe81⤵
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe82⤵PID:1192
-
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe83⤵PID:3760
-
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe84⤵PID:4120
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe85⤵PID:1712
-
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe86⤵PID:2552
-
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe87⤵PID:2724
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe88⤵PID:3924
-
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe89⤵PID:1584
-
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe90⤵
- Drops file in System32 directory
PID:4600 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe91⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe92⤵PID:5132
-
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe93⤵PID:5176
-
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe94⤵PID:5220
-
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe95⤵PID:5260
-
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe96⤵PID:5300
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe97⤵
- Modifies registry class
PID:5340 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe98⤵PID:5384
-
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe99⤵PID:5436
-
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe100⤵PID:5480
-
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe101⤵
- Modifies registry class
PID:5520 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe102⤵PID:5564
-
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe103⤵PID:5608
-
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe104⤵PID:5644
-
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe105⤵
- Modifies registry class
PID:5692 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe106⤵
- Drops file in System32 directory
PID:5736 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe107⤵PID:5780
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe108⤵PID:5824
-
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe109⤵PID:5872
-
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe110⤵PID:5908
-
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe111⤵PID:5960
-
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe112⤵PID:6000
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe113⤵PID:6044
-
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe114⤵PID:6084
-
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe116⤵
- Modifies registry class
PID:3276 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe117⤵
- Modifies registry class
PID:5188 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe118⤵PID:5284
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe119⤵PID:5380
-
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe120⤵PID:5444
-
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe121⤵PID:5512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-