Analysis
-
max time kernel
139s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 02:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6a8ea6b2eb7447bb50f148444fd73b6ac4021517e4cf911dccba496b2fe4ea9f_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
6a8ea6b2eb7447bb50f148444fd73b6ac4021517e4cf911dccba496b2fe4ea9f_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6a8ea6b2eb7447bb50f148444fd73b6ac4021517e4cf911dccba496b2fe4ea9f_NeikiAnalytics.exe
-
Size
386KB
-
MD5
f2a4dba88b627fda41fae8c3b700fa20
-
SHA1
f622d06a61570adf6cdcd02f9c0fd632e3859466
-
SHA256
6a8ea6b2eb7447bb50f148444fd73b6ac4021517e4cf911dccba496b2fe4ea9f
-
SHA512
7c853e92fb8ea17e5583f1408b13858b54bb0c6c3d6a4b0b22c092599af3c8984f7740f3ff23143de706570f3034af95e6946b34f49d2790a8c0a62861637c5b
-
SSDEEP
12288:m8V6wQZ7287xmPFRkfJg9qwQZ7287xmP:lMZZ/aFKm9qZZ/a
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjipmoai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljoboloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmifkecb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fempbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peempn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkinmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nggjog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anncek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpnkdfko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqhphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnkilbni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjcfgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgomaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afceko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lndfchdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojjcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogbbqo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hllcfnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbnopbdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkgillpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oakjnnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbklli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okqbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcehejic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojiqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beoimjce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hddilh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akgjnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmkbeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aadghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnqebaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbapoqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpandm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljffccjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fblpflfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqofe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifppdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abpmpkoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnhlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnboma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjjfkcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enopghee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cemeoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqfolqna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foenplji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpmcmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdbjleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pahpee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phbolflm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapfiqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihmedma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oheienli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iobmmoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcijce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhppik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdlncn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enedio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehmibdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkjjfkcm.exe -
Executes dropped EXE 64 IoCs
pid Process 4044 Eeelnp32.exe 1532 Fnipbc32.exe 1980 Gfjkjo32.exe 2148 Jcanll32.exe 4024 Jnlkedai.exe 1824 Kckqbj32.exe 3192 Lnldla32.exe 4340 Ljceqb32.exe 2204 Mqafhl32.exe 4560 Moipoh32.exe 3608 Mmmqhl32.exe 3092 Nnojho32.exe 1388 Ncnofeof.exe 4684 Ngndaccj.exe 1136 Ocgbld32.exe 4892 Opqofe32.exe 3416 Ofmdio32.exe 1332 Pjmjdm32.exe 2308 Pjbcplpe.exe 1620 Akkffkhk.exe 2336 Apjkcadp.exe 1180 Akblfj32.exe 4908 Bmeandma.exe 4212 Bgbpaipl.exe 2152 Bajqda32.exe 2216 Chiblk32.exe 4416 Coegoe32.exe 944 Ddgibkpc.exe 2680 Doagjc32.exe 2880 Edbiniff.exe 1160 Eojiqb32.exe 1804 Edionhpn.exe 4620 Fqppci32.exe 4816 Fdnhih32.exe 4376 Fbbicl32.exe 3524 Finnef32.exe 4172 Fnkfmm32.exe 2448 Fgcjfbed.exe 1012 Gkaclqkk.exe 3588 Gghdaa32.exe 2548 Geldkfpi.exe 4108 Glhimp32.exe 4760 Ghojbq32.exe 4400 Hecjke32.exe 2164 Hhdcmp32.exe 2916 Hbldphde.exe 4668 Ilfennic.exe 4136 Iacngdgj.exe 3592 Iogopi32.exe 3824 Ipgkjlmg.exe 4700 Ibgdlg32.exe 616 Ipkdek32.exe 2472 Jaonbc32.exe 1688 Jbojlfdp.exe 3368 Jpbjfjci.exe 4312 Johggfha.exe 2340 Jllhpkfk.exe 1676 Klndfj32.exe 2248 Kbhmbdle.exe 464 Keifdpif.exe 568 Kapfiqoj.exe 4912 Kocgbend.exe 2760 Kpccmhdg.exe 1372 Lohqnd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ghojbq32.exe Glhimp32.exe File opened for modification C:\Windows\SysWOW64\Falcli32.exe Fkbkoo32.exe File opened for modification C:\Windows\SysWOW64\Dpmcmf32.exe Dickplko.exe File opened for modification C:\Windows\SysWOW64\Hcaibo32.exe Gledpe32.exe File created C:\Windows\SysWOW64\Miagbi32.dll Cejjdlap.exe File created C:\Windows\SysWOW64\Hfgohepp.dll Flmonbbp.exe File opened for modification C:\Windows\SysWOW64\Bqkigp32.exe Anmmkd32.exe File opened for modification C:\Windows\SysWOW64\Bjkcqdje.exe Biigildg.exe File opened for modification C:\Windows\SysWOW64\Fhiinbdo.exe Fblpflfg.exe File opened for modification C:\Windows\SysWOW64\Fhkecb32.exe Faamghko.exe File created C:\Windows\SysWOW64\Finnef32.exe Fbbicl32.exe File opened for modification C:\Windows\SysWOW64\Afceko32.exe Aimhmkgn.exe File created C:\Windows\SysWOW64\Qpiidi32.dll Bblcfo32.exe File opened for modification C:\Windows\SysWOW64\Dpjompqc.exe Dmifkecb.exe File created C:\Windows\SysWOW64\Kapfiqoj.exe Keifdpif.exe File created C:\Windows\SysWOW64\Apqddgbj.dll Namnmp32.exe File created C:\Windows\SysWOW64\Pojjcp32.exe Pdeffgff.exe File created C:\Windows\SysWOW64\Jhcmbm32.exe Jokiig32.exe File opened for modification C:\Windows\SysWOW64\Geabbfoc.exe Gogjflhf.exe File created C:\Windows\SysWOW64\Egfolf32.dll Lpdefc32.exe File created C:\Windows\SysWOW64\Eilfldoi.exe Eennefib.exe File opened for modification C:\Windows\SysWOW64\Namnmp32.exe Nggjog32.exe File created C:\Windows\SysWOW64\Hkchqpgd.dll Qbmpjkqk.exe File opened for modification C:\Windows\SysWOW64\Cpipkl32.exe Bpfcelml.exe File created C:\Windows\SysWOW64\Cihckfoa.dll Ohaokbfd.exe File created C:\Windows\SysWOW64\Lnojqbjp.dll Cicjokll.exe File opened for modification C:\Windows\SysWOW64\Dndlba32.exe Cgjcfgoa.exe File created C:\Windows\SysWOW64\Kfejmobh.exe Kokbpe32.exe File created C:\Windows\SysWOW64\Ljnakk32.dll Jaemilci.exe File created C:\Windows\SysWOW64\Haaggn32.dll Bfoegm32.exe File created C:\Windows\SysWOW64\Mpnngh32.exe Ldgnbg32.exe File created C:\Windows\SysWOW64\Ggmdggnj.dll Okkalnjm.exe File opened for modification C:\Windows\SysWOW64\Mohidbkl.exe Mlhqcgnk.exe File opened for modification C:\Windows\SysWOW64\Cmbgdl32.exe Cdhffg32.exe File created C:\Windows\SysWOW64\Jjonchmn.dll Nchhfild.exe File opened for modification C:\Windows\SysWOW64\Fempbm32.exe Fochecog.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Akkffkhk.exe File created C:\Windows\SysWOW64\Afdmjk32.dll Kanbjn32.exe File created C:\Windows\SysWOW64\Igehifaa.dll Npjnbg32.exe File created C:\Windows\SysWOW64\Ikmpcicg.exe Ijkdkq32.exe File created C:\Windows\SysWOW64\Fnkfmm32.exe Finnef32.exe File created C:\Windows\SysWOW64\Emnhomim.dll Moalil32.exe File created C:\Windows\SysWOW64\Mhmcck32.exe Mehafq32.exe File opened for modification C:\Windows\SysWOW64\Cbqonf32.exe Cemndbci.exe File created C:\Windows\SysWOW64\Mjdbda32.exe Mpnngh32.exe File created C:\Windows\SysWOW64\Gkaclqkk.exe Fgcjfbed.exe File opened for modification C:\Windows\SysWOW64\Keifdpif.exe Kbhmbdle.exe File created C:\Windows\SysWOW64\Odanidih.dll Enopghee.exe File created C:\Windows\SysWOW64\Pfjhdhal.dll Edakimoo.exe File opened for modification C:\Windows\SysWOW64\Fibfbm32.exe Epiaig32.exe File created C:\Windows\SysWOW64\Paomog32.exe Oalpigkb.exe File opened for modification C:\Windows\SysWOW64\Jllhpkfk.exe Johggfha.exe File opened for modification C:\Windows\SysWOW64\Acppddig.exe Aijlgkjq.exe File created C:\Windows\SysWOW64\Kjmjgk32.exe Jnfjbj32.exe File created C:\Windows\SysWOW64\Bbniai32.exe Bbklli32.exe File opened for modification C:\Windows\SysWOW64\Kicfijal.exe Kfejmobh.exe File created C:\Windows\SysWOW64\Coegoe32.exe Chiblk32.exe File created C:\Windows\SysWOW64\Enlcahgh.exe Ecgodpgb.exe File opened for modification C:\Windows\SysWOW64\Dnienqbi.exe Dgomaf32.exe File opened for modification C:\Windows\SysWOW64\Gogjflhf.exe Ghmbib32.exe File created C:\Windows\SysWOW64\Mopabjci.dll Ijkdkq32.exe File opened for modification C:\Windows\SysWOW64\Komoed32.exe Kicfijal.exe File opened for modification C:\Windows\SysWOW64\Cdhffg32.exe Bgdemb32.exe File created C:\Windows\SysWOW64\Miiepfpf.dll Oheienli.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6316 10840 WerFault.exe 611 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcabhido.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbonoghb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqelbcc.dll" Fnjocf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhbqalle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fepbfj32.dll" Mpqklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdiqnel.dll" Bnoiqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfdqfbai.dll" Ehklmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hebkid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdnhih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll" Fkgillpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agccao32.dll" Bpbpecen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgpibdam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajodef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Janghmia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpdogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhfjkmma.dll" Gcmpgpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckoifgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmepcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blobgill.dll" Lpelqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omlkmign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deqqek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jaonbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llcghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll" Dpmcmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jelhcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehmibdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oheopk32.dll" Focakm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cemeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlkplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opqofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbfoaba.dll" Ghojbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kapfiqoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkbkmqed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oheienli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcbdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfpcj32.dll" Ghdhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhqqlmba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll" Bgdemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maaekg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndfanlpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqdbfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odbpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oddmoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpflhb32.dll" Onmahojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lohqnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okmpqjad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knbinhfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqiibcbk.dll" Jomeoggk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhalmkbm.dll" Kiajck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlbllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdjqkoj.dll" Gkaclqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll" Cdolgfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjdgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfloio32.dll" Opmcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoino32.dll" Bdlncn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmepcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfonnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpooenf.dll" Kiaqnagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohaokbfd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4188 wrote to memory of 4044 4188 6a8ea6b2eb7447bb50f148444fd73b6ac4021517e4cf911dccba496b2fe4ea9f_NeikiAnalytics.exe 91 PID 4188 wrote to memory of 4044 4188 6a8ea6b2eb7447bb50f148444fd73b6ac4021517e4cf911dccba496b2fe4ea9f_NeikiAnalytics.exe 91 PID 4188 wrote to memory of 4044 4188 6a8ea6b2eb7447bb50f148444fd73b6ac4021517e4cf911dccba496b2fe4ea9f_NeikiAnalytics.exe 91 PID 4044 wrote to memory of 1532 4044 Eeelnp32.exe 92 PID 4044 wrote to memory of 1532 4044 Eeelnp32.exe 92 PID 4044 wrote to memory of 1532 4044 Eeelnp32.exe 92 PID 1532 wrote to memory of 1980 1532 Fnipbc32.exe 93 PID 1532 wrote to memory of 1980 1532 Fnipbc32.exe 93 PID 1532 wrote to memory of 1980 1532 Fnipbc32.exe 93 PID 1980 wrote to memory of 2148 1980 Gfjkjo32.exe 94 PID 1980 wrote to memory of 2148 1980 Gfjkjo32.exe 94 PID 1980 wrote to memory of 2148 1980 Gfjkjo32.exe 94 PID 2148 wrote to memory of 4024 2148 Jcanll32.exe 95 PID 2148 wrote to memory of 4024 2148 Jcanll32.exe 95 PID 2148 wrote to memory of 4024 2148 Jcanll32.exe 95 PID 4024 wrote to memory of 1824 4024 Jnlkedai.exe 96 PID 4024 wrote to memory of 1824 4024 Jnlkedai.exe 96 PID 4024 wrote to memory of 1824 4024 Jnlkedai.exe 96 PID 1824 wrote to memory of 3192 1824 Kckqbj32.exe 97 PID 1824 wrote to memory of 3192 1824 Kckqbj32.exe 97 PID 1824 wrote to memory of 3192 1824 Kckqbj32.exe 97 PID 3192 wrote to memory of 4340 3192 Lnldla32.exe 98 PID 3192 wrote to memory of 4340 3192 Lnldla32.exe 98 PID 3192 wrote to memory of 4340 3192 Lnldla32.exe 98 PID 4340 wrote to memory of 2204 4340 Ljceqb32.exe 99 PID 4340 wrote to memory of 2204 4340 Ljceqb32.exe 99 PID 4340 wrote to memory of 2204 4340 Ljceqb32.exe 99 PID 2204 wrote to memory of 4560 2204 Mqafhl32.exe 100 PID 2204 wrote to memory of 4560 2204 Mqafhl32.exe 100 PID 2204 wrote to memory of 4560 2204 Mqafhl32.exe 100 PID 4560 wrote to memory of 3608 4560 Moipoh32.exe 101 PID 4560 wrote to memory of 3608 4560 Moipoh32.exe 101 PID 4560 wrote to memory of 3608 4560 Moipoh32.exe 101 PID 3608 wrote to memory of 3092 3608 Mmmqhl32.exe 102 PID 3608 wrote to memory of 3092 3608 Mmmqhl32.exe 102 PID 3608 wrote to memory of 3092 3608 Mmmqhl32.exe 102 PID 3092 wrote to memory of 1388 3092 Nnojho32.exe 103 PID 3092 wrote to memory of 1388 3092 Nnojho32.exe 103 PID 3092 wrote to memory of 1388 3092 Nnojho32.exe 103 PID 1388 wrote to memory of 4684 1388 Ncnofeof.exe 104 PID 1388 wrote to memory of 4684 1388 Ncnofeof.exe 104 PID 1388 wrote to memory of 4684 1388 Ncnofeof.exe 104 PID 4684 wrote to memory of 1136 4684 Ngndaccj.exe 105 PID 4684 wrote to memory of 1136 4684 Ngndaccj.exe 105 PID 4684 wrote to memory of 1136 4684 Ngndaccj.exe 105 PID 1136 wrote to memory of 4892 1136 Ocgbld32.exe 106 PID 1136 wrote to memory of 4892 1136 Ocgbld32.exe 106 PID 1136 wrote to memory of 4892 1136 Ocgbld32.exe 106 PID 4892 wrote to memory of 3416 4892 Opqofe32.exe 107 PID 4892 wrote to memory of 3416 4892 Opqofe32.exe 107 PID 4892 wrote to memory of 3416 4892 Opqofe32.exe 107 PID 3416 wrote to memory of 1332 3416 Ofmdio32.exe 108 PID 3416 wrote to memory of 1332 3416 Ofmdio32.exe 108 PID 3416 wrote to memory of 1332 3416 Ofmdio32.exe 108 PID 1332 wrote to memory of 2308 1332 Pjmjdm32.exe 109 PID 1332 wrote to memory of 2308 1332 Pjmjdm32.exe 109 PID 1332 wrote to memory of 2308 1332 Pjmjdm32.exe 109 PID 2308 wrote to memory of 1620 2308 Pjbcplpe.exe 110 PID 2308 wrote to memory of 1620 2308 Pjbcplpe.exe 110 PID 2308 wrote to memory of 1620 2308 Pjbcplpe.exe 110 PID 1620 wrote to memory of 2336 1620 Akkffkhk.exe 111 PID 1620 wrote to memory of 2336 1620 Akkffkhk.exe 111 PID 1620 wrote to memory of 2336 1620 Akkffkhk.exe 111 PID 2336 wrote to memory of 1180 2336 Apjkcadp.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a8ea6b2eb7447bb50f148444fd73b6ac4021517e4cf911dccba496b2fe4ea9f_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6a8ea6b2eb7447bb50f148444fd73b6ac4021517e4cf911dccba496b2fe4ea9f_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Lnldla32.exeC:\Windows\system32\Lnldla32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Nnojho32.exeC:\Windows\system32\Nnojho32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Ncnofeof.exeC:\Windows\system32\Ncnofeof.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Opqofe32.exeC:\Windows\system32\Opqofe32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Ofmdio32.exeC:\Windows\system32\Ofmdio32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Pjmjdm32.exeC:\Windows\system32\Pjmjdm32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Akblfj32.exeC:\Windows\system32\Akblfj32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Bmeandma.exeC:\Windows\system32\Bmeandma.exe24⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe25⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe26⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Chiblk32.exeC:\Windows\system32\Chiblk32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe28⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe29⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe30⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Edbiniff.exeC:\Windows\system32\Edbiniff.exe31⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Eojiqb32.exeC:\Windows\system32\Eojiqb32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe33⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Fqppci32.exeC:\Windows\system32\Fqppci32.exe34⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Fdnhih32.exeC:\Windows\system32\Fdnhih32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Fbbicl32.exeC:\Windows\system32\Fbbicl32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4376 -
C:\Windows\SysWOW64\Finnef32.exeC:\Windows\system32\Finnef32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3524 -
C:\Windows\SysWOW64\Fnkfmm32.exeC:\Windows\system32\Fnkfmm32.exe38⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Fgcjfbed.exeC:\Windows\system32\Fgcjfbed.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe41⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Geldkfpi.exeC:\Windows\system32\Geldkfpi.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Ghojbq32.exeC:\Windows\system32\Ghojbq32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4760 -
C:\Windows\SysWOW64\Hecjke32.exeC:\Windows\system32\Hecjke32.exe45⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Hhdcmp32.exeC:\Windows\system32\Hhdcmp32.exe46⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Hbldphde.exeC:\Windows\system32\Hbldphde.exe47⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ilfennic.exeC:\Windows\system32\Ilfennic.exe48⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe49⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Iogopi32.exeC:\Windows\system32\Iogopi32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Ipgkjlmg.exeC:\Windows\system32\Ipgkjlmg.exe51⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe52⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Ipkdek32.exeC:\Windows\system32\Ipkdek32.exe53⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Jbojlfdp.exeC:\Windows\system32\Jbojlfdp.exe55⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Jpbjfjci.exeC:\Windows\system32\Jpbjfjci.exe56⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Johggfha.exeC:\Windows\system32\Johggfha.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4312 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe58⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe59⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Kbhmbdle.exeC:\Windows\system32\Kbhmbdle.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Keifdpif.exeC:\Windows\system32\Keifdpif.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:464 -
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Kocgbend.exeC:\Windows\system32\Kocgbend.exe63⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe64⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Lohqnd32.exeC:\Windows\system32\Lohqnd32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Lcfidb32.exeC:\Windows\system32\Lcfidb32.exe66⤵PID:512
-
C:\Windows\SysWOW64\Ljbnfleo.exeC:\Windows\system32\Ljbnfleo.exe67⤵PID:2944
-
C:\Windows\SysWOW64\Lancko32.exeC:\Windows\system32\Lancko32.exe68⤵PID:764
-
C:\Windows\SysWOW64\Llcghg32.exeC:\Windows\system32\Llcghg32.exe69⤵
- Modifies registry class
PID:3716 -
C:\Windows\SysWOW64\Mjggal32.exeC:\Windows\system32\Mjggal32.exe70⤵PID:64
-
C:\Windows\SysWOW64\Mlhqcgnk.exeC:\Windows\system32\Mlhqcgnk.exe71⤵
- Drops file in System32 directory
PID:3240 -
C:\Windows\SysWOW64\Mohidbkl.exeC:\Windows\system32\Mohidbkl.exe72⤵PID:2664
-
C:\Windows\SysWOW64\Mlljnf32.exeC:\Windows\system32\Mlljnf32.exe73⤵PID:2772
-
C:\Windows\SysWOW64\Nmaciefp.exeC:\Windows\system32\Nmaciefp.exe74⤵PID:1448
-
C:\Windows\SysWOW64\Njedbjej.exeC:\Windows\system32\Njedbjej.exe75⤵
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Oifppdpd.exeC:\Windows\system32\Oifppdpd.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Oihmedma.exeC:\Windows\system32\Oihmedma.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416 -
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe78⤵PID:1548
-
C:\Windows\SysWOW64\Pafkgphl.exeC:\Windows\system32\Pafkgphl.exe79⤵PID:3540
-
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe80⤵PID:4616
-
C:\Windows\SysWOW64\Ppnenlka.exeC:\Windows\system32\Ppnenlka.exe81⤵PID:2236
-
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe82⤵
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe83⤵PID:5224
-
C:\Windows\SysWOW64\Apeknk32.exeC:\Windows\system32\Apeknk32.exe84⤵PID:5268
-
C:\Windows\SysWOW64\Aadghn32.exeC:\Windows\system32\Aadghn32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5316 -
C:\Windows\SysWOW64\Aagdnn32.exeC:\Windows\system32\Aagdnn32.exe86⤵PID:5364
-
C:\Windows\SysWOW64\Aaiqcnhg.exeC:\Windows\system32\Aaiqcnhg.exe87⤵PID:5408
-
C:\Windows\SysWOW64\Apnndj32.exeC:\Windows\system32\Apnndj32.exe88⤵PID:5456
-
C:\Windows\SysWOW64\Bdlfjh32.exeC:\Windows\system32\Bdlfjh32.exe89⤵PID:5500
-
C:\Windows\SysWOW64\Bdocph32.exeC:\Windows\system32\Bdocph32.exe90⤵PID:5568
-
C:\Windows\SysWOW64\Bgdemb32.exeC:\Windows\system32\Bgdemb32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:5612 -
C:\Windows\SysWOW64\Cdhffg32.exeC:\Windows\system32\Cdhffg32.exe92⤵
- Drops file in System32 directory
PID:5680 -
C:\Windows\SysWOW64\Cmbgdl32.exeC:\Windows\system32\Cmbgdl32.exe93⤵PID:5724
-
C:\Windows\SysWOW64\Cdolgfbp.exeC:\Windows\system32\Cdolgfbp.exe94⤵
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Cacmpj32.exeC:\Windows\system32\Cacmpj32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5828 -
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe96⤵PID:5908
-
C:\Windows\SysWOW64\Dickplko.exeC:\Windows\system32\Dickplko.exe97⤵
- Drops file in System32 directory
PID:5952 -
C:\Windows\SysWOW64\Dpmcmf32.exeC:\Windows\system32\Dpmcmf32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5996 -
C:\Windows\SysWOW64\Dcnlnaom.exeC:\Windows\system32\Dcnlnaom.exe99⤵PID:6060
-
C:\Windows\SysWOW64\Djgdkk32.exeC:\Windows\system32\Djgdkk32.exe100⤵PID:6120
-
C:\Windows\SysWOW64\Ekgqennl.exeC:\Windows\system32\Ekgqennl.exe101⤵PID:5212
-
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe102⤵PID:5284
-
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe103⤵PID:5416
-
C:\Windows\SysWOW64\Ecgodpgb.exeC:\Windows\system32\Ecgodpgb.exe104⤵
- Drops file in System32 directory
PID:5496 -
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe105⤵PID:2900
-
C:\Windows\SysWOW64\Enopghee.exeC:\Windows\system32\Enopghee.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5676 -
C:\Windows\SysWOW64\Fkcpql32.exeC:\Windows\system32\Fkcpql32.exe107⤵PID:5644
-
C:\Windows\SysWOW64\Fdkdibjp.exeC:\Windows\system32\Fdkdibjp.exe108⤵PID:5812
-
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe109⤵PID:5940
-
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5988 -
C:\Windows\SysWOW64\Fcbnpnme.exeC:\Windows\system32\Fcbnpnme.exe111⤵PID:6100
-
C:\Windows\SysWOW64\Fnhbmgmk.exeC:\Windows\system32\Fnhbmgmk.exe112⤵PID:5192
-
C:\Windows\SysWOW64\Fnjocf32.exeC:\Windows\system32\Fnjocf32.exe113⤵
- Modifies registry class
PID:5360 -
C:\Windows\SysWOW64\Gnmlhf32.exeC:\Windows\system32\Gnmlhf32.exe114⤵PID:5520
-
C:\Windows\SysWOW64\Gnohnffc.exeC:\Windows\system32\Gnohnffc.exe115⤵PID:5620
-
C:\Windows\SysWOW64\Gdknpp32.exeC:\Windows\system32\Gdknpp32.exe116⤵PID:5780
-
C:\Windows\SysWOW64\Gglfbkin.exeC:\Windows\system32\Gglfbkin.exe117⤵PID:5944
-
C:\Windows\SysWOW64\Hkjohi32.exeC:\Windows\system32\Hkjohi32.exe118⤵PID:6056
-
C:\Windows\SysWOW64\Hjolie32.exeC:\Windows\system32\Hjolie32.exe119⤵PID:5260
-
C:\Windows\SysWOW64\Heepfn32.exeC:\Windows\system32\Heepfn32.exe120⤵PID:5596
-
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe121⤵PID:5772
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-