Analysis
-
max time kernel
125s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12-05-2024 05:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
733691daf70ff5e8d6e4a3424e1cd4d0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
733691daf70ff5e8d6e4a3424e1cd4d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
733691daf70ff5e8d6e4a3424e1cd4d0_NeikiAnalytics.exe
-
Size
75KB
-
MD5
733691daf70ff5e8d6e4a3424e1cd4d0
-
SHA1
a53c4f8ddb2e897dafa8f744cb2775c385b2574d
-
SHA256
08a6504ef4a713cfcdfa8d1a0e3cda6cba6f651c8905c6532d42e469e16be876
-
SHA512
9b3310d631adfb4795a593bd5b1dcc9126d3a88339a11bb3ae7bdd09dfd69d3aa17ffff8c50ff0ff62a0e14e681e99f33082de4809a2d3979385aba8932b56e7
-
SSDEEP
1536:nJLQWDfA9OKMk6C17EaWGQLTxNXlO53q52IrFH:GWRKMS7EEQLTxNVg3qv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfcfmlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqoefand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfhmjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biklho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppdbgncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibaeen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Damfao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooclapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fflohaij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamamcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfiokmkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllbaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggnadib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqfbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofjqihnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmcgcmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccppmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmennnni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggnadib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglkoeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhqcgnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgomnai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeelnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnfbcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiokinbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhboolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkmkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqcbpld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joahqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eomffaag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekodjiol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccppmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iohejo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjoif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibgdlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpegkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdbgncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npiiffqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Banjnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmbegqjk.exe -
Executes dropped EXE 64 IoCs
pid Process 4500 Njmhhefi.exe 1112 Nmlddqem.exe 1128 Ndflak32.exe 1288 Nnkpnclp.exe 3152 Nmnqjp32.exe 3496 Oeehkn32.exe 2608 Oloahhki.exe 4348 Omqmop32.exe 4840 Oeheqm32.exe 4168 Ohfami32.exe 3536 Ojdnid32.exe 3096 Oanfen32.exe 4408 Ohhnbhok.exe 1384 Oldjcg32.exe 1984 Oaqbkn32.exe 448 Ohkkhhmh.exe 4064 Ojigdcll.exe 3604 Oeokal32.exe 3148 Olicnfco.exe 3528 Omjpeo32.exe 1972 Peahgl32.exe 2472 Phodcg32.exe 1756 Poimpapp.exe 1696 Pecellgl.exe 1492 Plmmif32.exe 3908 Pmoiqneg.exe 4804 Pefabkej.exe 4600 Ponfka32.exe 224 Pdkoch32.exe 1176 Plbfdekd.exe 676 Pmcclm32.exe 4824 Pldcjeia.exe 1776 Pocpfphe.exe 3516 Qdphngfl.exe 2404 Qhkdof32.exe 3472 Qoelkp32.exe 3980 Qhmqdemc.exe 4024 Amjillkj.exe 1440 Addaif32.exe 1960 Aojefobm.exe 2028 Anmfbl32.exe 4332 Ahbjoe32.exe 4304 Aolblopj.exe 3712 Aajohjon.exe 2952 Adikdfna.exe 3332 Akccap32.exe 4520 Anaomkdb.exe 5116 Aehgnied.exe 2336 Ahgcjddh.exe 2488 Aoalgn32.exe 1504 Aekddhcb.exe 4996 Akglloai.exe 5064 Bochmn32.exe 3704 Blgifbil.exe 2216 Bnhenj32.exe 2604 Badanigc.exe 732 Blielbfi.exe 1096 Bnkbcj32.exe 1780 Bebjdgmj.exe 1996 Bddjpd32.exe 1500 Bllbaa32.exe 3136 Bojomm32.exe 3612 Bahkih32.exe 3864 Bdgged32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pdkoch32.exe Ponfka32.exe File created C:\Windows\SysWOW64\Nlnhqepf.dll Eejeiocj.exe File opened for modification C:\Windows\SysWOW64\Jaajhb32.exe Jocnlg32.exe File created C:\Windows\SysWOW64\Kdohflaf.dll Llqjbhdc.exe File created C:\Windows\SysWOW64\Ghcjeh32.dll Ekmhejao.exe File created C:\Windows\SysWOW64\Eehicoel.exe Ebimgcfi.exe File opened for modification C:\Windows\SysWOW64\Bjfogbjb.exe Bdlfjh32.exe File opened for modification C:\Windows\SysWOW64\Ahbjoe32.exe Anmfbl32.exe File created C:\Windows\SysWOW64\Aolblopj.exe Ahbjoe32.exe File created C:\Windows\SysWOW64\Ndmdae32.dll Hlpfhe32.exe File created C:\Windows\SysWOW64\Iocmhlca.dll Bpcgpihi.exe File created C:\Windows\SysWOW64\Ehkaqc32.dll Iebngial.exe File created C:\Windows\SysWOW64\Kpdjljdk.dll Lckiihok.exe File created C:\Windows\SysWOW64\Iefphb32.exe Ibgdlg32.exe File created C:\Windows\SysWOW64\Hpoejj32.dll Ofjqihnn.exe File created C:\Windows\SysWOW64\Dheibpje.exe Ddjmba32.exe File created C:\Windows\SysWOW64\Dognaofl.dll Kamjda32.exe File created C:\Windows\SysWOW64\Cpacqg32.exe Cmbgdl32.exe File created C:\Windows\SysWOW64\Hkpmpo32.dll Ohhnbhok.exe File opened for modification C:\Windows\SysWOW64\Bheplb32.exe Bffcpg32.exe File opened for modification C:\Windows\SysWOW64\Eofgpikj.exe Emhkdmlg.exe File created C:\Windows\SysWOW64\Oingap32.dll Ahmjjoig.exe File created C:\Windows\SysWOW64\Dpkmal32.exe Dnmaea32.exe File opened for modification C:\Windows\SysWOW64\Lpgmhg32.exe Lhqefjpo.exe File created C:\Windows\SysWOW64\Bffcpg32.exe Bomkcm32.exe File opened for modification C:\Windows\SysWOW64\Cnfkdb32.exe Cglbhhga.exe File opened for modification C:\Windows\SysWOW64\Dpkmal32.exe Dnmaea32.exe File opened for modification C:\Windows\SysWOW64\Nmaciefp.exe Njbgmjgl.exe File created C:\Windows\SysWOW64\Ccppmc32.exe Cpacqg32.exe File created C:\Windows\SysWOW64\Mbibld32.dll Clgbmp32.exe File opened for modification C:\Windows\SysWOW64\Cncnob32.exe Cgifbhid.exe File opened for modification C:\Windows\SysWOW64\Jlbejloe.exe Jidinqpb.exe File opened for modification C:\Windows\SysWOW64\Ilnbicff.exe Iedjmioj.exe File created C:\Windows\SysWOW64\Fmamhbhe.dll Ckjknfnh.exe File created C:\Windows\SysWOW64\Mlofcf32.exe Mjpjgj32.exe File created C:\Windows\SysWOW64\Qjalckog.dll Qoelkp32.exe File created C:\Windows\SysWOW64\Cnnnfkal.dll Ggfglb32.exe File opened for modification C:\Windows\SysWOW64\Jeocna32.exe Joekag32.exe File created C:\Windows\SysWOW64\Bdgged32.exe Bahkih32.exe File opened for modification C:\Windows\SysWOW64\Blqllqqa.exe Bheplb32.exe File created C:\Windows\SysWOW64\Pigbqakg.dll Ekdnei32.exe File created C:\Windows\SysWOW64\Oldjcg32.exe Ohhnbhok.exe File created C:\Windows\SysWOW64\Angdnk32.dll Dmohno32.exe File created C:\Windows\SysWOW64\Ojfcdnjc.exe Oanokhdb.exe File opened for modification C:\Windows\SysWOW64\Ppnenlka.exe Pcgdhkem.exe File opened for modification C:\Windows\SysWOW64\Jmeede32.exe Jenmcggo.exe File created C:\Windows\SysWOW64\Abhemohm.dll Klahfp32.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Bhkfkmmg.exe File opened for modification C:\Windows\SysWOW64\Njbgmjgl.exe Nblolm32.exe File created C:\Windows\SysWOW64\Nbnlaldg.exe Noppeaed.exe File opened for modification C:\Windows\SysWOW64\Amikgpcc.exe Ajjokd32.exe File created C:\Windows\SysWOW64\Dmcain32.exe Digehphc.exe File opened for modification C:\Windows\SysWOW64\Ibaeen32.exe Hlglidlo.exe File opened for modification C:\Windows\SysWOW64\Ghojbq32.exe Gbbajjlp.exe File opened for modification C:\Windows\SysWOW64\Hnnljj32.exe Hlppno32.exe File created C:\Windows\SysWOW64\Fnebjidl.dll Lohqnd32.exe File created C:\Windows\SysWOW64\Ojqhdcii.dll Mlofcf32.exe File created C:\Windows\SysWOW64\Cncijina.dll Oeheqm32.exe File created C:\Windows\SysWOW64\Jlolpq32.exe Jedccfqg.exe File created C:\Windows\SysWOW64\Hhihhecc.dll Bnkbcj32.exe File created C:\Windows\SysWOW64\Bqjoqdcl.dll Cndeii32.exe File created C:\Windows\SysWOW64\Fomnhddq.dll Cacckp32.exe File opened for modification C:\Windows\SysWOW64\Ibcjqgnm.exe Ipdndloi.exe File created C:\Windows\SysWOW64\Ejnnldhi.dll Cpljehpo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13708 13568 WerFault.exe 707 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaofbcjo.dll" Eiahnnph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecipcemb.dll" Fkofga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekellcop.dll" Eohmkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomnmjjb.dll" Bnhenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiqnh32.dll" Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debcil32.dll" Noppeaed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll" Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khlklj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biklho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmfklog.dll" Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onahgf32.dll" Adkqoohc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocgbend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfcklij.dll" Chglab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiahnnph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbhmbdle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocdnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafjpc32.dll" Apnndj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hefnkkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeelnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjpkd32.dll" Fecadghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkgppbgc.dll" Lljdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngqagcag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeheqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpmomo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbiemdb.dll" Nnkpnclp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocgbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkcndeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaonjaj.dll" Ebkbbmqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll" Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll" Pjoppf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qoelkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oihmedma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll" Ekaapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oloahhki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqiibjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddnfmqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll" Mcfbkpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll" Nimmifgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnindhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpfgmnfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgcihgaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pekihfdc.dll" Jimldogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkqgckn.dll" Lgpoihnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llobhg32.dll" Dakikoom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qapnmopa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 660 wrote to memory of 4500 660 733691daf70ff5e8d6e4a3424e1cd4d0_NeikiAnalytics.exe 89 PID 660 wrote to memory of 4500 660 733691daf70ff5e8d6e4a3424e1cd4d0_NeikiAnalytics.exe 89 PID 660 wrote to memory of 4500 660 733691daf70ff5e8d6e4a3424e1cd4d0_NeikiAnalytics.exe 89 PID 4500 wrote to memory of 1112 4500 Njmhhefi.exe 90 PID 4500 wrote to memory of 1112 4500 Njmhhefi.exe 90 PID 4500 wrote to memory of 1112 4500 Njmhhefi.exe 90 PID 1112 wrote to memory of 1128 1112 Nmlddqem.exe 91 PID 1112 wrote to memory of 1128 1112 Nmlddqem.exe 91 PID 1112 wrote to memory of 1128 1112 Nmlddqem.exe 91 PID 1128 wrote to memory of 1288 1128 Ndflak32.exe 92 PID 1128 wrote to memory of 1288 1128 Ndflak32.exe 92 PID 1128 wrote to memory of 1288 1128 Ndflak32.exe 92 PID 1288 wrote to memory of 3152 1288 Nnkpnclp.exe 93 PID 1288 wrote to memory of 3152 1288 Nnkpnclp.exe 93 PID 1288 wrote to memory of 3152 1288 Nnkpnclp.exe 93 PID 3152 wrote to memory of 3496 3152 Nmnqjp32.exe 94 PID 3152 wrote to memory of 3496 3152 Nmnqjp32.exe 94 PID 3152 wrote to memory of 3496 3152 Nmnqjp32.exe 94 PID 3496 wrote to memory of 2608 3496 Oeehkn32.exe 95 PID 3496 wrote to memory of 2608 3496 Oeehkn32.exe 95 PID 3496 wrote to memory of 2608 3496 Oeehkn32.exe 95 PID 2608 wrote to memory of 4348 2608 Oloahhki.exe 96 PID 2608 wrote to memory of 4348 2608 Oloahhki.exe 96 PID 2608 wrote to memory of 4348 2608 Oloahhki.exe 96 PID 4348 wrote to memory of 4840 4348 Omqmop32.exe 97 PID 4348 wrote to memory of 4840 4348 Omqmop32.exe 97 PID 4348 wrote to memory of 4840 4348 Omqmop32.exe 97 PID 4840 wrote to memory of 4168 4840 Oeheqm32.exe 99 PID 4840 wrote to memory of 4168 4840 Oeheqm32.exe 99 PID 4840 wrote to memory of 4168 4840 Oeheqm32.exe 99 PID 4168 wrote to memory of 3536 4168 Ohfami32.exe 100 PID 4168 wrote to memory of 3536 4168 Ohfami32.exe 100 PID 4168 wrote to memory of 3536 4168 Ohfami32.exe 100 PID 3536 wrote to memory of 3096 3536 Ojdnid32.exe 101 PID 3536 wrote to memory of 3096 3536 Ojdnid32.exe 101 PID 3536 wrote to memory of 3096 3536 Ojdnid32.exe 101 PID 3096 wrote to memory of 4408 3096 Oanfen32.exe 103 PID 3096 wrote to memory of 4408 3096 Oanfen32.exe 103 PID 3096 wrote to memory of 4408 3096 Oanfen32.exe 103 PID 4408 wrote to memory of 1384 4408 Ohhnbhok.exe 104 PID 4408 wrote to memory of 1384 4408 Ohhnbhok.exe 104 PID 4408 wrote to memory of 1384 4408 Ohhnbhok.exe 104 PID 1384 wrote to memory of 1984 1384 Oldjcg32.exe 105 PID 1384 wrote to memory of 1984 1384 Oldjcg32.exe 105 PID 1384 wrote to memory of 1984 1384 Oldjcg32.exe 105 PID 1984 wrote to memory of 448 1984 Oaqbkn32.exe 106 PID 1984 wrote to memory of 448 1984 Oaqbkn32.exe 106 PID 1984 wrote to memory of 448 1984 Oaqbkn32.exe 106 PID 448 wrote to memory of 4064 448 Ohkkhhmh.exe 108 PID 448 wrote to memory of 4064 448 Ohkkhhmh.exe 108 PID 448 wrote to memory of 4064 448 Ohkkhhmh.exe 108 PID 4064 wrote to memory of 3604 4064 Ojigdcll.exe 109 PID 4064 wrote to memory of 3604 4064 Ojigdcll.exe 109 PID 4064 wrote to memory of 3604 4064 Ojigdcll.exe 109 PID 3604 wrote to memory of 3148 3604 Oeokal32.exe 110 PID 3604 wrote to memory of 3148 3604 Oeokal32.exe 110 PID 3604 wrote to memory of 3148 3604 Oeokal32.exe 110 PID 3148 wrote to memory of 3528 3148 Olicnfco.exe 111 PID 3148 wrote to memory of 3528 3148 Olicnfco.exe 111 PID 3148 wrote to memory of 3528 3148 Olicnfco.exe 111 PID 3528 wrote to memory of 1972 3528 Omjpeo32.exe 112 PID 3528 wrote to memory of 1972 3528 Omjpeo32.exe 112 PID 3528 wrote to memory of 1972 3528 Omjpeo32.exe 112 PID 1972 wrote to memory of 2472 1972 Peahgl32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\733691daf70ff5e8d6e4a3424e1cd4d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\733691daf70ff5e8d6e4a3424e1cd4d0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Nnkpnclp.exeC:\Windows\system32\Nnkpnclp.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Ohfami32.exeC:\Windows\system32\Ohfami32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe24⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe25⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe26⤵PID:4556
-
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe27⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Pmoiqneg.exeC:\Windows\system32\Pmoiqneg.exe28⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe29⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4600 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe31⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe32⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe34⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe35⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe36⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Qhkdof32.exeC:\Windows\system32\Qhkdof32.exe37⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Qoelkp32.exeC:\Windows\system32\Qoelkp32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3472 -
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe39⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe40⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe42⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4332 -
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe45⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe46⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe47⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe48⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe49⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe50⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe51⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe52⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe53⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe54⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe55⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe56⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe58⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe59⤵
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe62⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Bllbaa32.exeC:\Windows\system32\Bllbaa32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe64⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3612 -
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe66⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4028 -
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe68⤵
- Drops file in System32 directory
PID:5044 -
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe69⤵
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe70⤵
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe71⤵PID:5168
-
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe72⤵PID:5208
-
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe73⤵PID:5244
-
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe74⤵
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe75⤵PID:5336
-
C:\Windows\SysWOW64\Cndeii32.exeC:\Windows\system32\Cndeii32.exe76⤵
- Drops file in System32 directory
PID:5376 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5412 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe78⤵PID:5456
-
C:\Windows\SysWOW64\Cleegp32.exeC:\Windows\system32\Cleegp32.exe79⤵PID:5500
-
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe80⤵PID:5536
-
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe81⤵PID:5584
-
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe82⤵PID:5632
-
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe83⤵
- Drops file in System32 directory
PID:5676 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe84⤵
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\Cbdjeg32.exeC:\Windows\system32\Cbdjeg32.exe85⤵PID:5772
-
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe86⤵PID:5816
-
C:\Windows\SysWOW64\Cnkkjh32.exeC:\Windows\system32\Cnkkjh32.exe87⤵
- Modifies registry class
PID:5860 -
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe88⤵PID:5904
-
C:\Windows\SysWOW64\Dkokcl32.exeC:\Windows\system32\Dkokcl32.exe89⤵PID:5956
-
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe90⤵PID:6000
-
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe91⤵PID:6044
-
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe92⤵
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe93⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe94⤵PID:5156
-
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe95⤵PID:5240
-
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe96⤵
- Drops file in System32 directory
PID:5300 -
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe97⤵PID:5352
-
C:\Windows\SysWOW64\Dkceokii.exeC:\Windows\system32\Dkceokii.exe98⤵PID:5448
-
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe99⤵PID:5528
-
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe100⤵PID:5600
-
C:\Windows\SysWOW64\Dfiildio.exeC:\Windows\system32\Dfiildio.exe101⤵PID:5672
-
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe102⤵
- Drops file in System32 directory
PID:5752 -
C:\Windows\SysWOW64\Dmcain32.exeC:\Windows\system32\Dmcain32.exe103⤵PID:5812
-
C:\Windows\SysWOW64\Doaneiop.exeC:\Windows\system32\Doaneiop.exe104⤵PID:5888
-
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe105⤵PID:5988
-
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe106⤵PID:6036
-
C:\Windows\SysWOW64\Ddnfmqng.exeC:\Windows\system32\Ddnfmqng.exe107⤵
- Modifies registry class
PID:6108 -
C:\Windows\SysWOW64\Dmennnni.exeC:\Windows\system32\Dmennnni.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5084 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe109⤵PID:5228
-
C:\Windows\SysWOW64\Dngjff32.exeC:\Windows\system32\Dngjff32.exe110⤵PID:5372
-
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe112⤵PID:5692
-
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe113⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Eofgpikj.exeC:\Windows\system32\Eofgpikj.exe114⤵PID:396
-
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe115⤵PID:5924
-
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe116⤵PID:6032
-
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6120 -
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe118⤵
- Drops file in System32 directory
PID:5256 -
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5496 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe120⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5848
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-