Analysis
-
max time kernel
156s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13-05-2024 09:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
af02f9a2b1c545f01cd526e40cc753b0_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
af02f9a2b1c545f01cd526e40cc753b0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
af02f9a2b1c545f01cd526e40cc753b0_NeikiAnalytics.exe
-
Size
96KB
-
MD5
af02f9a2b1c545f01cd526e40cc753b0
-
SHA1
0eb493141d2bf0e4aa9b091650b2735e1c59c33a
-
SHA256
0780ba8c9b1339c575a9a9262fc82780617b44108976594f996d3667adcd1667
-
SHA512
3dd738a551c692a1a1e64287f4cffa90de94afb7cdff95ea1a4e9963f6c306b2bdd494415caf71d335d5dd75d3130e42569eb07bd6bb1e693c4dc9d0813b6274
-
SSDEEP
1536:kHaahBtrwgOKAz9wlk/El0MrROF1JJzdk2Lk1WVPXuhiTMuZXGTIVefVDkryyAyW:+bhzMgqpQk/xMNOF1JhvayPXuhuXGQmV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnfcbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcobjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmhmko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimgba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnfhmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhcdlgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhcne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmooak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paocim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnihod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfiiejnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efeiahdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edcqojqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolinf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjjfkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beippj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doageg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncihbaie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgflmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgknlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npkmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqcilgji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogfkpih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akamol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjahchpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmphjfab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enomic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hncmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emldhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklbfaae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmgok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlfqngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kapclned.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcdlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fobomglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ackiqpce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnnjoam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgabpgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjoedfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioopfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgkeep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnmojp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilkkq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqaheai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllplajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbkgfode.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnohinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fadoii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bboplo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldgmgml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcjlld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcobjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehekjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckeikcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkgqpaed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nobdlqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpjmok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoenbkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpcpei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onneeceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agiahlkf.exe -
Executes dropped EXE 64 IoCs
pid Process 3004 Lefkkg32.exe 4788 Mohbjkgp.exe 1912 Mahklf32.exe 3152 Napameoi.exe 3336 Ohncdobq.exe 1648 Ocknbglo.exe 1340 Pcpgmf32.exe 3920 Qmanljfo.exe 3372 Acppddig.exe 2660 Afqifo32.exe 3568 Bblcfo32.exe 4660 Bboplo32.exe 3188 Cpnpqakp.exe 2704 Ciiaogon.exe 1564 Dpjompqc.exe 1336 Dmplkd32.exe 5076 Emeffcid.exe 956 Eepkkefp.exe 4100 Ephlnn32.exe 4868 Elolco32.exe 964 Fnnimbaj.exe 3960 Fpoaom32.exe 1608 Fpandm32.exe 2740 Fdogjk32.exe 1516 Ffcpgcfj.exe 3292 Glabolja.exe 2880 Gmfkjl32.exe 1856 Hmkeekag.exe 384 Hgbfhc32.exe 1580 Hdicggla.exe 4484 Idkpmgjo.exe 260 Icqmncof.exe 4380 Inhmqlmj.exe 1696 Imnjbhaa.exe 2300 Jmpgghoo.exe 840 Japmcfcc.exe 4536 Jeneidji.exe 752 Kfdklllb.exe 2876 Maoakaip.exe 2788 Mmjlkb32.exe 2864 Mknlef32.exe 660 Nhbmnj32.exe 4968 Nhdicjfp.exe 2084 Naokbokn.exe 648 Nkjlqd32.exe 4644 Oeamcmmo.exe 492 Oediim32.exe 3000 Oakjnnap.exe 3952 Ofhcdlgg.exe 4844 Paocim32.exe 1212 Pkjegb32.exe 1964 Pdbiphhi.exe 3384 Pfbfjk32.exe 4056 Qkchna32.exe 324 Adnilfnl.exe 1464 Anijjkbj.exe 4404 Aeeomegd.exe 4268 Afdkfh32.exe 1440 Bbpeghpe.exe 1852 Bgokdomj.exe 4864 Bbeobhlp.exe 4208 Chfaenfb.exe 2444 Deagoa32.exe 3672 Dojlhg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Coffcd32.dll Jdmgok32.exe File created C:\Windows\SysWOW64\Llklna32.dll Pmbjcb32.exe File created C:\Windows\SysWOW64\Gelqhibk.dll Pafcjijo.exe File opened for modification C:\Windows\SysWOW64\Ikjcmi32.exe Hakidd32.exe File created C:\Windows\SysWOW64\Hifijmqd.dll Omigmc32.exe File opened for modification C:\Windows\SysWOW64\Eagahnob.exe Edcqojqh.exe File created C:\Windows\SysWOW64\Oilpjffh.dll Ijadljdg.exe File created C:\Windows\SysWOW64\Ckhlgilp.exe Cfldob32.exe File opened for modification C:\Windows\SysWOW64\Cffcilob.exe Cdggoi32.exe File opened for modification C:\Windows\SysWOW64\Pkjegb32.exe Paocim32.exe File created C:\Windows\SysWOW64\Lpcedbjp.exe Ldleoa32.exe File created C:\Windows\SysWOW64\Deehbe32.exe Cfdhdn32.exe File opened for modification C:\Windows\SysWOW64\Kgnbol32.exe Kkgbjkac.exe File created C:\Windows\SysWOW64\Jjfobp32.dll Mallojmd.exe File created C:\Windows\SysWOW64\Nomjgqpp.dll Ibicgmhe.exe File created C:\Windows\SysWOW64\Qjefmq32.dll Ahgjnpna.exe File opened for modification C:\Windows\SysWOW64\Hmioicek.exe Habndbpf.exe File created C:\Windows\SysWOW64\Chmehhpn.exe Ckidoc32.exe File created C:\Windows\SysWOW64\Djnfppqi.exe Dcdnce32.exe File created C:\Windows\SysWOW64\Eijbge32.exe Dkfanqmd.exe File created C:\Windows\SysWOW64\Fdiijemd.dll Fmfgoa32.exe File opened for modification C:\Windows\SysWOW64\Ahdpea32.exe Qnlkllcf.exe File created C:\Windows\SysWOW64\Caioglje.dll Oeqagi32.exe File created C:\Windows\SysWOW64\Linojbdc.exe Ldqfddml.exe File created C:\Windows\SysWOW64\Qcobjk32.exe Qifnaecf.exe File opened for modification C:\Windows\SysWOW64\Gpkiklop.exe Gpimflqb.exe File created C:\Windows\SysWOW64\Nfmdccgi.dll Dhcfleff.exe File opened for modification C:\Windows\SysWOW64\Fanigb32.exe Falmabki.exe File created C:\Windows\SysWOW64\Ffqgddjj.dll Kgmlde32.exe File created C:\Windows\SysWOW64\Olijkhjb.dll Ehifak32.exe File created C:\Windows\SysWOW64\Lpmfnj32.exe Kgphje32.exe File created C:\Windows\SysWOW64\Bqdlmo32.exe Bndblcdq.exe File created C:\Windows\SysWOW64\Iphcjffo.dll Lebalokn.exe File created C:\Windows\SysWOW64\Gdckdn32.dll Mqhmbqlh.exe File created C:\Windows\SysWOW64\Okcccdkp.exe Nnpcjplf.exe File opened for modification C:\Windows\SysWOW64\Pggbdgmm.exe Pjcbkbnc.exe File created C:\Windows\SysWOW64\Ppgeqijb.exe Pjkmhblk.exe File created C:\Windows\SysWOW64\Lcndab32.exe Lckglc32.exe File created C:\Windows\SysWOW64\Aoonpe32.dll Aphegjhc.exe File created C:\Windows\SysWOW64\Haajpgna.dll Epgpajdp.exe File created C:\Windows\SysWOW64\Hhkkdenm.dll Ecefjckj.exe File created C:\Windows\SysWOW64\Egnhnkmj.exe Ebapednb.exe File opened for modification C:\Windows\SysWOW64\Obccpj32.exe Ojhnlh32.exe File created C:\Windows\SysWOW64\Cilmpmki.exe Ckhlgilp.exe File created C:\Windows\SysWOW64\Gmdcpoid.exe Goccbhae.exe File created C:\Windows\SysWOW64\Akcgmn32.dll Goccbhae.exe File created C:\Windows\SysWOW64\Ibdiln32.exe Hdpicj32.exe File created C:\Windows\SysWOW64\Ofimck32.dll Canlfh32.exe File opened for modification C:\Windows\SysWOW64\Hgbfhc32.exe Hmkeekag.exe File created C:\Windows\SysWOW64\Fibocnnj.exe Fpjjkh32.exe File created C:\Windows\SysWOW64\Hjaogfhi.dll Jbjciano.exe File opened for modification C:\Windows\SysWOW64\Emaemefo.exe Eggmqk32.exe File created C:\Windows\SysWOW64\Ggoddakg.dll Jdpkoalc.exe File created C:\Windows\SysWOW64\Ccoolcnf.dll Ijcjgcni.exe File created C:\Windows\SysWOW64\Dajfhepb.dll Lcjchd32.exe File created C:\Windows\SysWOW64\Hkjjfkcm.exe Hembndee.exe File created C:\Windows\SysWOW64\Foenplji.exe Fiheheka.exe File opened for modification C:\Windows\SysWOW64\Gdjilphb.exe Gmpqof32.exe File created C:\Windows\SysWOW64\Khmjga32.exe Kbneij32.exe File opened for modification C:\Windows\SysWOW64\Ncdgmkio.exe Ngmggj32.exe File opened for modification C:\Windows\SysWOW64\Eimelg32.exe Ejkenpnp.exe File opened for modification C:\Windows\SysWOW64\Gmfkjl32.exe Glabolja.exe File opened for modification C:\Windows\SysWOW64\Cnfahn32.exe Cleeafbi.exe File created C:\Windows\SysWOW64\Bboplo32.exe Bblcfo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8228 1600 Process not Found 1147 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilhcmpeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emldhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eggmqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gokmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imieibie.dll" Lpcedbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qanlna32.dll" Fkiobhac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqjcgbbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbenjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojoflnjh.dll" Inombh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phpkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfbfjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbkgfode.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgjldfqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmmoekem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pajekb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcmeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mallojmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajbegg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nboggf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqdbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdiohnek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgoalc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbeobhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beippj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbajnci.dll" Gimjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occnjp32.dll" Hmoehojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pamikh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgdedj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkebekgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknah32.dll" Ehhpge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhaae32.dll" Foenplji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daccdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll" Napameoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bndblcdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaabkj32.dll" Hhoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfkjpc.dll" Mnpice32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkdmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjokpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plmmbkdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdembk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdemn32.dll" Gkianp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndblob32.dll" Podcnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jefgak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemnbd32.dll" Ggldde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cialka32.dll" Bocjdiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdjjgggk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efocbmni.dll" Lnnidjcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efepln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akkfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmamhf32.dll" Kleajegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bboplo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onlipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndolnm32.dll" Gndpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeqagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npepdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fppchile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldleoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblbapgo.dll" Hglaookl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglkno32.dll" Eleikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifcbpdg.dll" Akamol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaoao32.dll" Mogccnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlafhkfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llmbqdfb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5100 wrote to memory of 3004 5100 af02f9a2b1c545f01cd526e40cc753b0_NeikiAnalytics.exe 90 PID 5100 wrote to memory of 3004 5100 af02f9a2b1c545f01cd526e40cc753b0_NeikiAnalytics.exe 90 PID 5100 wrote to memory of 3004 5100 af02f9a2b1c545f01cd526e40cc753b0_NeikiAnalytics.exe 90 PID 3004 wrote to memory of 4788 3004 Lefkkg32.exe 91 PID 3004 wrote to memory of 4788 3004 Lefkkg32.exe 91 PID 3004 wrote to memory of 4788 3004 Lefkkg32.exe 91 PID 4788 wrote to memory of 1912 4788 Mohbjkgp.exe 92 PID 4788 wrote to memory of 1912 4788 Mohbjkgp.exe 92 PID 4788 wrote to memory of 1912 4788 Mohbjkgp.exe 92 PID 1912 wrote to memory of 3152 1912 Mahklf32.exe 93 PID 1912 wrote to memory of 3152 1912 Mahklf32.exe 93 PID 1912 wrote to memory of 3152 1912 Mahklf32.exe 93 PID 3152 wrote to memory of 3336 3152 Napameoi.exe 94 PID 3152 wrote to memory of 3336 3152 Napameoi.exe 94 PID 3152 wrote to memory of 3336 3152 Napameoi.exe 94 PID 3336 wrote to memory of 1648 3336 Ohncdobq.exe 95 PID 3336 wrote to memory of 1648 3336 Ohncdobq.exe 95 PID 3336 wrote to memory of 1648 3336 Ohncdobq.exe 95 PID 1648 wrote to memory of 1340 1648 Ocknbglo.exe 96 PID 1648 wrote to memory of 1340 1648 Ocknbglo.exe 96 PID 1648 wrote to memory of 1340 1648 Ocknbglo.exe 96 PID 1340 wrote to memory of 3920 1340 Pcpgmf32.exe 97 PID 1340 wrote to memory of 3920 1340 Pcpgmf32.exe 97 PID 1340 wrote to memory of 3920 1340 Pcpgmf32.exe 97 PID 3920 wrote to memory of 3372 3920 Qmanljfo.exe 98 PID 3920 wrote to memory of 3372 3920 Qmanljfo.exe 98 PID 3920 wrote to memory of 3372 3920 Qmanljfo.exe 98 PID 3372 wrote to memory of 2660 3372 Acppddig.exe 99 PID 3372 wrote to memory of 2660 3372 Acppddig.exe 99 PID 3372 wrote to memory of 2660 3372 Acppddig.exe 99 PID 2660 wrote to memory of 3568 2660 Afqifo32.exe 100 PID 2660 wrote to memory of 3568 2660 Afqifo32.exe 100 PID 2660 wrote to memory of 3568 2660 Afqifo32.exe 100 PID 3568 wrote to memory of 4660 3568 Bblcfo32.exe 101 PID 3568 wrote to memory of 4660 3568 Bblcfo32.exe 101 PID 3568 wrote to memory of 4660 3568 Bblcfo32.exe 101 PID 4660 wrote to memory of 3188 4660 Bboplo32.exe 102 PID 4660 wrote to memory of 3188 4660 Bboplo32.exe 102 PID 4660 wrote to memory of 3188 4660 Bboplo32.exe 102 PID 3188 wrote to memory of 2704 3188 Cpnpqakp.exe 103 PID 3188 wrote to memory of 2704 3188 Cpnpqakp.exe 103 PID 3188 wrote to memory of 2704 3188 Cpnpqakp.exe 103 PID 2704 wrote to memory of 1564 2704 Ciiaogon.exe 104 PID 2704 wrote to memory of 1564 2704 Ciiaogon.exe 104 PID 2704 wrote to memory of 1564 2704 Ciiaogon.exe 104 PID 1564 wrote to memory of 1336 1564 Dpjompqc.exe 105 PID 1564 wrote to memory of 1336 1564 Dpjompqc.exe 105 PID 1564 wrote to memory of 1336 1564 Dpjompqc.exe 105 PID 1336 wrote to memory of 5076 1336 Dmplkd32.exe 106 PID 1336 wrote to memory of 5076 1336 Dmplkd32.exe 106 PID 1336 wrote to memory of 5076 1336 Dmplkd32.exe 106 PID 5076 wrote to memory of 956 5076 Emeffcid.exe 107 PID 5076 wrote to memory of 956 5076 Emeffcid.exe 107 PID 5076 wrote to memory of 956 5076 Emeffcid.exe 107 PID 956 wrote to memory of 4100 956 Eepkkefp.exe 108 PID 956 wrote to memory of 4100 956 Eepkkefp.exe 108 PID 956 wrote to memory of 4100 956 Eepkkefp.exe 108 PID 4100 wrote to memory of 4868 4100 Ephlnn32.exe 109 PID 4100 wrote to memory of 4868 4100 Ephlnn32.exe 109 PID 4100 wrote to memory of 4868 4100 Ephlnn32.exe 109 PID 4868 wrote to memory of 964 4868 Elolco32.exe 111 PID 4868 wrote to memory of 964 4868 Elolco32.exe 111 PID 4868 wrote to memory of 964 4868 Elolco32.exe 111 PID 964 wrote to memory of 3960 964 Fnnimbaj.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\af02f9a2b1c545f01cd526e40cc753b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\af02f9a2b1c545f01cd526e40cc753b0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Lefkkg32.exeC:\Windows\system32\Lefkkg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Mohbjkgp.exeC:\Windows\system32\Mohbjkgp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Ocknbglo.exeC:\Windows\system32\Ocknbglo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bblcfo32.exeC:\Windows\system32\Bblcfo32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Emeffcid.exeC:\Windows\system32\Emeffcid.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Fpoaom32.exeC:\Windows\system32\Fpoaom32.exe23⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe24⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Fdogjk32.exeC:\Windows\system32\Fdogjk32.exe25⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ffcpgcfj.exeC:\Windows\system32\Ffcpgcfj.exe26⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Glabolja.exeC:\Windows\system32\Glabolja.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3292 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe28⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Hmkeekag.exeC:\Windows\system32\Hmkeekag.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Hgbfhc32.exeC:\Windows\system32\Hgbfhc32.exe30⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe31⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Idkpmgjo.exeC:\Windows\system32\Idkpmgjo.exe32⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Icqmncof.exeC:\Windows\system32\Icqmncof.exe33⤵
- Executes dropped EXE
PID:260 -
C:\Windows\SysWOW64\Inhmqlmj.exeC:\Windows\system32\Inhmqlmj.exe34⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Imnjbhaa.exeC:\Windows\system32\Imnjbhaa.exe35⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe36⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Japmcfcc.exeC:\Windows\system32\Japmcfcc.exe37⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe38⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Kfdklllb.exeC:\Windows\system32\Kfdklllb.exe39⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe40⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Mmjlkb32.exeC:\Windows\system32\Mmjlkb32.exe41⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Mknlef32.exeC:\Windows\system32\Mknlef32.exe42⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Nhbmnj32.exeC:\Windows\system32\Nhbmnj32.exe43⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe44⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe45⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Nkjlqd32.exeC:\Windows\system32\Nkjlqd32.exe46⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Oeamcmmo.exeC:\Windows\system32\Oeamcmmo.exe47⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe48⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe49⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ofhcdlgg.exeC:\Windows\system32\Ofhcdlgg.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Paocim32.exeC:\Windows\system32\Paocim32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4844 -
C:\Windows\SysWOW64\Pkjegb32.exeC:\Windows\system32\Pkjegb32.exe52⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Pdbiphhi.exeC:\Windows\system32\Pdbiphhi.exe53⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3384 -
C:\Windows\SysWOW64\Qkchna32.exeC:\Windows\system32\Qkchna32.exe55⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Adnilfnl.exeC:\Windows\system32\Adnilfnl.exe56⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Anijjkbj.exeC:\Windows\system32\Anijjkbj.exe57⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe58⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Afdkfh32.exeC:\Windows\system32\Afdkfh32.exe59⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Bbpeghpe.exeC:\Windows\system32\Bbpeghpe.exe60⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe61⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4864 -
C:\Windows\SysWOW64\Chfaenfb.exeC:\Windows\system32\Chfaenfb.exe63⤵
- Executes dropped EXE
PID:4208 -
C:\Windows\SysWOW64\Deagoa32.exeC:\Windows\system32\Deagoa32.exe64⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Dojlhg32.exeC:\Windows\system32\Dojlhg32.exe65⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Dolinf32.exeC:\Windows\system32\Dolinf32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3776 -
C:\Windows\SysWOW64\Ehifak32.exeC:\Windows\system32\Ehifak32.exe67⤵
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Ehkcgkdj.exeC:\Windows\system32\Ehkcgkdj.exe68⤵PID:1684
-
C:\Windows\SysWOW64\Fplnogmb.exeC:\Windows\system32\Fplnogmb.exe69⤵PID:4972
-
C:\Windows\SysWOW64\Gedfblql.exeC:\Windows\system32\Gedfblql.exe70⤵PID:4872
-
C:\Windows\SysWOW64\Gegchl32.exeC:\Windows\system32\Gegchl32.exe71⤵PID:5068
-
C:\Windows\SysWOW64\Ggfobofl.exeC:\Windows\system32\Ggfobofl.exe72⤵PID:3352
-
C:\Windows\SysWOW64\Hodqlq32.exeC:\Windows\system32\Hodqlq32.exe73⤵PID:4076
-
C:\Windows\SysWOW64\Hgmebnpd.exeC:\Windows\system32\Hgmebnpd.exe74⤵PID:4652
-
C:\Windows\SysWOW64\Hqjcgbbo.exeC:\Windows\system32\Hqjcgbbo.exe75⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Iiokacgp.exeC:\Windows\system32\Iiokacgp.exe76⤵PID:4552
-
C:\Windows\SysWOW64\Ijngkf32.exeC:\Windows\system32\Ijngkf32.exe77⤵PID:5136
-
C:\Windows\SysWOW64\Jokpcmmj.exeC:\Windows\system32\Jokpcmmj.exe78⤵PID:5180
-
C:\Windows\SysWOW64\Kimgba32.exeC:\Windows\system32\Kimgba32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5220 -
C:\Windows\SysWOW64\Kgemahmg.exeC:\Windows\system32\Kgemahmg.exe80⤵PID:5268
-
C:\Windows\SysWOW64\Libido32.exeC:\Windows\system32\Libido32.exe81⤵PID:5300
-
C:\Windows\SysWOW64\Ldgnbg32.exeC:\Windows\system32\Ldgnbg32.exe82⤵PID:5348
-
C:\Windows\SysWOW64\Mdjjgggk.exeC:\Windows\system32\Mdjjgggk.exe83⤵
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Mhhcne32.exeC:\Windows\system32\Mhhcne32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Mpedgghj.exeC:\Windows\system32\Mpedgghj.exe85⤵PID:5484
-
C:\Windows\SysWOW64\Mmiealgc.exeC:\Windows\system32\Mmiealgc.exe86⤵PID:5528
-
C:\Windows\SysWOW64\Nipffmmg.exeC:\Windows\system32\Nipffmmg.exe87⤵PID:5572
-
C:\Windows\SysWOW64\Nalgbi32.exeC:\Windows\system32\Nalgbi32.exe88⤵PID:5664
-
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe89⤵PID:5728
-
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe90⤵PID:5788
-
C:\Windows\SysWOW64\Pgpobmca.exeC:\Windows\system32\Pgpobmca.exe91⤵PID:5836
-
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5880 -
C:\Windows\SysWOW64\Agiahlkf.exeC:\Windows\system32\Agiahlkf.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Bhbahm32.exeC:\Windows\system32\Bhbahm32.exe94⤵PID:5984
-
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe95⤵PID:6044
-
C:\Windows\SysWOW64\Bndblcdq.exeC:\Windows\system32\Bndblcdq.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:6104 -
C:\Windows\SysWOW64\Bqdlmo32.exeC:\Windows\system32\Bqdlmo32.exe97⤵PID:5144
-
C:\Windows\SysWOW64\Cinpdl32.exeC:\Windows\system32\Cinpdl32.exe98⤵PID:5228
-
C:\Windows\SysWOW64\Cgcmeh32.exeC:\Windows\system32\Cgcmeh32.exe99⤵
- Modifies registry class
PID:5092 -
C:\Windows\SysWOW64\Cegnol32.exeC:\Windows\system32\Cegnol32.exe100⤵PID:5308
-
C:\Windows\SysWOW64\Ckafkfkp.exeC:\Windows\system32\Ckafkfkp.exe101⤵PID:5424
-
C:\Windows\SysWOW64\Ckfofe32.exeC:\Windows\system32\Ckfofe32.exe102⤵PID:5492
-
C:\Windows\SysWOW64\Dendok32.exeC:\Windows\system32\Dendok32.exe103⤵PID:5556
-
C:\Windows\SysWOW64\Dlhlleeh.exeC:\Windows\system32\Dlhlleeh.exe104⤵PID:5700
-
C:\Windows\SysWOW64\Dhcfleff.exeC:\Windows\system32\Dhcfleff.exe105⤵
- Drops file in System32 directory
PID:5760 -
C:\Windows\SysWOW64\Dnnoip32.exeC:\Windows\system32\Dnnoip32.exe106⤵PID:5872
-
C:\Windows\SysWOW64\Elaobdmm.exeC:\Windows\system32\Elaobdmm.exe107⤵PID:5936
-
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe108⤵
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Eaqdpjia.exeC:\Windows\system32\Eaqdpjia.exe109⤵PID:6076
-
C:\Windows\SysWOW64\Ejkenpnp.exeC:\Windows\system32\Ejkenpnp.exe110⤵
- Drops file in System32 directory
PID:5216 -
C:\Windows\SysWOW64\Eimelg32.exeC:\Windows\system32\Eimelg32.exe111⤵PID:4724
-
C:\Windows\SysWOW64\Eoindndf.exeC:\Windows\system32\Eoindndf.exe112⤵PID:5400
-
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe113⤵PID:5996
-
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe114⤵PID:5620
-
C:\Windows\SysWOW64\Fblpflfg.exeC:\Windows\system32\Fblpflfg.exe115⤵PID:5800
-
C:\Windows\SysWOW64\Fiheheka.exeC:\Windows\system32\Fiheheka.exe116⤵
- Drops file in System32 directory
PID:3468 -
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe117⤵
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Gkeakl32.exeC:\Windows\system32\Gkeakl32.exe118⤵PID:1144
-
C:\Windows\SysWOW64\Hembndee.exeC:\Windows\system32\Hembndee.exe119⤵
- Drops file in System32 directory
PID:5676 -
C:\Windows\SysWOW64\Hkjjfkcm.exeC:\Windows\system32\Hkjjfkcm.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5524 -
C:\Windows\SysWOW64\Hadcce32.exeC:\Windows\system32\Hadcce32.exe121⤵PID:5752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-