Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/06/2024, 13:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2_NeikiAnalytics.exe
-
Size
448KB
-
MD5
9b1f4d72dd698858175ae8c3dda10f30
-
SHA1
15fc3d044e1f028c693d657d52a120decd27d807
-
SHA256
ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2
-
SHA512
c0e5df467c6830370c92fafb7241db7c86247048d9785aba462ca3c6071dae70f94149d78933811ea8e158d8f67b22fec39d3d20d3830a4c7fa76089252f176d
-
SSDEEP
6144:+1WiA6s21L7/s50z/Wa3/PNlP59ENQdgrb8X6SJqGaPonZh/nr0xuIKjyAH9SKzS:+5705kWM/9J6gqGBf/sAHZHbgdhgi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcibca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bejobk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleqfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddhhbngi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehienn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjakgpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdhgaid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppikbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cajjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilkhog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Medglemj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolekd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnknim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggafgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gheodg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhppclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgeadjai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlkdhnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cidgdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppffec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmjaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ailabddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dehnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeodqocd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oblhcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Podkmgop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmimdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcodfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geipnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjomldfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Johggfha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medglemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdadpk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmghdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngipjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhlnjpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dajbaika.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehjfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkinmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iameid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpdefc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foclgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lchfib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acbmjcgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlnlak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfdfoala.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nieoal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmpjoloh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdfmkjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iglhob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ailabddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioffhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glchjedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhbhapha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamipe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlmegd32.exe -
Executes dropped EXE 64 IoCs
pid Process 1052 Hmbphg32.exe 5300 Iliinc32.exe 1924 Iojbpo32.exe 5552 Iibccgep.exe 4260 Ipoheakj.exe 3288 Jleijb32.exe 5612 Jgmjmjnb.exe 5452 Johnamkm.exe 1644 Jjpode32.exe 5336 Kjeiodek.exe 5324 Knenkbio.exe 2212 Kngkqbgl.exe 3016 Ojdgnn32.exe 5920 Ocaebc32.exe 5916 Pmlfqh32.exe 5980 Pdhkcb32.exe 2364 Phfcipoo.exe 2188 Qhhpop32.exe 2704 Qfmmplad.exe 3284 Aaenbd32.exe 4584 Amlogfel.exe 4256 Aajhndkb.exe 5296 Apodoq32.exe 5188 Bhkfkmmg.exe 768 Bphgeo32.exe 1580 Bdfpkm32.exe 224 Chdialdl.exe 556 Cammjakm.exe 2992 Caojpaij.exe 2052 Cnfkdb32.exe 3624 Ckjknfnh.exe 4768 Cdbpgl32.exe 5088 Dafppp32.exe 2472 Dpkmal32.exe 3604 Dqnjgl32.exe 3480 Doojec32.exe 4788 Ddkbmj32.exe 1652 Dqbcbkab.exe 5192 Doccpcja.exe 5360 Eqdpgk32.exe 1416 Edeeci32.exe 3728 Ekonpckp.exe 5204 Ehbnigjj.exe 748 Eomffaag.exe 3380 Fooclapd.exe 5080 Fdlkdhnk.exe 4372 Fkfcqb32.exe 4072 Fqbliicp.exe 3040 Foclgq32.exe 4224 Fgoakc32.exe 532 Fniihmpf.exe 5308 Fkmjaa32.exe 3548 Hecjke32.exe 5608 Hpkknmgd.exe 5424 Haaaaeim.exe 5776 Iogopi32.exe 5340 Ieccbbkn.exe 5376 Ilphdlqh.exe 560 Joqafgni.exe 4544 Jihbip32.exe 5892 Jikoopij.exe 5828 Johggfha.exe 5508 Jahqiaeb.exe 5564 Kibeoo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Okeklcen.exe Ohgopgfj.exe File opened for modification C:\Windows\SysWOW64\Ngklppei.exe Npadcfnl.exe File created C:\Windows\SysWOW64\Dkpqlc32.dll Fkfcqb32.exe File opened for modification C:\Windows\SysWOW64\Jikoopij.exe Jihbip32.exe File created C:\Windows\SysWOW64\Aeodmbol.dll Pmphaaln.exe File created C:\Windows\SysWOW64\Abggif32.dll Llngbabj.exe File created C:\Windows\SysWOW64\Famnbgil.dll Almanf32.exe File created C:\Windows\SysWOW64\Ehofco32.dll Mgbpdgap.exe File opened for modification C:\Windows\SysWOW64\Oiehhjjp.exe Odhppclh.exe File opened for modification C:\Windows\SysWOW64\Bdphnmjk.exe Bjkcqdje.exe File created C:\Windows\SysWOW64\Haaaaeim.exe Hpkknmgd.exe File created C:\Windows\SysWOW64\Djbbhafj.exe Deejpjgc.exe File created C:\Windows\SysWOW64\Ejlnfjbd.exe Edoencdm.exe File opened for modification C:\Windows\SysWOW64\Ekngemhd.exe Eafbmgad.exe File created C:\Windows\SysWOW64\Bckkpd32.dll Jgbhdkml.exe File created C:\Windows\SysWOW64\Bdphnmjk.exe Bjkcqdje.exe File created C:\Windows\SysWOW64\Epffbd32.exe Ejlnfjbd.exe File opened for modification C:\Windows\SysWOW64\Bpomem32.exe Biedhclh.exe File created C:\Windows\SysWOW64\Qhjojdql.dll Igieoleg.exe File created C:\Windows\SysWOW64\Dpbldapg.dll Kidmcqeg.exe File created C:\Windows\SysWOW64\Ejhdfi32.dll Iliinc32.exe File created C:\Windows\SysWOW64\Accheolp.dll Fgncff32.exe File opened for modification C:\Windows\SysWOW64\Iglhob32.exe Iqbpahpc.exe File created C:\Windows\SysWOW64\Kjgegjko.dll Mjkiephp.exe File opened for modification C:\Windows\SysWOW64\Cdmoafdb.exe Ckdkhq32.exe File created C:\Windows\SysWOW64\Dinael32.exe Ccdihbgg.exe File created C:\Windows\SysWOW64\Nmedmj32.exe Ngklppei.exe File created C:\Windows\SysWOW64\Mogdhape.dll Lbnggpfj.exe File created C:\Windows\SysWOW64\Chbfoaba.dll Fkmjaa32.exe File created C:\Windows\SysWOW64\Cfenfhnj.dll Lfmghdpl.exe File created C:\Windows\SysWOW64\Mpqklh32.exe Migcpneb.exe File opened for modification C:\Windows\SysWOW64\Lpdefc32.exe Ljglnmdi.exe File created C:\Windows\SysWOW64\Bfmolc32.exe Biiobo32.exe File created C:\Windows\SysWOW64\Ilpgfc32.dll Biiobo32.exe File opened for modification C:\Windows\SysWOW64\Eleimp32.exe Dekapfke.exe File created C:\Windows\SysWOW64\Lbjdeo32.dll Hnehdo32.exe File opened for modification C:\Windows\SysWOW64\Bgfhnpde.exe Afdkfh32.exe File created C:\Windows\SysWOW64\Glnnofhi.exe Ggafgo32.exe File opened for modification C:\Windows\SysWOW64\Amlogfel.exe Aaenbd32.exe File created C:\Windows\SysWOW64\Kdfepi32.dll Ddcebe32.exe File created C:\Windows\SysWOW64\Fphmhm32.dll Gnlenp32.exe File opened for modification C:\Windows\SysWOW64\Mapppn32.exe Lfiokmkc.exe File opened for modification C:\Windows\SysWOW64\Mfenglqf.exe Mhanngbl.exe File opened for modification C:\Windows\SysWOW64\Dknnoofg.exe Ddcebe32.exe File created C:\Windows\SysWOW64\Kaonnmka.dll Flfbcndo.exe File created C:\Windows\SysWOW64\Aphiikma.dll Golcak32.exe File opened for modification C:\Windows\SysWOW64\Caojpaij.exe Cammjakm.exe File opened for modification C:\Windows\SysWOW64\Obgohklm.exe Nmjfodne.exe File created C:\Windows\SysWOW64\Gmkock32.dll Gcnnllcg.exe File opened for modification C:\Windows\SysWOW64\Ledoegkm.exe Logicn32.exe File created C:\Windows\SysWOW64\Doqbifpl.exe Dlbfmjqi.exe File created C:\Windows\SysWOW64\Dpenjqca.dll Jflnafno.exe File opened for modification C:\Windows\SysWOW64\Fajgfiag.exe Flmonbbp.exe File created C:\Windows\SysWOW64\Pmphaaln.exe Pcgdhkem.exe File created C:\Windows\SysWOW64\Kblpcndd.exe Kkbkmqed.exe File opened for modification C:\Windows\SysWOW64\Llngbabj.exe Ledoegkm.exe File created C:\Windows\SysWOW64\Pehjfm32.exe Pcfmneaa.exe File created C:\Windows\SysWOW64\Aecialmb.exe Acbmjcgd.exe File opened for modification C:\Windows\SysWOW64\Dehnpp32.exe Donecfao.exe File created C:\Windows\SysWOW64\Nijfhn32.dll Fajgfiag.exe File created C:\Windows\SysWOW64\Pdgckg32.exe Pojjcp32.exe File opened for modification C:\Windows\SysWOW64\Goadfa32.exe Glchjedc.exe File created C:\Windows\SysWOW64\Iheaqolo.exe Hlnqln32.exe File created C:\Windows\SysWOW64\Ckjknfnh.exe Cnfkdb32.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 8224 12420 WerFault.exe 788 12704 12420 WerFault.exe 788 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cemeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqbpahpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdofpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmgn32.dll" Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apggckbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qppkhfec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmdoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfomiaim.dll" Bqkigp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbappaql.dll" Enbhdojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnlnaiq.dll" Eblgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll" Logicn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biedhclh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adpogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nciopppp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfdfoala.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeffgkkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeamcmmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqombb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfefdpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iabodcnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkobdie.dll" Klbnajqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmmlla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hccomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkhnd32.dll" Obgohklm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankgpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpomem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfnnmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfjcep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cleqfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpklcffg.dll" Kccbjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjegen32.dll" Jgekdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enbhdojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpedeiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgihop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcnnllcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdoadlje.dll" Falcli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhildae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdopjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpjjj32.dll" Cemeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlngcc32.dll" Kcbkpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alpnde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afkipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmpcc32.dll" Cbnbhfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmonbbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgeihiac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehpmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpqklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daphho32.dll" Nlcidopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgbgpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmkpp32.dll" Mkicjgnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgokdomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefaplcm.dll" Fcodfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgoakc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aabkbono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhciojn.dll" Kicfijal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfggbope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoiaikp.dll" Ilphdlqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfiokmkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dijppjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlemcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngklppei.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2620 wrote to memory of 1052 2620 ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2_NeikiAnalytics.exe 91 PID 2620 wrote to memory of 1052 2620 ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2_NeikiAnalytics.exe 91 PID 2620 wrote to memory of 1052 2620 ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2_NeikiAnalytics.exe 91 PID 1052 wrote to memory of 5300 1052 Hmbphg32.exe 92 PID 1052 wrote to memory of 5300 1052 Hmbphg32.exe 92 PID 1052 wrote to memory of 5300 1052 Hmbphg32.exe 92 PID 5300 wrote to memory of 1924 5300 Iliinc32.exe 93 PID 5300 wrote to memory of 1924 5300 Iliinc32.exe 93 PID 5300 wrote to memory of 1924 5300 Iliinc32.exe 93 PID 1924 wrote to memory of 5552 1924 Iojbpo32.exe 94 PID 1924 wrote to memory of 5552 1924 Iojbpo32.exe 94 PID 1924 wrote to memory of 5552 1924 Iojbpo32.exe 94 PID 5552 wrote to memory of 4260 5552 Iibccgep.exe 95 PID 5552 wrote to memory of 4260 5552 Iibccgep.exe 95 PID 5552 wrote to memory of 4260 5552 Iibccgep.exe 95 PID 4260 wrote to memory of 3288 4260 Ipoheakj.exe 96 PID 4260 wrote to memory of 3288 4260 Ipoheakj.exe 96 PID 4260 wrote to memory of 3288 4260 Ipoheakj.exe 96 PID 3288 wrote to memory of 5612 3288 Jleijb32.exe 97 PID 3288 wrote to memory of 5612 3288 Jleijb32.exe 97 PID 3288 wrote to memory of 5612 3288 Jleijb32.exe 97 PID 5612 wrote to memory of 5452 5612 Jgmjmjnb.exe 98 PID 5612 wrote to memory of 5452 5612 Jgmjmjnb.exe 98 PID 5612 wrote to memory of 5452 5612 Jgmjmjnb.exe 98 PID 5452 wrote to memory of 1644 5452 Johnamkm.exe 99 PID 5452 wrote to memory of 1644 5452 Johnamkm.exe 99 PID 5452 wrote to memory of 1644 5452 Johnamkm.exe 99 PID 1644 wrote to memory of 5336 1644 Jjpode32.exe 100 PID 1644 wrote to memory of 5336 1644 Jjpode32.exe 100 PID 1644 wrote to memory of 5336 1644 Jjpode32.exe 100 PID 5336 wrote to memory of 5324 5336 Kjeiodek.exe 101 PID 5336 wrote to memory of 5324 5336 Kjeiodek.exe 101 PID 5336 wrote to memory of 5324 5336 Kjeiodek.exe 101 PID 5324 wrote to memory of 2212 5324 Knenkbio.exe 102 PID 5324 wrote to memory of 2212 5324 Knenkbio.exe 102 PID 5324 wrote to memory of 2212 5324 Knenkbio.exe 102 PID 2212 wrote to memory of 3016 2212 Kngkqbgl.exe 103 PID 2212 wrote to memory of 3016 2212 Kngkqbgl.exe 103 PID 2212 wrote to memory of 3016 2212 Kngkqbgl.exe 103 PID 3016 wrote to memory of 5920 3016 Ojdgnn32.exe 104 PID 3016 wrote to memory of 5920 3016 Ojdgnn32.exe 104 PID 3016 wrote to memory of 5920 3016 Ojdgnn32.exe 104 PID 5920 wrote to memory of 5916 5920 Ocaebc32.exe 105 PID 5920 wrote to memory of 5916 5920 Ocaebc32.exe 105 PID 5920 wrote to memory of 5916 5920 Ocaebc32.exe 105 PID 5916 wrote to memory of 5980 5916 Pmlfqh32.exe 106 PID 5916 wrote to memory of 5980 5916 Pmlfqh32.exe 106 PID 5916 wrote to memory of 5980 5916 Pmlfqh32.exe 106 PID 5980 wrote to memory of 2364 5980 Pdhkcb32.exe 107 PID 5980 wrote to memory of 2364 5980 Pdhkcb32.exe 107 PID 5980 wrote to memory of 2364 5980 Pdhkcb32.exe 107 PID 2364 wrote to memory of 2188 2364 Phfcipoo.exe 108 PID 2364 wrote to memory of 2188 2364 Phfcipoo.exe 108 PID 2364 wrote to memory of 2188 2364 Phfcipoo.exe 108 PID 2188 wrote to memory of 2704 2188 Qhhpop32.exe 109 PID 2188 wrote to memory of 2704 2188 Qhhpop32.exe 109 PID 2188 wrote to memory of 2704 2188 Qhhpop32.exe 109 PID 2704 wrote to memory of 3284 2704 Qfmmplad.exe 110 PID 2704 wrote to memory of 3284 2704 Qfmmplad.exe 110 PID 2704 wrote to memory of 3284 2704 Qfmmplad.exe 110 PID 3284 wrote to memory of 4584 3284 Aaenbd32.exe 111 PID 3284 wrote to memory of 4584 3284 Aaenbd32.exe 111 PID 3284 wrote to memory of 4584 3284 Aaenbd32.exe 111 PID 4584 wrote to memory of 4256 4584 Amlogfel.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ae2b58ad9ee66dac2c2f5943fec372872f80920d50058e35562948e358b895e2_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5300 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5552 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Jleijb32.exeC:\Windows\system32\Jleijb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\Jgmjmjnb.exeC:\Windows\system32\Jgmjmjnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5612 -
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5452 -
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5336 -
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5324 -
C:\Windows\SysWOW64\Kngkqbgl.exeC:\Windows\system32\Kngkqbgl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Ojdgnn32.exeC:\Windows\system32\Ojdgnn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5920 -
C:\Windows\SysWOW64\Pmlfqh32.exeC:\Windows\system32\Pmlfqh32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5916 -
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5980 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Aaenbd32.exeC:\Windows\system32\Aaenbd32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Amlogfel.exeC:\Windows\system32\Amlogfel.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Aajhndkb.exeC:\Windows\system32\Aajhndkb.exe23⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Apodoq32.exeC:\Windows\system32\Apodoq32.exe24⤵
- Executes dropped EXE
PID:5296 -
C:\Windows\SysWOW64\Bhkfkmmg.exeC:\Windows\system32\Bhkfkmmg.exe25⤵
- Executes dropped EXE
PID:5188 -
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe26⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe27⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Chdialdl.exeC:\Windows\system32\Chdialdl.exe28⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Caojpaij.exeC:\Windows\system32\Caojpaij.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Ckjknfnh.exeC:\Windows\system32\Ckjknfnh.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Cdbpgl32.exeC:\Windows\system32\Cdbpgl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe34⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Dpkmal32.exeC:\Windows\system32\Dpkmal32.exe35⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe36⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe37⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Dqbcbkab.exeC:\Windows\system32\Dqbcbkab.exe39⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Doccpcja.exeC:\Windows\system32\Doccpcja.exe40⤵
- Executes dropped EXE
PID:5192 -
C:\Windows\SysWOW64\Eqdpgk32.exeC:\Windows\system32\Eqdpgk32.exe41⤵
- Executes dropped EXE
PID:5360 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe42⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe43⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Ehbnigjj.exeC:\Windows\system32\Ehbnigjj.exe44⤵
- Executes dropped EXE
PID:5204 -
C:\Windows\SysWOW64\Eomffaag.exeC:\Windows\system32\Eomffaag.exe45⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe46⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Fdlkdhnk.exeC:\Windows\system32\Fdlkdhnk.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4372 -
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe49⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Foclgq32.exeC:\Windows\system32\Foclgq32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Fgoakc32.exeC:\Windows\system32\Fgoakc32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Fniihmpf.exeC:\Windows\system32\Fniihmpf.exe52⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Fkmjaa32.exeC:\Windows\system32\Fkmjaa32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Hecjke32.exeC:\Windows\system32\Hecjke32.exe54⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5608 -
C:\Windows\SysWOW64\Haaaaeim.exeC:\Windows\system32\Haaaaeim.exe56⤵
- Executes dropped EXE
PID:5424 -
C:\Windows\SysWOW64\Iogopi32.exeC:\Windows\system32\Iogopi32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5776 -
C:\Windows\SysWOW64\Ieccbbkn.exeC:\Windows\system32\Ieccbbkn.exe58⤵
- Executes dropped EXE
PID:5340 -
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:5376 -
C:\Windows\SysWOW64\Joqafgni.exeC:\Windows\system32\Joqafgni.exe60⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Jihbip32.exeC:\Windows\system32\Jihbip32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Jikoopij.exeC:\Windows\system32\Jikoopij.exe62⤵
- Executes dropped EXE
PID:5892 -
C:\Windows\SysWOW64\Johggfha.exeC:\Windows\system32\Johggfha.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5828 -
C:\Windows\SysWOW64\Jahqiaeb.exeC:\Windows\system32\Jahqiaeb.exe64⤵
- Executes dropped EXE
PID:5508 -
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe65⤵
- Executes dropped EXE
PID:5564 -
C:\Windows\SysWOW64\Klbnajqc.exeC:\Windows\system32\Klbnajqc.exe66⤵
- Modifies registry class
PID:4668 -
C:\Windows\SysWOW64\Khiofk32.exeC:\Windows\system32\Khiofk32.exe67⤵PID:5268
-
C:\Windows\SysWOW64\Khlklj32.exeC:\Windows\system32\Khlklj32.exe68⤵PID:1056
-
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe69⤵PID:5800
-
C:\Windows\SysWOW64\Lojmcdgl.exeC:\Windows\system32\Lojmcdgl.exe70⤵PID:5540
-
C:\Windows\SysWOW64\Lchfib32.exeC:\Windows\system32\Lchfib32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3752 -
C:\Windows\SysWOW64\Lfiokmkc.exeC:\Windows\system32\Lfiokmkc.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:3924 -
C:\Windows\SysWOW64\Mapppn32.exeC:\Windows\system32\Mapppn32.exe73⤵PID:3388
-
C:\Windows\SysWOW64\Mfnhfm32.exeC:\Windows\system32\Mfnhfm32.exe74⤵PID:6032
-
C:\Windows\SysWOW64\Mofmobmo.exeC:\Windows\system32\Mofmobmo.exe75⤵PID:4448
-
C:\Windows\SysWOW64\Mljmhflh.exeC:\Windows\system32\Mljmhflh.exe76⤵PID:3976
-
C:\Windows\SysWOW64\Mhanngbl.exeC:\Windows\system32\Mhanngbl.exe77⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Mfenglqf.exeC:\Windows\system32\Mfenglqf.exe78⤵PID:5128
-
C:\Windows\SysWOW64\Nciopppp.exeC:\Windows\system32\Nciopppp.exe79⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Nhegig32.exeC:\Windows\system32\Nhegig32.exe80⤵PID:2088
-
C:\Windows\SysWOW64\Nfihbk32.exeC:\Windows\system32\Nfihbk32.exe81⤵
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe82⤵PID:872
-
C:\Windows\SysWOW64\Nmfmde32.exeC:\Windows\system32\Nmfmde32.exe83⤵PID:4088
-
C:\Windows\SysWOW64\Nqcejcha.exeC:\Windows\system32\Nqcejcha.exe84⤵PID:864
-
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe85⤵
- Drops file in System32 directory
PID:4968 -
C:\Windows\SysWOW64\Obgohklm.exeC:\Windows\system32\Obgohklm.exe86⤵
- Modifies registry class
PID:4596 -
C:\Windows\SysWOW64\Oiagde32.exeC:\Windows\system32\Oiagde32.exe87⤵PID:5312
-
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe88⤵PID:5152
-
C:\Windows\SysWOW64\Oiccje32.exeC:\Windows\system32\Oiccje32.exe89⤵PID:1964
-
C:\Windows\SysWOW64\Oblhcj32.exeC:\Windows\system32\Oblhcj32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:924 -
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe91⤵PID:4676
-
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe92⤵PID:1484
-
C:\Windows\SysWOW64\Omdieb32.exeC:\Windows\system32\Omdieb32.exe93⤵PID:5912
-
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6096 -
C:\Windows\SysWOW64\Ppdbgncl.exeC:\Windows\system32\Ppdbgncl.exe95⤵PID:1004
-
C:\Windows\SysWOW64\Pimfpc32.exeC:\Windows\system32\Pimfpc32.exe96⤵PID:4812
-
C:\Windows\SysWOW64\Pbekii32.exeC:\Windows\system32\Pbekii32.exe97⤵PID:5788
-
C:\Windows\SysWOW64\Ppikbm32.exeC:\Windows\system32\Ppikbm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3084 -
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe99⤵
- Modifies registry class
PID:3968 -
C:\Windows\SysWOW64\Pcgdhkem.exeC:\Windows\system32\Pcgdhkem.exe100⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Pmphaaln.exeC:\Windows\system32\Pmphaaln.exe101⤵
- Drops file in System32 directory
PID:4248 -
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe102⤵PID:2204
-
C:\Windows\SysWOW64\Qppaclio.exeC:\Windows\system32\Qppaclio.exe103⤵PID:5168
-
C:\Windows\SysWOW64\Qjffpe32.exeC:\Windows\system32\Qjffpe32.exe104⤵PID:4368
-
C:\Windows\SysWOW64\Qapnmopa.exeC:\Windows\system32\Qapnmopa.exe105⤵PID:5084
-
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe106⤵PID:5048
-
C:\Windows\SysWOW64\Aabkbono.exeC:\Windows\system32\Aabkbono.exe107⤵
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Afockelf.exeC:\Windows\system32\Afockelf.exe108⤵PID:5940
-
C:\Windows\SysWOW64\Apggckbf.exeC:\Windows\system32\Apggckbf.exe109⤵
- Modifies registry class
PID:5952 -
C:\Windows\SysWOW64\Afappe32.exeC:\Windows\system32\Afappe32.exe110⤵PID:5764
-
C:\Windows\SysWOW64\Afcmfe32.exeC:\Windows\system32\Afcmfe32.exe111⤵PID:216
-
C:\Windows\SysWOW64\Aplaoj32.exeC:\Windows\system32\Aplaoj32.exe112⤵PID:2328
-
C:\Windows\SysWOW64\Ajaelc32.exeC:\Windows\system32\Ajaelc32.exe113⤵PID:4144
-
C:\Windows\SysWOW64\Adjjeieh.exeC:\Windows\system32\Adjjeieh.exe114⤵PID:2624
-
C:\Windows\SysWOW64\Bdlfjh32.exeC:\Windows\system32\Bdlfjh32.exe115⤵PID:4848
-
C:\Windows\SysWOW64\Biiobo32.exeC:\Windows\system32\Biiobo32.exe116⤵
- Drops file in System32 directory
PID:5568 -
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe117⤵PID:2316
-
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe118⤵
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Binhnomg.exeC:\Windows\system32\Binhnomg.exe119⤵PID:6112
-
C:\Windows\SysWOW64\Bbfmgd32.exeC:\Windows\system32\Bbfmgd32.exe120⤵PID:2716
-
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe121⤵
- Modifies registry class
PID:2616
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-