Analysis
-
max time kernel
125s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13/05/2024, 06:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a307924564c9ea72607ea48154965430_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
a307924564c9ea72607ea48154965430_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a307924564c9ea72607ea48154965430_NeikiAnalytics.exe
-
Size
59KB
-
MD5
a307924564c9ea72607ea48154965430
-
SHA1
d476468dcc72fee75ac6691a19a543360acfeb64
-
SHA256
f0480974e9e48095d76adbe66047581124b8f88794d9a74bcc9761e1e4f2a190
-
SHA512
be84f764ffd34dcdd27dba5d26c92f3c2c2af4d52fc2215eed0f6bdb0f6d7631272f4d06b040c7e976a6c269b2013565e6e92c7613cc230deaecbe1bcb57e7ca
-
SSDEEP
768:Q4+0Bseo0zJuZs+qSz32lo8X7BW5u3k2HBPhu5IQEa2p/1H5KoXdnhfXaXdnh:hBseo0zEqVW5b2H5h4Iva2Ls6O
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnonkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpolbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjdebfnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omegjomb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbocfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfolacnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aokkahlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbkfbcpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phdnngdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbncapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmadco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagkhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaagkcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggimh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kamjda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmladbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibjli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjblje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phodcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kheekkjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aolblopj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cammjakm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmnhcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camddhoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njinmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkegpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfglfdkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbfcigf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbchdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojomcopk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahofoogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknlbhhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjeljhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddjpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpffeaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhkfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfhbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojnfihmo.exe -
Executes dropped EXE 64 IoCs
pid Process 4812 Mebcop32.exe 1228 Mgaokl32.exe 2440 Mjokgg32.exe 3020 Mmnhcb32.exe 4908 Mchppmij.exe 4268 Mkohaj32.exe 2880 Mnmdme32.exe 3752 Mmpdhboj.exe 4884 Mcjmel32.exe 5068 Mjdebfnd.exe 4548 Mmbanbmg.exe 1448 Meiioonj.exe 1280 Nlcalieg.exe 3420 Nnbnhedj.exe 2720 Napjdpcn.exe 4536 Ncofplba.exe 940 Ngjbaj32.exe 5064 Njinmf32.exe 4892 Nenbjo32.exe 2216 Nhmofj32.exe 804 Njkkbehl.exe 676 Nmigoagp.exe 1040 Neqopnhb.exe 3972 Nhokljge.exe 1480 Njmhhefi.exe 3188 Nmlddqem.exe 2100 Neclenfo.exe 4588 Nlmdbh32.exe 1324 Nnkpnclp.exe 2900 Oeehkn32.exe 1644 Odhifjkg.exe 4704 Ojbacd32.exe 1876 Omqmop32.exe 4132 Oeheqm32.exe 2320 Odjeljhd.exe 4128 Olanmgig.exe 4768 Onpjichj.exe 884 Omcjep32.exe 216 Oejbfmpg.exe 4332 Odmbaj32.exe 536 Ojgjndno.exe 3932 Oobfob32.exe 700 Omegjomb.exe 4868 Oelolmnd.exe 4756 Ohkkhhmh.exe 988 Olfghg32.exe 4324 Oodcdb32.exe 3956 Oeokal32.exe 3400 Ohmhmh32.exe 3976 Olicnfco.exe 3132 Oogpjbbb.exe 3224 Peahgl32.exe 1164 Phodcg32.exe 5024 Pknqoc32.exe 3064 Pecellgl.exe 3100 Pmoiqneg.exe 1852 Pefabkej.exe 4700 Phdnngdn.exe 2548 Pkbjjbda.exe 5072 Pehngkcg.exe 5028 Phfjcf32.exe 1284 Pkegpb32.exe 1952 Pmcclm32.exe 1316 Pejkmk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ppdbgncl.exe Pqbala32.exe File opened for modification C:\Windows\SysWOW64\Mkohaj32.exe Mchppmij.exe File created C:\Windows\SysWOW64\Dfglfdkb.exe Dnpdegjp.exe File created C:\Windows\SysWOW64\Dgeaknci.dll Aokkahlo.exe File created C:\Windows\SysWOW64\Jklliiom.dll Ibegfglj.exe File created C:\Windows\SysWOW64\Mkohaj32.exe Mchppmij.exe File created C:\Windows\SysWOW64\Eeccjdie.dll Kofkbk32.exe File opened for modification C:\Windows\SysWOW64\Ibqnkh32.exe Ilfennic.exe File opened for modification C:\Windows\SysWOW64\Aagkhd32.exe Amlogfel.exe File created C:\Windows\SysWOW64\Olekop32.dll Haaaaeim.exe File created C:\Windows\SysWOW64\Kofljo32.dll Nckkfp32.exe File opened for modification C:\Windows\SysWOW64\Nmjfodne.exe Niojoeel.exe File opened for modification C:\Windows\SysWOW64\Deqcbpld.exe Dkhnjk32.exe File opened for modification C:\Windows\SysWOW64\Hedafk32.exe Gojiiafp.exe File created C:\Windows\SysWOW64\Jgpfbjlo.exe Johnamkm.exe File opened for modification C:\Windows\SysWOW64\Phcgcqab.exe Pmnbfhal.exe File created C:\Windows\SysWOW64\Neclenfo.exe Nmlddqem.exe File created C:\Windows\SysWOW64\Iefeek32.dll Iefgbh32.exe File created C:\Windows\SysWOW64\Qapnmopa.exe Qiiflaoo.exe File created C:\Windows\SysWOW64\Mneoha32.dll Jimldogg.exe File created C:\Windows\SysWOW64\Ejhfdb32.dll Kbhmbdle.exe File opened for modification C:\Windows\SysWOW64\Qclmck32.exe Qamago32.exe File opened for modification C:\Windows\SysWOW64\Cdmoafdb.exe Cancekeo.exe File created C:\Windows\SysWOW64\Ejoaandc.dll Aekddhcb.exe File opened for modification C:\Windows\SysWOW64\Bdpaeehj.exe Baadiiif.exe File opened for modification C:\Windows\SysWOW64\Mgloefco.exe Modgdicm.exe File opened for modification C:\Windows\SysWOW64\Ilphdlqh.exe Iialhaad.exe File created C:\Windows\SysWOW64\Mnokmd32.dll Dmjmekgn.exe File created C:\Windows\SysWOW64\Lcckiibj.dll Afcmfe32.exe File created C:\Windows\SysWOW64\Cghane32.dll Cleegp32.exe File created C:\Windows\SysWOW64\Deqcbpld.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Fpejkd32.dll Gfjkjo32.exe File opened for modification C:\Windows\SysWOW64\Iijfhbhl.exe Ibqnkh32.exe File opened for modification C:\Windows\SysWOW64\Adepji32.exe Amkhmoap.exe File created C:\Windows\SysWOW64\Pbbmemif.dll Bffcpg32.exe File opened for modification C:\Windows\SysWOW64\Bkgeainn.exe Bdmmeo32.exe File created C:\Windows\SysWOW64\Lhpapf32.dll Foapaa32.exe File opened for modification C:\Windows\SysWOW64\Nqoloc32.exe Nhhdnf32.exe File created C:\Windows\SysWOW64\Ofegni32.exe Ocgkan32.exe File created C:\Windows\SysWOW64\Baepolni.exe Binhnomg.exe File created C:\Windows\SysWOW64\Omqmop32.exe Ojbacd32.exe File created C:\Windows\SysWOW64\Fihnomjp.exe Efjbcakl.exe File created C:\Windows\SysWOW64\Ckbcpc32.dll Pdmdnadc.exe File created C:\Windows\SysWOW64\Cogddd32.exe Cgqlcg32.exe File opened for modification C:\Windows\SysWOW64\Palklf32.exe Pjbcplpe.exe File created C:\Windows\SysWOW64\Mnmdme32.exe Mkohaj32.exe File opened for modification C:\Windows\SysWOW64\Phigif32.exe Pejkmk32.exe File opened for modification C:\Windows\SysWOW64\Gbchdp32.exe Gmfplibd.exe File created C:\Windows\SysWOW64\Cfiedd32.dll Kjjbjd32.exe File created C:\Windows\SysWOW64\Chqogq32.exe Cfbcke32.exe File opened for modification C:\Windows\SysWOW64\Cgnomg32.exe Cpdgqmnb.exe File created C:\Windows\SysWOW64\Fkdjqkoj.dll Giecfejd.exe File created C:\Windows\SysWOW64\Hiciojhd.dll Khgbqkhj.exe File created C:\Windows\SysWOW64\Mbbiec32.dll Aonoao32.exe File created C:\Windows\SysWOW64\Cnfaohbj.exe Cocacl32.exe File created C:\Windows\SysWOW64\Hbldphde.exe Hpmhdmea.exe File opened for modification C:\Windows\SysWOW64\Bbhildae.exe Bpjmph32.exe File opened for modification C:\Windows\SysWOW64\Joekag32.exe Jlgoek32.exe File created C:\Windows\SysWOW64\Bhnikc32.exe Bdbnjdfg.exe File created C:\Windows\SysWOW64\Feoodn32.exe Fpbflg32.exe File opened for modification C:\Windows\SysWOW64\Ehbnigjj.exe Eqlfhjig.exe File opened for modification C:\Windows\SysWOW64\Olanmgig.exe Odjeljhd.exe File opened for modification C:\Windows\SysWOW64\Oejbfmpg.exe Omcjep32.exe File created C:\Windows\SysWOW64\Ombcji32.exe Ofhknodl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15332 15248 WerFault.exe 762 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjem32.dll" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dglkoeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bomfgoah.dll" Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll" Hnlodjpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jadgnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohqnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjbmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnmdme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nggnadib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bojomm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdllgpbm.dll" Ljhnlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbenoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqadgkdb.dll" Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknhkd32.dll" Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll" Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll" Lckboblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmhbqbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjeiodek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqhoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oikjkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldqfd32.dll" Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcmfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbebbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmphaaln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgegjnih.dll" Ombcji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckkfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgifbhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll" Mfkkqmiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhkafda.dll" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdlkdhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olekop32.dll" Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iijfhbhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdpaeehj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmkmfbo.dll" Kcjjhdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkobdie.dll" Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipimhnjc.dll" Qbajeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll" Ddgplado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll" Gkaclqkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbajeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkgeainn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhanngbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnidloo.dll" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dannpknl.dll" Nfohgqlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgbnkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcoejf32.dll" Mhldbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnmfclj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4964 wrote to memory of 4812 4964 a307924564c9ea72607ea48154965430_NeikiAnalytics.exe 90 PID 4964 wrote to memory of 4812 4964 a307924564c9ea72607ea48154965430_NeikiAnalytics.exe 90 PID 4964 wrote to memory of 4812 4964 a307924564c9ea72607ea48154965430_NeikiAnalytics.exe 90 PID 4812 wrote to memory of 1228 4812 Mebcop32.exe 91 PID 4812 wrote to memory of 1228 4812 Mebcop32.exe 91 PID 4812 wrote to memory of 1228 4812 Mebcop32.exe 91 PID 1228 wrote to memory of 2440 1228 Mgaokl32.exe 92 PID 1228 wrote to memory of 2440 1228 Mgaokl32.exe 92 PID 1228 wrote to memory of 2440 1228 Mgaokl32.exe 92 PID 2440 wrote to memory of 3020 2440 Mjokgg32.exe 93 PID 2440 wrote to memory of 3020 2440 Mjokgg32.exe 93 PID 2440 wrote to memory of 3020 2440 Mjokgg32.exe 93 PID 3020 wrote to memory of 4908 3020 Mmnhcb32.exe 94 PID 3020 wrote to memory of 4908 3020 Mmnhcb32.exe 94 PID 3020 wrote to memory of 4908 3020 Mmnhcb32.exe 94 PID 4908 wrote to memory of 4268 4908 Mchppmij.exe 95 PID 4908 wrote to memory of 4268 4908 Mchppmij.exe 95 PID 4908 wrote to memory of 4268 4908 Mchppmij.exe 95 PID 4268 wrote to memory of 2880 4268 Mkohaj32.exe 96 PID 4268 wrote to memory of 2880 4268 Mkohaj32.exe 96 PID 4268 wrote to memory of 2880 4268 Mkohaj32.exe 96 PID 2880 wrote to memory of 3752 2880 Mnmdme32.exe 97 PID 2880 wrote to memory of 3752 2880 Mnmdme32.exe 97 PID 2880 wrote to memory of 3752 2880 Mnmdme32.exe 97 PID 3752 wrote to memory of 4884 3752 Mmpdhboj.exe 99 PID 3752 wrote to memory of 4884 3752 Mmpdhboj.exe 99 PID 3752 wrote to memory of 4884 3752 Mmpdhboj.exe 99 PID 4884 wrote to memory of 5068 4884 Mcjmel32.exe 100 PID 4884 wrote to memory of 5068 4884 Mcjmel32.exe 100 PID 4884 wrote to memory of 5068 4884 Mcjmel32.exe 100 PID 5068 wrote to memory of 4548 5068 Mjdebfnd.exe 101 PID 5068 wrote to memory of 4548 5068 Mjdebfnd.exe 101 PID 5068 wrote to memory of 4548 5068 Mjdebfnd.exe 101 PID 4548 wrote to memory of 1448 4548 Mmbanbmg.exe 102 PID 4548 wrote to memory of 1448 4548 Mmbanbmg.exe 102 PID 4548 wrote to memory of 1448 4548 Mmbanbmg.exe 102 PID 1448 wrote to memory of 1280 1448 Meiioonj.exe 103 PID 1448 wrote to memory of 1280 1448 Meiioonj.exe 103 PID 1448 wrote to memory of 1280 1448 Meiioonj.exe 103 PID 1280 wrote to memory of 3420 1280 Nlcalieg.exe 105 PID 1280 wrote to memory of 3420 1280 Nlcalieg.exe 105 PID 1280 wrote to memory of 3420 1280 Nlcalieg.exe 105 PID 3420 wrote to memory of 2720 3420 Nnbnhedj.exe 106 PID 3420 wrote to memory of 2720 3420 Nnbnhedj.exe 106 PID 3420 wrote to memory of 2720 3420 Nnbnhedj.exe 106 PID 2720 wrote to memory of 4536 2720 Napjdpcn.exe 107 PID 2720 wrote to memory of 4536 2720 Napjdpcn.exe 107 PID 2720 wrote to memory of 4536 2720 Napjdpcn.exe 107 PID 4536 wrote to memory of 940 4536 Ncofplba.exe 108 PID 4536 wrote to memory of 940 4536 Ncofplba.exe 108 PID 4536 wrote to memory of 940 4536 Ncofplba.exe 108 PID 940 wrote to memory of 5064 940 Ngjbaj32.exe 109 PID 940 wrote to memory of 5064 940 Ngjbaj32.exe 109 PID 940 wrote to memory of 5064 940 Ngjbaj32.exe 109 PID 5064 wrote to memory of 4892 5064 Njinmf32.exe 110 PID 5064 wrote to memory of 4892 5064 Njinmf32.exe 110 PID 5064 wrote to memory of 4892 5064 Njinmf32.exe 110 PID 4892 wrote to memory of 2216 4892 Nenbjo32.exe 111 PID 4892 wrote to memory of 2216 4892 Nenbjo32.exe 111 PID 4892 wrote to memory of 2216 4892 Nenbjo32.exe 111 PID 2216 wrote to memory of 804 2216 Nhmofj32.exe 112 PID 2216 wrote to memory of 804 2216 Nhmofj32.exe 112 PID 2216 wrote to memory of 804 2216 Nhmofj32.exe 112 PID 804 wrote to memory of 676 804 Njkkbehl.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\a307924564c9ea72607ea48154965430_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a307924564c9ea72607ea48154965430_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe23⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe24⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe25⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe26⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3188 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe29⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Nnkpnclp.exeC:\Windows\system32\Nnkpnclp.exe30⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe31⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe32⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4704 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe34⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe35⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe37⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Onpjichj.exeC:\Windows\system32\Onpjichj.exe38⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe40⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Odmbaj32.exeC:\Windows\system32\Odmbaj32.exe41⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe42⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe43⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe45⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe46⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe47⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe49⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe50⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe51⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Oogpjbbb.exeC:\Windows\system32\Oogpjbbb.exe52⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe53⤵PID:4568
-
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe54⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe56⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe57⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Pmoiqneg.exeC:\Windows\system32\Pmoiqneg.exe58⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe61⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Pehngkcg.exeC:\Windows\system32\Pehngkcg.exe62⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe63⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe67⤵PID:5128
-
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe68⤵
- Modifies registry class
PID:5168 -
C:\Windows\SysWOW64\Qmepam32.exeC:\Windows\system32\Qmepam32.exe69⤵PID:5212
-
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe70⤵PID:5260
-
C:\Windows\SysWOW64\Qhkdof32.exeC:\Windows\system32\Qhkdof32.exe71⤵PID:5296
-
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe72⤵PID:5344
-
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe73⤵PID:5392
-
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe74⤵PID:5436
-
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe75⤵PID:5496
-
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe76⤵PID:5544
-
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe77⤵PID:5588
-
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe78⤵PID:5628
-
C:\Windows\SysWOW64\Aeaanjkl.exeC:\Windows\system32\Aeaanjkl.exe79⤵PID:5668
-
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe80⤵PID:5716
-
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5760 -
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe82⤵PID:5804
-
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe83⤵PID:5848
-
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe85⤵
- Modifies registry class
PID:5932 -
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe86⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Aamknj32.exeC:\Windows\system32\Aamknj32.exe87⤵PID:6028
-
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6076 -
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe89⤵
- Drops file in System32 directory
PID:6120 -
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe90⤵PID:5140
-
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe91⤵PID:5208
-
C:\Windows\SysWOW64\Bochmn32.exeC:\Windows\system32\Bochmn32.exe92⤵PID:5284
-
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe93⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe95⤵
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe96⤵PID:5624
-
C:\Windows\SysWOW64\Boeebnhp.exeC:\Windows\system32\Boeebnhp.exe97⤵PID:5692
-
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe98⤵PID:5752
-
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe99⤵PID:5840
-
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe100⤵
- Drops file in System32 directory
PID:5920 -
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe101⤵PID:5968
-
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe102⤵PID:5992
-
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe103⤵PID:6112
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe104⤵PID:5200
-
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe105⤵PID:5280
-
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5420 -
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe107⤵PID:5580
-
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe108⤵PID:5680
-
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe109⤵
- Modifies registry class
PID:5780 -
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe110⤵PID:5952
-
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe111⤵PID:5448
-
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe112⤵PID:6108
-
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe114⤵PID:5400
-
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe115⤵PID:5696
-
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe116⤵PID:5812
-
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe117⤵
- Drops file in System32 directory
PID:6020 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6128 -
C:\Windows\SysWOW64\Ckclhn32.exeC:\Windows\system32\Ckclhn32.exe119⤵PID:5388
-
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe120⤵PID:5940
-
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-