Analysis
-
max time kernel
149s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 21:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010_NeikiAnalytics.exe
-
Size
95KB
-
MD5
cdcede0b8377824afb1d934f85060760
-
SHA1
b80a91f2d46a2d599c37a1edeb52156f4904537d
-
SHA256
0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010
-
SHA512
2f6dc63af61f6d8b600f94e257a8a5a913ceede2a2cd67fe56769b981b499bbfbb0f5797727caa92d6c2537df40e2cd3b923c1e759264fe32d9226443c29c78b
-
SSDEEP
1536:zf3FUBFELVYfH6qidTbA6L5HRIf4VzIxPk3zVfWOM6bOLXi8PmCofGV:rFU7faJdTnlxjIxc3zVfWDrLXfzoeV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogndki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahmoefm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidlqhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edgkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfeekgjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibadoc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpqgqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjlmdmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjejdglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjambg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apmhbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqhfhjhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfckjnjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkbddo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oapljmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hppedpkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnodmijd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpiobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddbbngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emjgcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdklebje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nneboemj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eofgioah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichkpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okmpqjad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgncff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnehdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldbbjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldblon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghiogkfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjdbda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqopqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjcjpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbahb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfdojfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbnpja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpgkeodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iikmlnae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmdlflki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnehgmob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmhbplf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agfpoqog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbbefafp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmifcjif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mekmgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdinmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klddlckd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpmajdig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfldap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpnohinj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okpkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moobkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odjeepna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphlpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikcbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkbjchio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hefneq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mplfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlmegd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egelgoah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iickdgpb.exe -
Executes dropped EXE 64 IoCs
pid Process 4780 Hkaeih32.exe 3076 Klddlckd.exe 3436 Laffpi32.exe 324 Lcjldk32.exe 1216 Mepnaf32.exe 680 Mllccpfj.exe 2456 Nlcidopb.exe 4120 Okmpqjad.exe 2180 Ooangh32.exe 1720 Qfgfpp32.exe 2452 Abemep32.exe 3172 Bihhhi32.exe 5016 Cidgdg32.exe 4976 Cmgjee32.exe 3356 Dgfdojfm.exe 3524 Fgncff32.exe 4588 Gphddlfp.exe 3632 Hnehdo32.exe 1064 Hmmakk32.exe 2520 Iebfmfdg.exe 4384 Kdjhkp32.exe 4468 Lhadgmge.exe 4024 Ndfanlpi.exe 1448 Naaghoik.exe 1940 Pgoigcip.exe 4908 Pfpidk32.exe 644 Akfdcq32.exe 1232 Agobna32.exe 4504 Bngfli32.exe 2524 Cbihmg32.exe 1976 Clffalkf.exe 4016 Defajqko.exe 2120 Eldbbjof.exe 4928 Jfjakgpa.exe 2308 Lmiljn32.exe 3120 Mjdbda32.exe 3408 Mmdlflki.exe 968 Nfdfoala.exe 1432 Opfnne32.exe 1360 Okpkgm32.exe 3668 Pdklebje.exe 2888 Phmnfp32.exe 564 Pnjgog32.exe 2548 Qkqdnkge.exe 3088 Akjgdjoj.exe 776 Bqpbboeg.exe 4936 Bbpolb32.exe 1812 Cjfclcpg.exe 4648 Decmjjie.exe 4220 Dlmegd32.exe 3768 Ebpqjmpd.exe 1808 Ejnbdp32.exe 4944 Fhbbmc32.exe 1860 Foqdem32.exe 2392 Facjlhil.exe 524 Gkqhpmkg.exe 1460 Hhiaepfl.exe 2228 Hkaqgjme.exe 2704 Ijigfaol.exe 1608 Jlafhkfe.exe 4724 Jjefao32.exe 3592 Kkkldg32.exe 972 Mldhacpj.exe 4436 Njahki32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gphddlfp.exe Fgncff32.exe File opened for modification C:\Windows\SysWOW64\Enigjh32.exe Egelgoah.exe File created C:\Windows\SysWOW64\Bpibai32.dll Cbnpja32.exe File created C:\Windows\SysWOW64\Jleicg32.exe Jidpblik.exe File opened for modification C:\Windows\SysWOW64\Ogndki32.exe Nnfpbcbf.exe File created C:\Windows\SysWOW64\Bpodhf32.exe Agfpoqog.exe File created C:\Windows\SysWOW64\Eoepohml.exe Dhdaao32.exe File opened for modification C:\Windows\SysWOW64\Mjidpa32.exe Mhjhfnma.exe File created C:\Windows\SysWOW64\Qdmdjkpo.dll Fgncff32.exe File created C:\Windows\SysWOW64\Dcegdd32.dll Akccje32.exe File opened for modification C:\Windows\SysWOW64\Lopmbomp.exe Lnnakg32.exe File created C:\Windows\SysWOW64\Fbbjeame.dll Cpbgnlfo.exe File created C:\Windows\SysWOW64\Ibojgikg.exe Ipnaen32.exe File created C:\Windows\SysWOW64\Gnhmbo32.dll Lmkfah32.exe File created C:\Windows\SysWOW64\Hnfafpfd.exe Hbhjqp32.exe File created C:\Windows\SysWOW64\Lfgnkgbf.exe Lpneom32.exe File created C:\Windows\SysWOW64\Qaofphbd.exe Pcepdl32.exe File created C:\Windows\SysWOW64\Oapljmgm.exe Ojfcmc32.exe File opened for modification C:\Windows\SysWOW64\Bqpbboeg.exe Akjgdjoj.exe File created C:\Windows\SysWOW64\Meeefc32.dll Gdqgfbop.exe File created C:\Windows\SysWOW64\Kbceoped.exe Kfjhdobb.exe File created C:\Windows\SysWOW64\Jfnnap32.dll Ihpgda32.exe File opened for modification C:\Windows\SysWOW64\Glbakchp.exe Gffhbljh.exe File created C:\Windows\SysWOW64\Abkkheak.dll Lopmbomp.exe File created C:\Windows\SysWOW64\Fglalp32.dll Bddcocff.exe File opened for modification C:\Windows\SysWOW64\Caagofme.exe Cocjbkna.exe File created C:\Windows\SysWOW64\Dahmoefm.exe Dnjdigpf.exe File created C:\Windows\SysWOW64\Dgeegled.exe Dahmoefm.exe File opened for modification C:\Windows\SysWOW64\Fjcjpb32.exe Ejhkdc32.exe File created C:\Windows\SysWOW64\Mqnbmp32.dll Dcdnce32.exe File opened for modification C:\Windows\SysWOW64\Gdaomobj.exe Gbabblkg.exe File created C:\Windows\SysWOW64\Cgofoamj.dll Odjeepna.exe File created C:\Windows\SysWOW64\Gdlgjg32.dll Iiipfnch.exe File opened for modification C:\Windows\SysWOW64\Chibfa32.exe Cdkipb32.exe File created C:\Windows\SysWOW64\Lllaqn32.exe Lpeplmha.exe File created C:\Windows\SysWOW64\Elojej32.exe Cipebqij.exe File created C:\Windows\SysWOW64\Ganikk32.dll Ddbbngjb.exe File created C:\Windows\SysWOW64\Agglld32.exe Aancojgn.exe File created C:\Windows\SysWOW64\Ihpgda32.exe Iacbbh32.exe File opened for modification C:\Windows\SysWOW64\Fbkblb32.exe Eojijg32.exe File created C:\Windows\SysWOW64\Nagojbeb.dll Jbbfnlpk.exe File created C:\Windows\SysWOW64\Mbqkfhfh.exe Lihfmb32.exe File created C:\Windows\SysWOW64\Connnnid.dll Iaekfjje.exe File created C:\Windows\SysWOW64\Hkaqgjme.exe Hhiaepfl.exe File opened for modification C:\Windows\SysWOW64\Djoohk32.exe Cdfgdf32.exe File opened for modification C:\Windows\SysWOW64\Aedfdjdl.exe Ajoagadf.exe File created C:\Windows\SysWOW64\Bmaejnbe.dll Miomnaip.exe File opened for modification C:\Windows\SysWOW64\Fpjcpbdn.exe Fmikoggm.exe File created C:\Windows\SysWOW64\Iffadlme.dll Hblkddmn.exe File created C:\Windows\SysWOW64\Okkiocmc.dll Lnnakg32.exe File opened for modification C:\Windows\SysWOW64\Dnjdigpf.exe Cdpckbli.exe File opened for modification C:\Windows\SysWOW64\Dgfdojfm.exe Cmgjee32.exe File created C:\Windows\SysWOW64\Jfaenqjm.exe Jlkaahjg.exe File created C:\Windows\SysWOW64\Nneboemj.exe Mebkbi32.exe File opened for modification C:\Windows\SysWOW64\Iickdgpb.exe Ihlechfj.exe File opened for modification C:\Windows\SysWOW64\Oookbega.exe Oeffip32.exe File created C:\Windows\SysWOW64\Gbabblkg.exe Glbakchp.exe File created C:\Windows\SysWOW64\Kaadhg32.dll Palbpb32.exe File created C:\Windows\SysWOW64\Bdamofii.dll Pdenghpi.exe File opened for modification C:\Windows\SysWOW64\Kpgdjo32.exe Koggqlmo.exe File created C:\Windows\SysWOW64\Mjdmlonn.dll Bihhhi32.exe File created C:\Windows\SysWOW64\Fchjfl32.dll Clffalkf.exe File created C:\Windows\SysWOW64\Aoifoa32.exe Qofjjb32.exe File opened for modification C:\Windows\SysWOW64\Bhqmdoef.exe Bbgehd32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdlcbjfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjeblqjn.dll" Amfqikko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhafak32.dll" Iliihipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almblpfa.dll" Lqikfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjljnoam.dll" Mkeeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnhek32.dll" Gpimflqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkaeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejcm32.dll" Cipebqij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keakqeal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphigedp.dll" Dlmegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgahnjpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aabafkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akjgdjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pppoeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdeqaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqphkjmi.dll" Jfaenqjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agglld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnehdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Decmjjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafphi32.dll" Hfnpacjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkbkna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkiocmc.dll" Lnnakg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cipebqij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbqkfhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajeami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkmck32.dll" Fhbbmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfap32.dll" Fmikoggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegboa32.dll" Glbakchp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcfphn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmfbjni.dll" Bdmpljlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colqno32.dll" Qhlkbaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgilfl32.dll" Jidpblik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagqiofj.dll" Gpodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcpkmlpo.dll" Boabkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgaookkg.dll" Lcfphn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eldbbjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmloamf.dll" Hpgkeodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ageofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpfonnab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbchkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okeinn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajoagadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccqdo32.dll" Mbchkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghgcbpfq.dll" Hckeikcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njpjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccldb32.dll" Hbhjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpiejkql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdaomobj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmobdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peahpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfcebf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aabafkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmgean32.dll" Koggqlmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhiaepfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mebkbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjambg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfgnkgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaiiffjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njpjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkakncg.dll" Mllccpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Faakickc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnfafpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjkmhblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoihadd.dll" Cnodmijd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2992 wrote to memory of 4780 2992 0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010_NeikiAnalytics.exe 90 PID 2992 wrote to memory of 4780 2992 0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010_NeikiAnalytics.exe 90 PID 2992 wrote to memory of 4780 2992 0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010_NeikiAnalytics.exe 90 PID 4780 wrote to memory of 3076 4780 Hkaeih32.exe 91 PID 4780 wrote to memory of 3076 4780 Hkaeih32.exe 91 PID 4780 wrote to memory of 3076 4780 Hkaeih32.exe 91 PID 3076 wrote to memory of 3436 3076 Klddlckd.exe 92 PID 3076 wrote to memory of 3436 3076 Klddlckd.exe 92 PID 3076 wrote to memory of 3436 3076 Klddlckd.exe 92 PID 3436 wrote to memory of 324 3436 Laffpi32.exe 93 PID 3436 wrote to memory of 324 3436 Laffpi32.exe 93 PID 3436 wrote to memory of 324 3436 Laffpi32.exe 93 PID 324 wrote to memory of 1216 324 Lcjldk32.exe 94 PID 324 wrote to memory of 1216 324 Lcjldk32.exe 94 PID 324 wrote to memory of 1216 324 Lcjldk32.exe 94 PID 1216 wrote to memory of 680 1216 Mepnaf32.exe 95 PID 1216 wrote to memory of 680 1216 Mepnaf32.exe 95 PID 1216 wrote to memory of 680 1216 Mepnaf32.exe 95 PID 680 wrote to memory of 2456 680 Mllccpfj.exe 96 PID 680 wrote to memory of 2456 680 Mllccpfj.exe 96 PID 680 wrote to memory of 2456 680 Mllccpfj.exe 96 PID 2456 wrote to memory of 4120 2456 Nlcidopb.exe 97 PID 2456 wrote to memory of 4120 2456 Nlcidopb.exe 97 PID 2456 wrote to memory of 4120 2456 Nlcidopb.exe 97 PID 4120 wrote to memory of 2180 4120 Okmpqjad.exe 98 PID 4120 wrote to memory of 2180 4120 Okmpqjad.exe 98 PID 4120 wrote to memory of 2180 4120 Okmpqjad.exe 98 PID 2180 wrote to memory of 1720 2180 Ooangh32.exe 99 PID 2180 wrote to memory of 1720 2180 Ooangh32.exe 99 PID 2180 wrote to memory of 1720 2180 Ooangh32.exe 99 PID 1720 wrote to memory of 2452 1720 Qfgfpp32.exe 100 PID 1720 wrote to memory of 2452 1720 Qfgfpp32.exe 100 PID 1720 wrote to memory of 2452 1720 Qfgfpp32.exe 100 PID 2452 wrote to memory of 3172 2452 Abemep32.exe 102 PID 2452 wrote to memory of 3172 2452 Abemep32.exe 102 PID 2452 wrote to memory of 3172 2452 Abemep32.exe 102 PID 3172 wrote to memory of 5016 3172 Bihhhi32.exe 104 PID 3172 wrote to memory of 5016 3172 Bihhhi32.exe 104 PID 3172 wrote to memory of 5016 3172 Bihhhi32.exe 104 PID 5016 wrote to memory of 4976 5016 Cidgdg32.exe 105 PID 5016 wrote to memory of 4976 5016 Cidgdg32.exe 105 PID 5016 wrote to memory of 4976 5016 Cidgdg32.exe 105 PID 4976 wrote to memory of 3356 4976 Cmgjee32.exe 106 PID 4976 wrote to memory of 3356 4976 Cmgjee32.exe 106 PID 4976 wrote to memory of 3356 4976 Cmgjee32.exe 106 PID 3356 wrote to memory of 3524 3356 Dgfdojfm.exe 107 PID 3356 wrote to memory of 3524 3356 Dgfdojfm.exe 107 PID 3356 wrote to memory of 3524 3356 Dgfdojfm.exe 107 PID 3524 wrote to memory of 4588 3524 Fgncff32.exe 108 PID 3524 wrote to memory of 4588 3524 Fgncff32.exe 108 PID 3524 wrote to memory of 4588 3524 Fgncff32.exe 108 PID 4588 wrote to memory of 3632 4588 Gphddlfp.exe 109 PID 4588 wrote to memory of 3632 4588 Gphddlfp.exe 109 PID 4588 wrote to memory of 3632 4588 Gphddlfp.exe 109 PID 3632 wrote to memory of 1064 3632 Hnehdo32.exe 110 PID 3632 wrote to memory of 1064 3632 Hnehdo32.exe 110 PID 3632 wrote to memory of 1064 3632 Hnehdo32.exe 110 PID 1064 wrote to memory of 2520 1064 Hmmakk32.exe 111 PID 1064 wrote to memory of 2520 1064 Hmmakk32.exe 111 PID 1064 wrote to memory of 2520 1064 Hmmakk32.exe 111 PID 2520 wrote to memory of 4384 2520 Iebfmfdg.exe 112 PID 2520 wrote to memory of 4384 2520 Iebfmfdg.exe 112 PID 2520 wrote to memory of 4384 2520 Iebfmfdg.exe 112 PID 4384 wrote to memory of 4468 4384 Kdjhkp32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0bc0ddb68212734e24eb379adb373afdd5ee4813a96965268995550924dc0010_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Lcjldk32.exeC:\Windows\system32\Lcjldk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Mepnaf32.exeC:\Windows\system32\Mepnaf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Mllccpfj.exeC:\Windows\system32\Mllccpfj.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\Nlcidopb.exeC:\Windows\system32\Nlcidopb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Okmpqjad.exeC:\Windows\system32\Okmpqjad.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Qfgfpp32.exeC:\Windows\system32\Qfgfpp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Cidgdg32.exeC:\Windows\system32\Cidgdg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Hnehdo32.exeC:\Windows\system32\Hnehdo32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Hmmakk32.exeC:\Windows\system32\Hmmakk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Iebfmfdg.exeC:\Windows\system32\Iebfmfdg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Lhadgmge.exeC:\Windows\system32\Lhadgmge.exe23⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Ndfanlpi.exeC:\Windows\system32\Ndfanlpi.exe24⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Naaghoik.exeC:\Windows\system32\Naaghoik.exe25⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Pgoigcip.exeC:\Windows\system32\Pgoigcip.exe26⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Pfpidk32.exeC:\Windows\system32\Pfpidk32.exe27⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Akfdcq32.exeC:\Windows\system32\Akfdcq32.exe28⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Agobna32.exeC:\Windows\system32\Agobna32.exe29⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe30⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe31⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Clffalkf.exeC:\Windows\system32\Clffalkf.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Defajqko.exeC:\Windows\system32\Defajqko.exe33⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Eldbbjof.exeC:\Windows\system32\Eldbbjof.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Jfjakgpa.exeC:\Windows\system32\Jfjakgpa.exe35⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Lmiljn32.exeC:\Windows\system32\Lmiljn32.exe36⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Mjdbda32.exeC:\Windows\system32\Mjdbda32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Mmdlflki.exeC:\Windows\system32\Mmdlflki.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Nfdfoala.exeC:\Windows\system32\Nfdfoala.exe39⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Opfnne32.exeC:\Windows\system32\Opfnne32.exe40⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Okpkgm32.exeC:\Windows\system32\Okpkgm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Pdklebje.exeC:\Windows\system32\Pdklebje.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Phmnfp32.exeC:\Windows\system32\Phmnfp32.exe43⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Pnjgog32.exeC:\Windows\system32\Pnjgog32.exe44⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Qkqdnkge.exeC:\Windows\system32\Qkqdnkge.exe45⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe47⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Bbpolb32.exeC:\Windows\system32\Bbpolb32.exe48⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Cjfclcpg.exeC:\Windows\system32\Cjfclcpg.exe49⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Decmjjie.exeC:\Windows\system32\Decmjjie.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4648 -
C:\Windows\SysWOW64\Dlmegd32.exeC:\Windows\system32\Dlmegd32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4220 -
C:\Windows\SysWOW64\Ebpqjmpd.exeC:\Windows\system32\Ebpqjmpd.exe52⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Ejnbdp32.exeC:\Windows\system32\Ejnbdp32.exe53⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Fhbbmc32.exeC:\Windows\system32\Fhbbmc32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4944 -
C:\Windows\SysWOW64\Foqdem32.exeC:\Windows\system32\Foqdem32.exe55⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Facjlhil.exeC:\Windows\system32\Facjlhil.exe56⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Gkqhpmkg.exeC:\Windows\system32\Gkqhpmkg.exe57⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Hhiaepfl.exeC:\Windows\system32\Hhiaepfl.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Hkaqgjme.exeC:\Windows\system32\Hkaqgjme.exe59⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ijigfaol.exeC:\Windows\system32\Ijigfaol.exe60⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Jlafhkfe.exeC:\Windows\system32\Jlafhkfe.exe61⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Jjefao32.exeC:\Windows\system32\Jjefao32.exe62⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Kkkldg32.exeC:\Windows\system32\Kkkldg32.exe63⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Mldhacpj.exeC:\Windows\system32\Mldhacpj.exe64⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Njahki32.exeC:\Windows\system32\Njahki32.exe65⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Pphlpl32.exeC:\Windows\system32\Pphlpl32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3924 -
C:\Windows\SysWOW64\Agfnhf32.exeC:\Windows\system32\Agfnhf32.exe67⤵PID:2784
-
C:\Windows\SysWOW64\Bpkbmi32.exeC:\Windows\system32\Bpkbmi32.exe68⤵PID:4984
-
C:\Windows\SysWOW64\Bkglkapo.exeC:\Windows\system32\Bkglkapo.exe69⤵PID:1836
-
C:\Windows\SysWOW64\Bnehgmob.exeC:\Windows\system32\Bnehgmob.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3804 -
C:\Windows\SysWOW64\Cdfgdf32.exeC:\Windows\system32\Cdfgdf32.exe71⤵
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Djoohk32.exeC:\Windows\system32\Djoohk32.exe72⤵PID:3076
-
C:\Windows\SysWOW64\Egelgoah.exeC:\Windows\system32\Egelgoah.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Enigjh32.exeC:\Windows\system32\Enigjh32.exe74⤵PID:2208
-
C:\Windows\SysWOW64\Neeifa32.exeC:\Windows\system32\Neeifa32.exe75⤵PID:4788
-
C:\Windows\SysWOW64\Pppoeg32.exeC:\Windows\system32\Pppoeg32.exe76⤵
- Modifies registry class
PID:3744 -
C:\Windows\SysWOW64\Pimmil32.exeC:\Windows\system32\Pimmil32.exe77⤵PID:3176
-
C:\Windows\SysWOW64\Qfanbpjg.exeC:\Windows\system32\Qfanbpjg.exe78⤵PID:784
-
C:\Windows\SysWOW64\Aidcjk32.exeC:\Windows\system32\Aidcjk32.exe79⤵PID:324
-
C:\Windows\SysWOW64\Abmhbplf.exeC:\Windows\system32\Abmhbplf.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1844 -
C:\Windows\SysWOW64\Amblpikl.exeC:\Windows\system32\Amblpikl.exe81⤵PID:3404
-
C:\Windows\SysWOW64\Bidlqhgc.exeC:\Windows\system32\Bidlqhgc.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4668 -
C:\Windows\SysWOW64\Ejhkdc32.exeC:\Windows\system32\Ejhkdc32.exe83⤵
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Fjcjpb32.exeC:\Windows\system32\Fjcjpb32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4412 -
C:\Windows\SysWOW64\Gmpcmkaa.exeC:\Windows\system32\Gmpcmkaa.exe85⤵PID:1464
-
C:\Windows\SysWOW64\Hmifcjif.exeC:\Windows\system32\Hmifcjif.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4316 -
C:\Windows\SysWOW64\Ldblon32.exeC:\Windows\system32\Ldblon32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3284 -
C:\Windows\SysWOW64\Ogoncd32.exeC:\Windows\system32\Ogoncd32.exe88⤵PID:2540
-
C:\Windows\SysWOW64\Aldeap32.exeC:\Windows\system32\Aldeap32.exe89⤵PID:4184
-
C:\Windows\SysWOW64\Blnhgn32.exeC:\Windows\system32\Blnhgn32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:232 -
C:\Windows\SysWOW64\Bbhqdhnm.exeC:\Windows\system32\Bbhqdhnm.exe91⤵PID:432
-
C:\Windows\SysWOW64\Biaiqb32.exeC:\Windows\system32\Biaiqb32.exe92⤵PID:4324
-
C:\Windows\SysWOW64\Bifblbad.exeC:\Windows\system32\Bifblbad.exe93⤵PID:4304
-
C:\Windows\SysWOW64\Cpbgnlfo.exeC:\Windows\system32\Cpbgnlfo.exe94⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Caimachg.exeC:\Windows\system32\Caimachg.exe95⤵PID:1824
-
C:\Windows\SysWOW64\Cipebqij.exeC:\Windows\system32\Cipebqij.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Elojej32.exeC:\Windows\system32\Elojej32.exe97⤵PID:4512
-
C:\Windows\SysWOW64\Eqopqh32.exeC:\Windows\system32\Eqopqh32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3544 -
C:\Windows\SysWOW64\Fcbehbim.exeC:\Windows\system32\Fcbehbim.exe99⤵PID:4340
-
C:\Windows\SysWOW64\Fjlmdmqj.exeC:\Windows\system32\Fjlmdmqj.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3824 -
C:\Windows\SysWOW64\Hifmhf32.exeC:\Windows\system32\Hifmhf32.exe101⤵PID:4540
-
C:\Windows\SysWOW64\Hppedpkf.exeC:\Windows\system32\Hppedpkf.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Hpgkeodo.exeC:\Windows\system32\Hpgkeodo.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Icgqqmib.exeC:\Windows\system32\Icgqqmib.exe104⤵PID:3248
-
C:\Windows\SysWOW64\Iidiidgj.exeC:\Windows\system32\Iidiidgj.exe105⤵PID:4424
-
C:\Windows\SysWOW64\Ipnaen32.exeC:\Windows\system32\Ipnaen32.exe106⤵
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\Ibojgikg.exeC:\Windows\system32\Ibojgikg.exe107⤵PID:4940
-
C:\Windows\SysWOW64\Iapjeq32.exeC:\Windows\system32\Iapjeq32.exe108⤵PID:2344
-
C:\Windows\SysWOW64\Jikojcaa.exeC:\Windows\system32\Jikojcaa.exe109⤵PID:4928
-
C:\Windows\SysWOW64\Jjoeoedo.exeC:\Windows\system32\Jjoeoedo.exe110⤵PID:4624
-
C:\Windows\SysWOW64\Jkaadebl.exeC:\Windows\system32\Jkaadebl.exe111⤵PID:264
-
C:\Windows\SysWOW64\Jdjfmjhm.exeC:\Windows\system32\Jdjfmjhm.exe112⤵PID:3768
-
C:\Windows\SysWOW64\Kdlcbjfj.exeC:\Windows\system32\Kdlcbjfj.exe113⤵
- Modifies registry class
PID:3816 -
C:\Windows\SysWOW64\Kmegkp32.exeC:\Windows\system32\Kmegkp32.exe114⤵PID:4912
-
C:\Windows\SysWOW64\Kdophj32.exeC:\Windows\system32\Kdophj32.exe115⤵PID:2388
-
C:\Windows\SysWOW64\Ldmlih32.exeC:\Windows\system32\Ldmlih32.exe116⤵PID:4404
-
C:\Windows\SysWOW64\Lpcmoi32.exeC:\Windows\system32\Lpcmoi32.exe117⤵PID:656
-
C:\Windows\SysWOW64\Lkiqla32.exeC:\Windows\system32\Lkiqla32.exe118⤵PID:4016
-
C:\Windows\SysWOW64\Ncpelbap.exeC:\Windows\system32\Ncpelbap.exe119⤵PID:1224
-
C:\Windows\SysWOW64\Okeinn32.exeC:\Windows\system32\Okeinn32.exe120⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ocqncp32.exeC:\Windows\system32\Ocqncp32.exe121⤵PID:1272
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-