Analysis
-
max time kernel
125s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28/06/2024, 15:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99_NeikiAnalytics.exe
-
Size
320KB
-
MD5
1415a53bf0dd95e1c01ae7050d4e9d40
-
SHA1
d6066e82f98693f4bfc6b9c7b3db21780a03ca41
-
SHA256
9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99
-
SHA512
3048cacf02cdeb6b2c24f63456957ab284b6118204052d8d3bff1421f647bd1e348f87e953496b0ef4436568055fc6f3feb55b656073aafbb35f85103534836f
-
SSDEEP
6144:h43YRpwA//R2///////////////9RRnRRA////////R7//////RIZwV/Ah1G/Acs:44pwT/Nv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doagjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aimogakj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompfej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdndloi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpakn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofckhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqmlccdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fclhpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aabkbono.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfohgqlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofkgcobj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modpib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgkei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjgfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egcaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hioflcbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmaamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhphmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbnfleo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egnajocq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coegoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edoencdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbdiknlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqbcbkab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpfan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipihpkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mledmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mogcihaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khiofk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adepji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fboecfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbbicl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmojd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqbala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaceghcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijqcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagmdllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmhcaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcphdqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edplhjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbpedjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekngemhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfeeabda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnlme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inebjihf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egegjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimldogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhanngbl.exe -
Executes dropped EXE 64 IoCs
pid Process 2184 Hfcnpn32.exe 4360 Hoobdp32.exe 2592 Hmpcbhji.exe 3864 Hblkjo32.exe 1020 Hlepcdoa.exe 1408 Hemdlj32.exe 856 Hoeieolb.exe 4872 Imgicgca.exe 2568 Ibcaknbi.exe 4372 Iinjhh32.exe 1060 Iojbpo32.exe 4856 Igajal32.exe 1272 Iipfmggc.exe 2260 Iefgbh32.exe 1456 Ioolkncg.exe 3244 Ieidhh32.exe 1700 Jiglnf32.exe 2892 Jiiicf32.exe 392 Jilfifme.exe 1884 Jcdjbk32.exe 1120 Jlolpq32.exe 3096 Klahfp32.exe 4992 Koodbl32.exe 964 Keimof32.exe 884 Kgiiiidd.exe 224 Klfaapbl.exe 1280 Kcpjnjii.exe 1596 Klhnfo32.exe 1076 Kjlopc32.exe 4920 Lljklo32.exe 1244 Lnjgfb32.exe 3548 Lokdnjkg.exe 3992 Lfeljd32.exe 5008 Lomqcjie.exe 1972 Ljceqb32.exe 3480 Lmaamn32.exe 4612 Ljeafb32.exe 804 Lflbkcll.exe 2976 Mqafhl32.exe 3436 Mmhgmmbf.exe 2044 Mogcihaj.exe 3144 Mfqlfb32.exe 464 Mcelpggq.exe 2268 Mfchlbfd.exe 3224 Mmmqhl32.exe 2708 Mokmdh32.exe 1988 Mfeeabda.exe 316 Mnmmboed.exe 4908 Mcifkf32.exe 1424 Nmbjcljl.exe 2684 Nggnadib.exe 2736 Nqpcjj32.exe 2972 Ngjkfd32.exe 4180 Njhgbp32.exe 3388 Npepkf32.exe 4092 Nfohgqlg.exe 3104 Nadleilm.exe 1056 Npgmpf32.exe 1072 Nmkmjjaa.exe 1632 Omnjojpo.exe 4312 Oplfkeob.exe 5028 Ompfej32.exe 60 Ocjoadei.exe 1468 Oanokhdb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mohidbkl.exe Mljmhflh.exe File created C:\Windows\SysWOW64\Lhnoigkk.dll Obqanjdb.exe File created C:\Windows\SysWOW64\Aldjigql.dll Cigkdmel.exe File opened for modification C:\Windows\SysWOW64\Iinjhh32.exe Ibcaknbi.exe File created C:\Windows\SysWOW64\Pfoann32.exe Oabhfg32.exe File created C:\Windows\SysWOW64\Hnphoj32.exe Hhfpbpdo.exe File created C:\Windows\SysWOW64\Jocnlg32.exe Jldbpl32.exe File created C:\Windows\SysWOW64\Kqkplq32.dll Pcpnhl32.exe File created C:\Windows\SysWOW64\Jlllhigk.dll Lflbkcll.exe File opened for modification C:\Windows\SysWOW64\Cdpcal32.exe Caageq32.exe File created C:\Windows\SysWOW64\Bfcklp32.dll Fofilp32.exe File created C:\Windows\SysWOW64\Defbaa32.dll Ljbnfleo.exe File opened for modification C:\Windows\SysWOW64\Jikoopij.exe Jadgnb32.exe File opened for modification C:\Windows\SysWOW64\Aimogakj.exe Abcgjg32.exe File created C:\Windows\SysWOW64\Cibain32.exe Bgdemb32.exe File opened for modification C:\Windows\SysWOW64\Halhfe32.exe Hnnljj32.exe File opened for modification C:\Windows\SysWOW64\Jldbpl32.exe Jifecp32.exe File created C:\Windows\SysWOW64\Naagioah.dll Nckkfp32.exe File created C:\Windows\SysWOW64\Bdcmkgmm.exe Bmidnm32.exe File opened for modification C:\Windows\SysWOW64\Lfeljd32.exe Lokdnjkg.exe File created C:\Windows\SysWOW64\Nkgdfb32.dll Ofmdio32.exe File opened for modification C:\Windows\SysWOW64\Egcaod32.exe Edeeci32.exe File opened for modification C:\Windows\SysWOW64\Fkfcqb32.exe Fgjhpcmo.exe File created C:\Windows\SysWOW64\Lancko32.exe Llqjbhdc.exe File opened for modification C:\Windows\SysWOW64\Mfkkqmiq.exe Lcmodajm.exe File opened for modification C:\Windows\SysWOW64\Nbphglbe.exe Nmcpoedn.exe File opened for modification C:\Windows\SysWOW64\Bagmdllg.exe Bipecnkd.exe File created C:\Windows\SysWOW64\Nadleilm.exe Nfohgqlg.exe File created C:\Windows\SysWOW64\Akkffkhk.exe Qacameaj.exe File opened for modification C:\Windows\SysWOW64\Ipgkjlmg.exe Ieagmcmq.exe File opened for modification C:\Windows\SysWOW64\Jlikkkhn.exe Jikoopij.exe File opened for modification C:\Windows\SysWOW64\Omopjcjp.exe Ojqcnhkl.exe File opened for modification C:\Windows\SysWOW64\Qfmfefni.exe Qpbnhl32.exe File opened for modification C:\Windows\SysWOW64\Amkhmoap.exe Ajmladbl.exe File created C:\Windows\SysWOW64\Ggmkff32.dll Jilfifme.exe File opened for modification C:\Windows\SysWOW64\Nmkmjjaa.exe Npgmpf32.exe File created C:\Windows\SysWOW64\Ahfmjddg.dll Kpccmhdg.exe File opened for modification C:\Windows\SysWOW64\Mhanngbl.exe Mbgeqmjp.exe File created C:\Windows\SysWOW64\Pnplfj32.exe Pdjgha32.exe File created C:\Windows\SysWOW64\Qckcba32.dll Pqbala32.exe File opened for modification C:\Windows\SysWOW64\Pmhbqbae.exe Pjjfdfbb.exe File created C:\Windows\SysWOW64\Bgdemb32.exe Bdeiqgkj.exe File opened for modification C:\Windows\SysWOW64\Ipdndloi.exe Iacngdgj.exe File created C:\Windows\SysWOW64\Aanfno32.dll Ipkdek32.exe File created C:\Windows\SysWOW64\Lflbkcll.exe Ljeafb32.exe File created C:\Windows\SysWOW64\Dicdcemd.dll Nqpcjj32.exe File created C:\Windows\SysWOW64\Pdjgha32.exe Palklf32.exe File opened for modification C:\Windows\SysWOW64\Dgeenfog.exe Ddgibkpc.exe File created C:\Windows\SysWOW64\Ljgmjm32.dll Oqoefand.exe File created C:\Windows\SysWOW64\Fcpjljph.dll Lljklo32.exe File opened for modification C:\Windows\SysWOW64\Mnmmboed.exe Mfeeabda.exe File opened for modification C:\Windows\SysWOW64\Iacngdgj.exe Inebjihf.exe File opened for modification C:\Windows\SysWOW64\Mjidgkog.exe Mfnhfm32.exe File created C:\Windows\SysWOW64\Bahdob32.exe Bknlbhhe.exe File created C:\Windows\SysWOW64\Dhphmj32.exe Cnjdpaki.exe File created C:\Windows\SysWOW64\Pqbala32.exe Oikjkc32.exe File created C:\Windows\SysWOW64\Ddfbgelh.exe Dahfkimd.exe File created C:\Windows\SysWOW64\Mpkcqhdh.dll Doccpcja.exe File opened for modification C:\Windows\SysWOW64\Fgjhpcmo.exe Fbmohmoh.exe File opened for modification C:\Windows\SysWOW64\Gihpkd32.exe Gaqhjggp.exe File created C:\Windows\SysWOW64\Jaonbc32.exe Joqafgni.exe File opened for modification C:\Windows\SysWOW64\Iojbpo32.exe Iinjhh32.exe File opened for modification C:\Windows\SysWOW64\Iefgbh32.exe Iipfmggc.exe File created C:\Windows\SysWOW64\Jnifpf32.dll Mcelpggq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10284 11160 WerFault.exe 523 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edqnimdf.dll" Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll" Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amkhmoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmdblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hecjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcmfnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID 9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll" Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkphhgfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqhjggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqbala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcjqc32.dll" Jlolpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll" Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjeplijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldeljei.dll" Mljmhflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polcjq32.dll" Ajmladbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekimjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcneeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnljbeg.dll" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefgjq32.dll" Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoiaikp.dll" Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll" Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdinefi.dll" Ehlhih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbgeqmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbkfbcpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll" Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chdialdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hecjke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jikoopij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpepbgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfedh32.dll" Feqeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhgkgijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahfkimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjhab32.dll" Jcdjbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmdio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edbiniff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejqldci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcphdqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll" Nijqcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikjkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcelpggq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngjkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll" Cponen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdggc32.dll" Hbgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabcflhd.dll" Lebijnak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adgmoigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll" Dahfkimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foolmeif.dll" Dgdncplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddifgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqbcbkab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhfpbpdo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1232 wrote to memory of 2184 1232 9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99_NeikiAnalytics.exe 88 PID 1232 wrote to memory of 2184 1232 9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99_NeikiAnalytics.exe 88 PID 1232 wrote to memory of 2184 1232 9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99_NeikiAnalytics.exe 88 PID 2184 wrote to memory of 4360 2184 Hfcnpn32.exe 89 PID 2184 wrote to memory of 4360 2184 Hfcnpn32.exe 89 PID 2184 wrote to memory of 4360 2184 Hfcnpn32.exe 89 PID 4360 wrote to memory of 2592 4360 Hoobdp32.exe 90 PID 4360 wrote to memory of 2592 4360 Hoobdp32.exe 90 PID 4360 wrote to memory of 2592 4360 Hoobdp32.exe 90 PID 2592 wrote to memory of 3864 2592 Hmpcbhji.exe 91 PID 2592 wrote to memory of 3864 2592 Hmpcbhji.exe 91 PID 2592 wrote to memory of 3864 2592 Hmpcbhji.exe 91 PID 3864 wrote to memory of 1020 3864 Hblkjo32.exe 92 PID 3864 wrote to memory of 1020 3864 Hblkjo32.exe 92 PID 3864 wrote to memory of 1020 3864 Hblkjo32.exe 92 PID 1020 wrote to memory of 1408 1020 Hlepcdoa.exe 93 PID 1020 wrote to memory of 1408 1020 Hlepcdoa.exe 93 PID 1020 wrote to memory of 1408 1020 Hlepcdoa.exe 93 PID 1408 wrote to memory of 856 1408 Hemdlj32.exe 94 PID 1408 wrote to memory of 856 1408 Hemdlj32.exe 94 PID 1408 wrote to memory of 856 1408 Hemdlj32.exe 94 PID 856 wrote to memory of 4872 856 Hoeieolb.exe 95 PID 856 wrote to memory of 4872 856 Hoeieolb.exe 95 PID 856 wrote to memory of 4872 856 Hoeieolb.exe 95 PID 4872 wrote to memory of 2568 4872 Imgicgca.exe 96 PID 4872 wrote to memory of 2568 4872 Imgicgca.exe 96 PID 4872 wrote to memory of 2568 4872 Imgicgca.exe 96 PID 2568 wrote to memory of 4372 2568 Ibcaknbi.exe 97 PID 2568 wrote to memory of 4372 2568 Ibcaknbi.exe 97 PID 2568 wrote to memory of 4372 2568 Ibcaknbi.exe 97 PID 4372 wrote to memory of 1060 4372 Iinjhh32.exe 98 PID 4372 wrote to memory of 1060 4372 Iinjhh32.exe 98 PID 4372 wrote to memory of 1060 4372 Iinjhh32.exe 98 PID 1060 wrote to memory of 4856 1060 Iojbpo32.exe 99 PID 1060 wrote to memory of 4856 1060 Iojbpo32.exe 99 PID 1060 wrote to memory of 4856 1060 Iojbpo32.exe 99 PID 4856 wrote to memory of 1272 4856 Igajal32.exe 100 PID 4856 wrote to memory of 1272 4856 Igajal32.exe 100 PID 4856 wrote to memory of 1272 4856 Igajal32.exe 100 PID 1272 wrote to memory of 2260 1272 Iipfmggc.exe 101 PID 1272 wrote to memory of 2260 1272 Iipfmggc.exe 101 PID 1272 wrote to memory of 2260 1272 Iipfmggc.exe 101 PID 2260 wrote to memory of 1456 2260 Iefgbh32.exe 102 PID 2260 wrote to memory of 1456 2260 Iefgbh32.exe 102 PID 2260 wrote to memory of 1456 2260 Iefgbh32.exe 102 PID 1456 wrote to memory of 3244 1456 Ioolkncg.exe 103 PID 1456 wrote to memory of 3244 1456 Ioolkncg.exe 103 PID 1456 wrote to memory of 3244 1456 Ioolkncg.exe 103 PID 3244 wrote to memory of 1700 3244 Ieidhh32.exe 104 PID 3244 wrote to memory of 1700 3244 Ieidhh32.exe 104 PID 3244 wrote to memory of 1700 3244 Ieidhh32.exe 104 PID 1700 wrote to memory of 2892 1700 Jiglnf32.exe 105 PID 1700 wrote to memory of 2892 1700 Jiglnf32.exe 105 PID 1700 wrote to memory of 2892 1700 Jiglnf32.exe 105 PID 2892 wrote to memory of 392 2892 Jiiicf32.exe 106 PID 2892 wrote to memory of 392 2892 Jiiicf32.exe 106 PID 2892 wrote to memory of 392 2892 Jiiicf32.exe 106 PID 392 wrote to memory of 1884 392 Jilfifme.exe 107 PID 392 wrote to memory of 1884 392 Jilfifme.exe 107 PID 392 wrote to memory of 1884 392 Jilfifme.exe 107 PID 1884 wrote to memory of 1120 1884 Jcdjbk32.exe 108 PID 1884 wrote to memory of 1120 1884 Jcdjbk32.exe 108 PID 1884 wrote to memory of 1120 1884 Jcdjbk32.exe 108 PID 1120 wrote to memory of 3096 1120 Jlolpq32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9eeed6f13a8ce79d935ccdcb60c54709fe76b698e50f5c07b62010edf19fee99_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Hfcnpn32.exeC:\Windows\system32\Hfcnpn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Hblkjo32.exeC:\Windows\system32\Hblkjo32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Hemdlj32.exeC:\Windows\system32\Hemdlj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Koodbl32.exeC:\Windows\system32\Koodbl32.exe24⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Keimof32.exeC:\Windows\system32\Keimof32.exe25⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe27⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Kcpjnjii.exeC:\Windows\system32\Kcpjnjii.exe28⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Klhnfo32.exeC:\Windows\system32\Klhnfo32.exe29⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe30⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Lljklo32.exeC:\Windows\system32\Lljklo32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4920 -
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Lokdnjkg.exeC:\Windows\system32\Lokdnjkg.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3548 -
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe34⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Lomqcjie.exeC:\Windows\system32\Lomqcjie.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:5008 -
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe36⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Lmaamn32.exeC:\Windows\system32\Lmaamn32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Ljeafb32.exeC:\Windows\system32\Ljeafb32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4612 -
C:\Windows\SysWOW64\Lflbkcll.exeC:\Windows\system32\Lflbkcll.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Mqafhl32.exeC:\Windows\system32\Mqafhl32.exe40⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe41⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Mogcihaj.exeC:\Windows\system32\Mogcihaj.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe43⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Mcelpggq.exeC:\Windows\system32\Mcelpggq.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\Mfchlbfd.exeC:\Windows\system32\Mfchlbfd.exe45⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe46⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe47⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Mfeeabda.exeC:\Windows\system32\Mfeeabda.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe49⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe50⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Nmbjcljl.exeC:\Windows\system32\Nmbjcljl.exe51⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Nggnadib.exeC:\Windows\system32\Nggnadib.exe52⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe53⤵PID:1592
-
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe56⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe57⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Nfohgqlg.exeC:\Windows\system32\Nfohgqlg.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe59⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe61⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Oplfkeob.exeC:\Windows\system32\Oplfkeob.exe63⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Ocjoadei.exeC:\Windows\system32\Ocjoadei.exe65⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe66⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ofkgcobj.exeC:\Windows\system32\Ofkgcobj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe68⤵PID:3968
-
C:\Windows\SysWOW64\Ofmdio32.exeC:\Windows\system32\Ofmdio32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:3292 -
C:\Windows\SysWOW64\Ondljl32.exeC:\Windows\system32\Ondljl32.exe70⤵PID:4984
-
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3940 -
C:\Windows\SysWOW64\Pfoann32.exeC:\Windows\system32\Pfoann32.exe72⤵PID:3760
-
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe73⤵PID:4252
-
C:\Windows\SysWOW64\Pjmjdm32.exeC:\Windows\system32\Pjmjdm32.exe74⤵PID:4472
-
C:\Windows\SysWOW64\Ppjbmc32.exeC:\Windows\system32\Ppjbmc32.exe75⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Phajna32.exeC:\Windows\system32\Phajna32.exe76⤵PID:3288
-
C:\Windows\SysWOW64\Pmnbfhal.exeC:\Windows\system32\Pmnbfhal.exe77⤵PID:232
-
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:212 -
C:\Windows\SysWOW64\Pffgom32.exeC:\Windows\system32\Pffgom32.exe79⤵PID:4960
-
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe80⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Pdjgha32.exeC:\Windows\system32\Pdjgha32.exe81⤵
- Drops file in System32 directory
PID:5176 -
C:\Windows\SysWOW64\Pnplfj32.exeC:\Windows\system32\Pnplfj32.exe82⤵PID:5232
-
C:\Windows\SysWOW64\Pdmdnadc.exeC:\Windows\system32\Pdmdnadc.exe83⤵PID:5288
-
C:\Windows\SysWOW64\Qjfmkk32.exeC:\Windows\system32\Qjfmkk32.exe84⤵PID:5352
-
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe85⤵PID:5416
-
C:\Windows\SysWOW64\Qjiipk32.exeC:\Windows\system32\Qjiipk32.exe86⤵PID:5464
-
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe87⤵
- Drops file in System32 directory
PID:5512 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe88⤵PID:5552
-
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe89⤵PID:5604
-
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe90⤵PID:5656
-
C:\Windows\SysWOW64\Aagkhd32.exeC:\Windows\system32\Aagkhd32.exe91⤵PID:5696
-
C:\Windows\SysWOW64\Ahaceo32.exeC:\Windows\system32\Ahaceo32.exe92⤵PID:5744
-
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5788 -
C:\Windows\SysWOW64\Aggpfkjj.exeC:\Windows\system32\Aggpfkjj.exe94⤵PID:5832
-
C:\Windows\SysWOW64\Ahfmpnql.exeC:\Windows\system32\Ahfmpnql.exe95⤵PID:5876
-
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe96⤵PID:5916
-
C:\Windows\SysWOW64\Bdmmeo32.exeC:\Windows\system32\Bdmmeo32.exe97⤵PID:5964
-
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe98⤵PID:6008
-
C:\Windows\SysWOW64\Bhkfkmmg.exeC:\Windows\system32\Bhkfkmmg.exe99⤵PID:6048
-
C:\Windows\SysWOW64\Bkibgh32.exeC:\Windows\system32\Bkibgh32.exe100⤵PID:6092
-
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe101⤵PID:6132
-
C:\Windows\SysWOW64\Bgpcliao.exeC:\Windows\system32\Bgpcliao.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164 -
C:\Windows\SysWOW64\Baegibae.exeC:\Windows\system32\Baegibae.exe103⤵PID:5268
-
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe104⤵PID:5340
-
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe105⤵PID:5456
-
C:\Windows\SysWOW64\Bknlbhhe.exeC:\Windows\system32\Bknlbhhe.exe106⤵
- Drops file in System32 directory
PID:5476 -
C:\Windows\SysWOW64\Bahdob32.exeC:\Windows\system32\Bahdob32.exe107⤵
- Modifies registry class
PID:5596 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe108⤵PID:5680
-
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Bnoddcef.exeC:\Windows\system32\Bnoddcef.exe110⤵PID:5812
-
C:\Windows\SysWOW64\Cpmapodj.exeC:\Windows\system32\Cpmapodj.exe111⤵PID:5860
-
C:\Windows\SysWOW64\Chdialdl.exeC:\Windows\system32\Chdialdl.exe112⤵
- Modifies registry class
PID:5956 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe113⤵
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Ckebcg32.exeC:\Windows\system32\Ckebcg32.exe114⤵PID:6076
-
C:\Windows\SysWOW64\Caojpaij.exeC:\Windows\system32\Caojpaij.exe115⤵PID:5160
-
C:\Windows\SysWOW64\Caageq32.exeC:\Windows\system32\Caageq32.exe116⤵
- Drops file in System32 directory
PID:5336 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe117⤵PID:5452
-
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5592 -
C:\Windows\SysWOW64\Cpfcfmlp.exeC:\Windows\system32\Cpfcfmlp.exe119⤵PID:5676
-
C:\Windows\SysWOW64\Cgqlcg32.exeC:\Windows\system32\Cgqlcg32.exe120⤵
- Modifies registry class
PID:5784 -
C:\Windows\SysWOW64\Cnjdpaki.exeC:\Windows\system32\Cnjdpaki.exe121⤵
- Drops file in System32 directory
PID:5948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-