Analysis
-
max time kernel
136s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2024, 20:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05df3a1d1025c1af94cef828257e14298cbcb439942b4597664df611c3df76fe_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
05df3a1d1025c1af94cef828257e14298cbcb439942b4597664df611c3df76fe_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
05df3a1d1025c1af94cef828257e14298cbcb439942b4597664df611c3df76fe_NeikiAnalytics.exe
-
Size
256KB
-
MD5
e9f6eef37fe4be1827d53d66506065a0
-
SHA1
342a299e53c470a6cb8dd62c6cf1dc36214e1b70
-
SHA256
05df3a1d1025c1af94cef828257e14298cbcb439942b4597664df611c3df76fe
-
SHA512
d114cc366c44a7afcf62474d5d264853d52250ebe46f48c2e756fd4d40ce00dcc861fd15f8b15764b82c48127fc7a166d0aa141d2831bdaf0f847efd54ac1c21
-
SSDEEP
6144:/Kc25wiv99C81NByvZ6Mxv5Rar3O6B9fZSLhZmzbBy9:yNTV9C8HByvNv54B9f01ZmHBy9
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjohi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmddihfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkhfmdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fefjanml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dilmeida.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhoahh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcaqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdkhq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalpigkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Calfpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dggkipii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjebiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqjbddpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgihanii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebfign32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmima32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debnjgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhogamih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfbbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgbfhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqoloc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famhmfkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flaiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqfcbahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjdbda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cegnol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjkcadp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halhfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iagqgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndnnianm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pddokabk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdiamnpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebifmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gngeik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flekihpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibgdlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnenlka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aecbge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elilmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkadlcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbknhqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjcmngnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbebilli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kebodc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keghocao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eipilmgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdbda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddqbbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdjfohjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgqpkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imknli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfhlpnfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejgbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekclnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpmomo32.exe -
Executes dropped EXE 64 IoCs
pid Process 1876 Iojbpo32.exe 4488 Ilcldb32.exe 3604 Jpenfp32.exe 4764 Jokkgl32.exe 4248 Klcekpdo.exe 3996 Klfaapbl.exe 4520 Kjjbjd32.exe 620 Kcbfcigf.exe 2540 Loighj32.exe 2268 Lfeljd32.exe 1728 Nqmfdj32.exe 4848 Nnafno32.exe 4924 Nfohgqlg.exe 2608 Nadleilm.exe 4632 Njmqnobn.exe 3692 Nceefd32.exe 2468 Ojfcdnjc.exe 3904 Pnfiplog.exe 1132 Pccahbmn.exe 2876 Pmlfqh32.exe 4552 Phfcipoo.exe 2780 Qhhpop32.exe 3880 Qhjmdp32.exe 996 Qpeahb32.exe 4324 Ahofoogd.exe 5016 Apjkcadp.exe 3276 Akblfj32.exe 5076 Aaldccip.exe 2348 Akdilipp.exe 4308 Apaadpng.exe 4436 Bpdnjple.exe 3384 Bogkmgba.exe 1448 Bpkdjofm.exe 4904 Bnoddcef.exe 4592 Ckgohf32.exe 3056 Dddllkbf.exe 1036 Dojqjdbl.exe 3660 Damfao32.exe 1544 Dhgonidg.exe 1564 Enfckp32.exe 2960 Edplhjhi.exe 1828 Eklajcmc.exe 2784 Ebfign32.exe 3844 Ehpadhll.exe 2600 Ebifmm32.exe 4620 Egened32.exe 4028 Ekcgkb32.exe 3884 Figgdg32.exe 4328 Fkofga32.exe 964 Gpmomo32.exe 4604 Gkdpbpih.exe 3132 Gaqhjggp.exe 1232 Gpaihooo.exe 4776 Gijmad32.exe 4612 Gngeik32.exe 4344 Hnibokbd.exe 696 Hlmchoan.exe 4640 Hiacacpg.exe 3964 Halhfe32.exe 3776 Hpmhdmea.exe 1844 Haodle32.exe 3888 Ihkjno32.exe 1472 Iacngdgj.exe 3836 Ihmfco32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lfeljd32.exe Loighj32.exe File opened for modification C:\Windows\SysWOW64\Mdddhlbl.exe Mmjlkb32.exe File created C:\Windows\SysWOW64\Eejcki32.exe Eblgon32.exe File opened for modification C:\Windows\SysWOW64\Eldlhckj.exe Eejcki32.exe File created C:\Windows\SysWOW64\Pddlig32.dll Hjaioe32.exe File created C:\Windows\SysWOW64\Kipiefce.dll Apngjd32.exe File created C:\Windows\SysWOW64\Mknlef32.exe Mdddhlbl.exe File created C:\Windows\SysWOW64\Flghognq.exe Fempbm32.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Ahofoogd.exe File created C:\Windows\SysWOW64\Gcfjfqah.exe Gllajf32.exe File opened for modification C:\Windows\SysWOW64\Lhopgg32.exe Ladhkmno.exe File created C:\Windows\SysWOW64\Kaalbnpg.dll Ginenk32.exe File created C:\Windows\SysWOW64\Mhjpceko.exe Mapgfk32.exe File created C:\Windows\SysWOW64\Ilcldb32.exe Iojbpo32.exe File created C:\Windows\SysWOW64\Pnfiplog.exe Ojfcdnjc.exe File created C:\Windows\SysWOW64\Bfmpaf32.dll Objkmkjj.exe File created C:\Windows\SysWOW64\Pjjfdfbb.exe Pcpnhl32.exe File opened for modification C:\Windows\SysWOW64\Hqkjaifk.exe Hnmnengg.exe File created C:\Windows\SysWOW64\Oenmdg32.dll Aecbge32.exe File created C:\Windows\SysWOW64\Dilmeida.exe Djklgb32.exe File created C:\Windows\SysWOW64\Oeeape32.dll Bpdnjple.exe File created C:\Windows\SysWOW64\Fooqlnoa.dll Lhmafcnf.exe File created C:\Windows\SysWOW64\Dkdeofjc.dll Icefib32.exe File created C:\Windows\SysWOW64\Hladlc32.exe Hokgmpkl.exe File created C:\Windows\SysWOW64\Mhmmieil.exe Mhjpceko.exe File created C:\Windows\SysWOW64\Dddllkbf.exe Ckgohf32.exe File created C:\Windows\SysWOW64\Flcmpceo.dll Mkocol32.exe File created C:\Windows\SysWOW64\Kcblbn32.dll Ijonfmbn.exe File created C:\Windows\SysWOW64\Hhcajd32.dll Ladhkmno.exe File created C:\Windows\SysWOW64\Oedeli32.dll Lhcjbfag.exe File created C:\Windows\SysWOW64\Haodle32.exe Hpmhdmea.exe File opened for modification C:\Windows\SysWOW64\Nkjckkcg.exe Ndpjnq32.exe File created C:\Windows\SysWOW64\Lndfchdj.exe Ldoafodd.exe File created C:\Windows\SysWOW64\Obnnnc32.exe Ollljmhg.exe File opened for modification C:\Windows\SysWOW64\Dndlba32.exe Cgjcfgoa.exe File created C:\Windows\SysWOW64\Inopfb32.dll Mmbopm32.exe File created C:\Windows\SysWOW64\Nadleilm.exe Nfohgqlg.exe File created C:\Windows\SysWOW64\Nalhik32.dll Ckgohf32.exe File created C:\Windows\SysWOW64\Cgfbbb32.exe Bapgdm32.exe File created C:\Windows\SysWOW64\Lennjaej.dll Jegohe32.exe File created C:\Windows\SysWOW64\Lkbmih32.exe Leedqa32.exe File opened for modification C:\Windows\SysWOW64\Gcfjfqah.exe Gllajf32.exe File opened for modification C:\Windows\SysWOW64\Ebfign32.exe Eklajcmc.exe File created C:\Windows\SysWOW64\Cmgilf32.dll Mjnnbk32.exe File opened for modification C:\Windows\SysWOW64\Hqdkkp32.exe Gjkbnfha.exe File created C:\Windows\SysWOW64\Pblcieig.dll Gmfkjl32.exe File opened for modification C:\Windows\SysWOW64\Qhhpop32.exe Phfcipoo.exe File created C:\Windows\SysWOW64\Anafep32.dll Mfkkqmiq.exe File opened for modification C:\Windows\SysWOW64\Nlqloo32.exe Nakhaf32.exe File opened for modification C:\Windows\SysWOW64\Kebodc32.exe Kjmjgk32.exe File opened for modification C:\Windows\SysWOW64\Klfaapbl.exe Klcekpdo.exe File opened for modification C:\Windows\SysWOW64\Koonge32.exe Kolabf32.exe File created C:\Windows\SysWOW64\Hebcao32.exe Hnhkdd32.exe File opened for modification C:\Windows\SysWOW64\Ljoiibbm.exe Lcealh32.exe File created C:\Windows\SysWOW64\Apaadpng.exe Akdilipp.exe File created C:\Windows\SysWOW64\Fnglcqio.exe Flaiho32.exe File opened for modification C:\Windows\SysWOW64\Foakpc32.exe Fbjjkble.exe File created C:\Windows\SysWOW64\Ladhkmno.exe Ljjpnb32.exe File created C:\Windows\SysWOW64\Qfpebmne.dll Lplaaiqd.exe File created C:\Windows\SysWOW64\Flekihpc.exe Fekclnif.exe File created C:\Windows\SysWOW64\Bpdnjple.exe Apaadpng.exe File created C:\Windows\SysWOW64\Mpaqbf32.dll Hiacacpg.exe File created C:\Windows\SysWOW64\Jbccge32.exe Jpegkj32.exe File created C:\Windows\SysWOW64\Pcgdhkem.exe Piapkbeg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5732 5324 WerFault.exe 519 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjfogbjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckafkfkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dggkipii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ephbhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jegohe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgemahmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll" Ebfign32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihaidhgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgbfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeoad32.dll" Eoladdeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpjjpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naegfb32.dll" Mdjjgggk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cghgpgqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpehef32.dll" Gngeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iagqgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jelonkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dcmedk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdjjgggk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgjcfgoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhfcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjcnl32.dll" Hnhkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdlgmgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdjfohjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhmafcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nakhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdodk32.dll" Gllajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Objkmkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fekclnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gcfjfqah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmenm32.dll" Iojkeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dahfkimd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhnhajba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jacpcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nocbfjmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accheolp.dll" Flaiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddehb32.dll" Dlbfmjqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjfoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll" Koajmepf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhmjl32.dll" Pbhgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mapgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll" Lbebilli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aecbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mhmmieil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apleaenp.dll" Eejcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcpchlo.dll" Iojbpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjihfbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apngjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epaemojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nolekd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gllajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll" Kadpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dndlba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjcikejg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmgqpkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkpjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llpqoe32.dll" Pncanhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkoplk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijmhkchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jaefne32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 332 wrote to memory of 1876 332 05df3a1d1025c1af94cef828257e14298cbcb439942b4597664df611c3df76fe_NeikiAnalytics.exe 391 PID 332 wrote to memory of 1876 332 05df3a1d1025c1af94cef828257e14298cbcb439942b4597664df611c3df76fe_NeikiAnalytics.exe 391 PID 332 wrote to memory of 1876 332 05df3a1d1025c1af94cef828257e14298cbcb439942b4597664df611c3df76fe_NeikiAnalytics.exe 391 PID 1876 wrote to memory of 4488 1876 Iojbpo32.exe 469 PID 1876 wrote to memory of 4488 1876 Iojbpo32.exe 469 PID 1876 wrote to memory of 4488 1876 Iojbpo32.exe 469 PID 4488 wrote to memory of 3604 4488 Ilcldb32.exe 94 PID 4488 wrote to memory of 3604 4488 Ilcldb32.exe 94 PID 4488 wrote to memory of 3604 4488 Ilcldb32.exe 94 PID 3604 wrote to memory of 4764 3604 Jpenfp32.exe 407 PID 3604 wrote to memory of 4764 3604 Jpenfp32.exe 407 PID 3604 wrote to memory of 4764 3604 Jpenfp32.exe 407 PID 4764 wrote to memory of 4248 4764 Jokkgl32.exe 96 PID 4764 wrote to memory of 4248 4764 Jokkgl32.exe 96 PID 4764 wrote to memory of 4248 4764 Jokkgl32.exe 96 PID 4248 wrote to memory of 3996 4248 Klcekpdo.exe 97 PID 4248 wrote to memory of 3996 4248 Klcekpdo.exe 97 PID 4248 wrote to memory of 3996 4248 Klcekpdo.exe 97 PID 3996 wrote to memory of 4520 3996 Klfaapbl.exe 98 PID 3996 wrote to memory of 4520 3996 Klfaapbl.exe 98 PID 3996 wrote to memory of 4520 3996 Klfaapbl.exe 98 PID 4520 wrote to memory of 620 4520 Kjjbjd32.exe 99 PID 4520 wrote to memory of 620 4520 Kjjbjd32.exe 99 PID 4520 wrote to memory of 620 4520 Kjjbjd32.exe 99 PID 620 wrote to memory of 2540 620 Kcbfcigf.exe 100 PID 620 wrote to memory of 2540 620 Kcbfcigf.exe 100 PID 620 wrote to memory of 2540 620 Kcbfcigf.exe 100 PID 2540 wrote to memory of 2268 2540 Loighj32.exe 101 PID 2540 wrote to memory of 2268 2540 Loighj32.exe 101 PID 2540 wrote to memory of 2268 2540 Loighj32.exe 101 PID 2268 wrote to memory of 1728 2268 Lfeljd32.exe 102 PID 2268 wrote to memory of 1728 2268 Lfeljd32.exe 102 PID 2268 wrote to memory of 1728 2268 Lfeljd32.exe 102 PID 1728 wrote to memory of 4848 1728 Nqmfdj32.exe 103 PID 1728 wrote to memory of 4848 1728 Nqmfdj32.exe 103 PID 1728 wrote to memory of 4848 1728 Nqmfdj32.exe 103 PID 4848 wrote to memory of 4924 4848 Nnafno32.exe 411 PID 4848 wrote to memory of 4924 4848 Nnafno32.exe 411 PID 4848 wrote to memory of 4924 4848 Nnafno32.exe 411 PID 4924 wrote to memory of 2608 4924 Nfohgqlg.exe 105 PID 4924 wrote to memory of 2608 4924 Nfohgqlg.exe 105 PID 4924 wrote to memory of 2608 4924 Nfohgqlg.exe 105 PID 2608 wrote to memory of 4632 2608 Nadleilm.exe 412 PID 2608 wrote to memory of 4632 2608 Nadleilm.exe 412 PID 2608 wrote to memory of 4632 2608 Nadleilm.exe 412 PID 4632 wrote to memory of 3692 4632 Njmqnobn.exe 438 PID 4632 wrote to memory of 3692 4632 Njmqnobn.exe 438 PID 4632 wrote to memory of 3692 4632 Njmqnobn.exe 438 PID 3692 wrote to memory of 2468 3692 Nceefd32.exe 108 PID 3692 wrote to memory of 2468 3692 Nceefd32.exe 108 PID 3692 wrote to memory of 2468 3692 Nceefd32.exe 108 PID 2468 wrote to memory of 3904 2468 Ojfcdnjc.exe 109 PID 2468 wrote to memory of 3904 2468 Ojfcdnjc.exe 109 PID 2468 wrote to memory of 3904 2468 Ojfcdnjc.exe 109 PID 3904 wrote to memory of 1132 3904 Pnfiplog.exe 110 PID 3904 wrote to memory of 1132 3904 Pnfiplog.exe 110 PID 3904 wrote to memory of 1132 3904 Pnfiplog.exe 110 PID 1132 wrote to memory of 2876 1132 Pccahbmn.exe 111 PID 1132 wrote to memory of 2876 1132 Pccahbmn.exe 111 PID 1132 wrote to memory of 2876 1132 Pccahbmn.exe 111 PID 2876 wrote to memory of 4552 2876 Pmlfqh32.exe 452 PID 2876 wrote to memory of 4552 2876 Pmlfqh32.exe 452 PID 2876 wrote to memory of 4552 2876 Pmlfqh32.exe 452 PID 4552 wrote to memory of 2780 4552 Phfcipoo.exe 431
Processes
-
C:\Users\Admin\AppData\Local\Temp\05df3a1d1025c1af94cef828257e14298cbcb439942b4597664df611c3df76fe_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\05df3a1d1025c1af94cef828257e14298cbcb439942b4597664df611c3df76fe_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Jokkgl32.exeC:\Windows\system32\Jokkgl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Klcekpdo.exeC:\Windows\system32\Klcekpdo.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Kjjbjd32.exeC:\Windows\system32\Kjjbjd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Kcbfcigf.exeC:\Windows\system32\Kcbfcigf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Nnafno32.exeC:\Windows\system32\Nnafno32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Nfohgqlg.exeC:\Windows\system32\Nfohgqlg.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Njmqnobn.exeC:\Windows\system32\Njmqnobn.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Pnfiplog.exeC:\Windows\system32\Pnfiplog.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Pmlfqh32.exeC:\Windows\system32\Pmlfqh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Qhjmdp32.exeC:\Windows\system32\Qhjmdp32.exe24⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4324 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Akblfj32.exeC:\Windows\system32\Akblfj32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3276 -
C:\Windows\SysWOW64\Aaldccip.exeC:\Windows\system32\Aaldccip.exe29⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Apaadpng.exeC:\Windows\system32\Apaadpng.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4308 -
C:\Windows\SysWOW64\Bpdnjple.exeC:\Windows\system32\Bpdnjple.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4436 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe33⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Bpkdjofm.exeC:\Windows\system32\Bpkdjofm.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Bnoddcef.exeC:\Windows\system32\Bnoddcef.exe35⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Ckgohf32.exeC:\Windows\system32\Ckgohf32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4592 -
C:\Windows\SysWOW64\Dddllkbf.exeC:\Windows\system32\Dddllkbf.exe37⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Damfao32.exeC:\Windows\system32\Damfao32.exe39⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Dhgonidg.exeC:\Windows\system32\Dhgonidg.exe40⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe41⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Edplhjhi.exeC:\Windows\system32\Edplhjhi.exe42⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Ebfign32.exeC:\Windows\system32\Ebfign32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe45⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Ebifmm32.exeC:\Windows\system32\Ebifmm32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe47⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Ekcgkb32.exeC:\Windows\system32\Ekcgkb32.exe48⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe49⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe50⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe52⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe53⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Gpaihooo.exeC:\Windows\system32\Gpaihooo.exe54⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe55⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Gngeik32.exeC:\Windows\system32\Gngeik32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4612 -
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe57⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe58⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4640 -
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Hpmhdmea.exeC:\Windows\system32\Hpmhdmea.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3776 -
C:\Windows\SysWOW64\Haodle32.exeC:\Windows\system32\Haodle32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe63⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe64⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Ihmfco32.exeC:\Windows\system32\Ihmfco32.exe65⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Ibcjqgnm.exeC:\Windows\system32\Ibcjqgnm.exe66⤵PID:1208
-
C:\Windows\SysWOW64\Iojkeh32.exeC:\Windows\system32\Iojkeh32.exe67⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe68⤵PID:2940
-
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4584 -
C:\Windows\SysWOW64\Iehmmb32.exeC:\Windows\system32\Iehmmb32.exe70⤵PID:2120
-
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe71⤵PID:4056
-
C:\Windows\SysWOW64\Jpbjfjci.exeC:\Windows\system32\Jpbjfjci.exe72⤵PID:5004
-
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe73⤵
- Drops file in System32 directory
PID:4364 -
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe74⤵PID:4204
-
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe75⤵PID:4956
-
C:\Windows\SysWOW64\Khbiello.exeC:\Windows\system32\Khbiello.exe76⤵PID:3468
-
C:\Windows\SysWOW64\Kolabf32.exeC:\Windows\system32\Kolabf32.exe77⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Koonge32.exeC:\Windows\system32\Koonge32.exe78⤵PID:2080
-
C:\Windows\SysWOW64\Kamjda32.exeC:\Windows\system32\Kamjda32.exe79⤵PID:5144
-
C:\Windows\SysWOW64\Koajmepf.exeC:\Windows\system32\Koajmepf.exe80⤵
- Modifies registry class
PID:5184 -
C:\Windows\SysWOW64\Kiikpnmj.exeC:\Windows\system32\Kiikpnmj.exe81⤵PID:5236
-
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe82⤵
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Lhnhajba.exeC:\Windows\system32\Lhnhajba.exe83⤵
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Lancko32.exeC:\Windows\system32\Lancko32.exe84⤵PID:5372
-
C:\Windows\SysWOW64\Lpochfji.exeC:\Windows\system32\Lpochfji.exe85⤵PID:5416
-
C:\Windows\SysWOW64\Mfkkqmiq.exeC:\Windows\system32\Mfkkqmiq.exe86⤵
- Drops file in System32 directory
PID:5460 -
C:\Windows\SysWOW64\Mjidgkog.exeC:\Windows\system32\Mjidgkog.exe87⤵PID:5508
-
C:\Windows\SysWOW64\Mlhqcgnk.exeC:\Windows\system32\Mlhqcgnk.exe88⤵PID:5556
-
C:\Windows\SysWOW64\Mhoahh32.exeC:\Windows\system32\Mhoahh32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5604 -
C:\Windows\SysWOW64\Mohidbkl.exeC:\Windows\system32\Mohidbkl.exe90⤵PID:5648
-
C:\Windows\SysWOW64\Mjnnbk32.exeC:\Windows\system32\Mjnnbk32.exe91⤵
- Drops file in System32 directory
PID:5692 -
C:\Windows\SysWOW64\Mjpjgj32.exeC:\Windows\system32\Mjpjgj32.exe92⤵PID:5736
-
C:\Windows\SysWOW64\Mqjbddpl.exeC:\Windows\system32\Mqjbddpl.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5780 -
C:\Windows\SysWOW64\Nckkfp32.exeC:\Windows\system32\Nckkfp32.exe94⤵PID:5824
-
C:\Windows\SysWOW64\Nhhdnf32.exeC:\Windows\system32\Nhhdnf32.exe95⤵PID:5868
-
C:\Windows\SysWOW64\Nqoloc32.exeC:\Windows\system32\Nqoloc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5916 -
C:\Windows\SysWOW64\Nfnamjhk.exeC:\Windows\system32\Nfnamjhk.exe97⤵PID:5960
-
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe98⤵PID:6004
-
C:\Windows\SysWOW64\Nmjfodne.exeC:\Windows\system32\Nmjfodne.exe99⤵PID:6048
-
C:\Windows\SysWOW64\Ocdnln32.exeC:\Windows\system32\Ocdnln32.exe100⤵PID:6092
-
C:\Windows\SysWOW64\Ojnfihmo.exeC:\Windows\system32\Ojnfihmo.exe101⤵PID:6136
-
C:\Windows\SysWOW64\Ommceclc.exeC:\Windows\system32\Ommceclc.exe102⤵PID:5180
-
C:\Windows\SysWOW64\Objkmkjj.exeC:\Windows\system32\Objkmkjj.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Ojemig32.exeC:\Windows\system32\Ojemig32.exe104⤵PID:5300
-
C:\Windows\SysWOW64\Obqanjdb.exeC:\Windows\system32\Obqanjdb.exe105⤵PID:5408
-
C:\Windows\SysWOW64\Oikjkc32.exeC:\Windows\system32\Oikjkc32.exe106⤵PID:5488
-
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe107⤵
- Drops file in System32 directory
PID:5588 -
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe108⤵PID:5644
-
C:\Windows\SysWOW64\Pbekii32.exeC:\Windows\system32\Pbekii32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe110⤵
- Modifies registry class
PID:5772 -
C:\Windows\SysWOW64\Piapkbeg.exeC:\Windows\system32\Piapkbeg.exe111⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Pcgdhkem.exeC:\Windows\system32\Pcgdhkem.exe112⤵PID:5908
-
C:\Windows\SysWOW64\Ppnenlka.exeC:\Windows\system32\Ppnenlka.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5968 -
C:\Windows\SysWOW64\Pjcikejg.exeC:\Windows\system32\Pjcikejg.exe114⤵
- Modifies registry class
PID:6044 -
C:\Windows\SysWOW64\Qfjjpf32.exeC:\Windows\system32\Qfjjpf32.exe115⤵PID:6104
-
C:\Windows\SysWOW64\Qmdblp32.exeC:\Windows\system32\Qmdblp32.exe116⤵PID:2628
-
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe117⤵PID:5304
-
C:\Windows\SysWOW64\Abfdpfaj.exeC:\Windows\system32\Abfdpfaj.exe118⤵PID:5404
-
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe119⤵PID:5544
-
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe120⤵PID:5628
-
C:\Windows\SysWOW64\Bpqjjjjl.exeC:\Windows\system32\Bpqjjjjl.exe121⤵PID:5768
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-