Analysis

max time kernel: 146s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 22:13

Static task: static1

Behavioral task: behavioral1
Sample: 4385e69f446ebc6fe93d84b3d2d9be20_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 4385e69f446ebc6fe93d84b3d2d9be20_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General

Target: 4385e69f446ebc6fe93d84b3d2d9be20_NeikiAnalytics.exe
Size: 1020KB
MD5: 4385e69f446ebc6fe93d84b3d2d9be20
SHA1: 9fb863b7ab4d1d7f28beeed883cf020c9b2840ef
SHA256: 7afdf1ad06d0c9014f8c9eb5ba0cd890390b2a312376e69b96e52166c0d1a1aa
SHA512: e6c90376af2fcb6f7cf3c6039a9039a476b312ed51776117f7abc0be2cc3e1563f966d786853b75f7bfe4e76de66b431b5283f5951632f918a05e4dcf1067fcc
SSDEEP: 24576:1qylFH50Dv6RwyeQvt6ot0h9HyrOgiruAU3:IylFHUv6ReIt0jSrOQ
Malware Config

Signatures

Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence check. Each of the dropped executables listed below queried the same value under HKU\<user SID>\Control Panel\International\Geo\Nation.
Executes dropped EXE (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Each process in the chain wrote to the memory of the process it spawned next (the parent PID, the child PID and the target process are listed per event; each write is recorded three times).
Processes

Process tree, one process per line: nesting depth, command line, PID, matched signatures. Each process is the child of the one listed immediately above it.

1. "C:\Users\Admin\AppData\Local\Temp\4385e69f446ebc6fe93d84b3d2d9be20_NeikiAnalytics.exe" PID 2752: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
2. "C:\Users\Admin\AppData\Local\Temp\QS16R.exe" PID 3592: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
3. "C:\Users\Admin\AppData\Local\Temp\WBQO3.exe" PID 1332: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
4. "C:\Users\Admin\AppData\Local\Temp\07E54.exe" PID 4464: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
5. "C:\Users\Admin\AppData\Local\Temp\E3800.exe" PID 4940: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
6. "C:\Users\Admin\AppData\Local\Temp\ED88N.exe" PID 4560: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
7. "C:\Users\Admin\AppData\Local\Temp\4934I.exe" PID 2856: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
8. "C:\Users\Admin\AppData\Local\Temp\BFE1K.exe" PID 4892: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
9. "C:\Users\Admin\AppData\Local\Temp\KC77Z.exe" PID 3756: Checks computer location settings; Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
10. "C:\Users\Admin\AppData\Local\Temp\I5I1V.exe" PID 400: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
11. "C:\Users\Admin\AppData\Local\Temp\WU82T.exe" PID 2244: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
12. "C:\Users\Admin\AppData\Local\Temp\SKCWE.exe" PID 2012: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
13. "C:\Users\Admin\AppData\Local\Temp\80M29.exe" PID 1424: Checks computer location settings; Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
14. "C:\Users\Admin\AppData\Local\Temp\T0V50.exe" PID 1904: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
15. "C:\Users\Admin\AppData\Local\Temp\3H05T.exe" PID 2564: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
16. "C:\Users\Admin\AppData\Local\Temp\NMLEI.exe" PID 1444: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
17. "C:\Users\Admin\AppData\Local\Temp\YTSJH.exe" PID 3680: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
18. "C:\Users\Admin\AppData\Local\Temp\58799.exe" PID 4068: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
19. "C:\Users\Admin\AppData\Local\Temp\70DO7.exe" PID 3428: Checks computer location settings; Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
20. "C:\Users\Admin\AppData\Local\Temp\PQ792.exe" PID 2144: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
21. "C:\Users\Admin\AppData\Local\Temp\3317C.exe" PID 4632: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
22. "C:\Users\Admin\AppData\Local\Temp\8T6C6.exe" PID 536: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
23. "C:\Users\Admin\AppData\Local\Temp\67U56.exe" PID 4728: Executes dropped EXE; Suspicious use of SetWindowsHookEx
24. "C:\Users\Admin\AppData\Local\Temp\0CWA3.exe" PID 400: Executes dropped EXE; Suspicious use of SetWindowsHookEx
25. "C:\Users\Admin\AppData\Local\Temp\8YO32.exe" PID 744: Checks computer location settings; Executes dropped EXE; Suspicious use of SetWindowsHookEx
26. "C:\Users\Admin\AppData\Local\Temp\4J8TQ.exe" PID 1464: Executes dropped EXE; Suspicious use of SetWindowsHookEx
27. "C:\Users\Admin\AppData\Local\Temp\SP367.exe" PID 4348: Executes dropped EXE; Suspicious use of SetWindowsHookEx
28. "C:\Users\Admin\AppData\Local\Temp\CQ8N2.exe" PID 2240: Executes dropped EXE; Suspicious use of SetWindowsHookEx
29. "C:\Users\Admin\AppData\Local\Temp\EIX74.exe" PID 1036: Executes dropped EXE; Suspicious use of SetWindowsHookEx
30. "C:\Users\Admin\AppData\Local\Temp\67NVG.exe" PID 1028: Executes dropped EXE; Suspicious use of SetWindowsHookEx
31. "C:\Users\Admin\AppData\Local\Temp\O03CO.exe" PID 1860: Executes dropped EXE; Suspicious use of SetWindowsHookEx
32. "C:\Users\Admin\AppData\Local\Temp\9M68D.exe" PID 516: Executes dropped EXE; Suspicious use of SetWindowsHookEx
33. "C:\Users\Admin\AppData\Local\Temp\CO1WA.exe" PID 4580: Executes dropped EXE
34. "C:\Users\Admin\AppData\Local\Temp\H3I44.exe" PID 4892: Executes dropped EXE
35. "C:\Users\Admin\AppData\Local\Temp\15K5M.exe" PID 1320: Executes dropped EXE
36. "C:\Users\Admin\AppData\Local\Temp\0D22Z.exe" PID 2360: Checks computer location settings; Executes dropped EXE
37. "C:\Users\Admin\AppData\Local\Temp\B78S0.exe" PID 2856: Executes dropped EXE
38. "C:\Users\Admin\AppData\Local\Temp\3RFV1.exe" PID 4984: Checks computer location settings; Executes dropped EXE
39. "C:\Users\Admin\AppData\Local\Temp\H51P1.exe" PID 2024: Checks computer location settings; Executes dropped EXE
40. "C:\Users\Admin\AppData\Local\Temp\3W792.exe" PID 5000: Executes dropped EXE
41. "C:\Users\Admin\AppData\Local\Temp\1PA70.exe" PID 4352: Executes dropped EXE
42. "C:\Users\Admin\AppData\Local\Temp\668DD.exe" PID 3320: Executes dropped EXE
43. "C:\Users\Admin\AppData\Local\Temp\BBJ9S.exe" PID 4036: Executes dropped EXE
44. "C:\Users\Admin\AppData\Local\Temp\GI3S1.exe" PID 3216: Executes dropped EXE
45. "C:\Users\Admin\AppData\Local\Temp\K3FJ5.exe" PID 4628: Executes dropped EXE
46. "C:\Users\Admin\AppData\Local\Temp\9Z15W.exe" PID 1912: Checks computer location settings; Executes dropped EXE
47. "C:\Users\Admin\AppData\Local\Temp\V1399.exe" PID 3580: Executes dropped EXE
48. "C:\Users\Admin\AppData\Local\Temp\47537.exe" PID 3460: Executes dropped EXE
49. "C:\Users\Admin\AppData\Local\Temp\69708.exe" PID 2140: Executes dropped EXE
50. "C:\Users\Admin\AppData\Local\Temp\028S4.exe" PID 1264: Executes dropped EXE
51. "C:\Users\Admin\AppData\Local\Temp\676A3.exe" PID 1660: Executes dropped EXE
52. "C:\Users\Admin\AppData\Local\Temp\05X59.exe" PID 1272: Executes dropped EXE
53. "C:\Users\Admin\AppData\Local\Temp\23V28.exe" PID 752: Executes dropped EXE
54. "C:\Users\Admin\AppData\Local\Temp\39X9O.exe" PID 4988: Checks computer location settings; Executes dropped EXE
55. "C:\Users\Admin\AppData\Local\Temp\887H9.exe" PID 3732: Executes dropped EXE
56. "C:\Users\Admin\AppData\Local\Temp\300H4.exe" PID 4752: Executes dropped EXE
57. "C:\Users\Admin\AppData\Local\Temp\305Q3.exe" PID 1464
58. "C:\Users\Admin\AppData\Local\Temp\566K0.exe" PID 2580: Checks computer location settings; Executes dropped EXE
59. "C:\Users\Admin\AppData\Local\Temp\A992L.exe" PID 4084: Executes dropped EXE
60. "C:\Users\Admin\AppData\Local\Temp\21PUD.exe" PID 2200: Executes dropped EXE
61. "C:\Users\Admin\AppData\Local\Temp\9NJ0E.exe" PID 1776: Executes dropped EXE
62. "C:\Users\Admin\AppData\Local\Temp\8719P.exe" PID 2284: Executes dropped EXE
63. "C:\Users\Admin\AppData\Local\Temp\5KJGA.exe" PID 2860: Executes dropped EXE
64. "C:\Users\Admin\AppData\Local\Temp\Z7E44.exe" PID 4560: Checks computer location settings; Executes dropped EXE
65. "C:\Users\Admin\AppData\Local\Temp\34T39.exe" PID 612: Executes dropped EXE
66. "C:\Users\Admin\AppData\Local\Temp\0QRRN.exe" PID 2140: Checks computer location settings; Executes dropped EXE
67. "C:\Users\Admin\AppData\Local\Temp\998J6.exe" PID 3992: Checks computer location settings
68. "C:\Users\Admin\AppData\Local\Temp\3WH6B.exe" PID 4284
69. "C:\Users\Admin\AppData\Local\Temp\Z7Y70.exe" PID 1272
70. "C:\Users\Admin\AppData\Local\Temp\S9KIJ.exe" PID 2756
71. "C:\Users\Admin\AppData\Local\Temp\59T29.exe" PID 1120
72. "C:\Users\Admin\AppData\Local\Temp\7Q2MY.exe" PID 1760
73. "C:\Users\Admin\AppData\Local\Temp\WG4WS.exe" PID 3240
74. "C:\Users\Admin\AppData\Local\Temp\X833S.exe" PID 2564
75. "C:\Users\Admin\AppData\Local\Temp\1WJ38.exe" PID 3320
76. "C:\Users\Admin\AppData\Local\Temp\19G0G.exe" PID 3940
77. "C:\Users\Admin\AppData\Local\Temp\WBO7G.exe" PID 3152
78. "C:\Users\Admin\AppData\Local\Temp\7158V.exe" PID 4628
79. "C:\Users\Admin\AppData\Local\Temp\M63R8.exe" PID 1912: Checks computer location settings
80. "C:\Users\Admin\AppData\Local\Temp\OM08Y.exe" PID 2736: Checks computer location settings
81. "C:\Users\Admin\AppData\Local\Temp\N9PM7.exe" PID 708
82. "C:\Users\Admin\AppData\Local\Temp\7667J.exe" PID 1780
83. "C:\Users\Admin\AppData\Local\Temp\ZG7UB.exe" PID 1320
84. "C:\Users\Admin\AppData\Local\Temp\DDR64.exe" PID 912
85. "C:\Users\Admin\AppData\Local\Temp\EJ81F.exe" PID 4820
86. "C:\Users\Admin\AppData\Local\Temp\8ERS9.exe" PID 4680
87. "C:\Users\Admin\AppData\Local\Temp\R4B0H.exe" PID 640: Checks computer location settings
88. "C:\Users\Admin\AppData\Local\Temp\0ZMH3.exe" PID 1904: Checks computer location settings
89. "C:\Users\Admin\AppData\Local\Temp\657F8.exe" PID 2604
90. "C:\Users\Admin\AppData\Local\Temp\TFP84.exe" PID 2664
91. "C:\Users\Admin\AppData\Local\Temp\WJZR6.exe" PID 3400
92. "C:\Users\Admin\AppData\Local\Temp\26001.exe" PID 3972
93. "C:\Users\Admin\AppData\Local\Temp\LIJ50.exe" PID 2464
94. "C:\Users\Admin\AppData\Local\Temp\69466.exe" PID 3752
95. "C:\Users\Admin\AppData\Local\Temp\63VXN.exe" PID 1316
96. "C:\Users\Admin\AppData\Local\Temp\72536.exe" PID 1036
97. "C:\Users\Admin\AppData\Local\Temp\BL6D8.exe" PID 1244
98. "C:\Users\Admin\AppData\Local\Temp\U20IE.exe" PID 2496
99. "C:\Users\Admin\AppData\Local\Temp\943QI.exe" PID 1204
100. "C:\Users\Admin\AppData\Local\Temp\1NLNW.exe" PID 2144
101. "C:\Users\Admin\AppData\Local\Temp\LC8UB.exe" PID 1660
102. "C:\Users\Admin\AppData\Local\Temp\7TT7A.exe" PID 3444
103. "C:\Users\Admin\AppData\Local\Temp\8C817.exe" PID 4284
104. "C:\Users\Admin\AppData\Local\Temp\E5QP7.exe" PID 1420
105. "C:\Users\Admin\AppData\Local\Temp\37HFT.exe" PID 3148
106. "C:\Users\Admin\AppData\Local\Temp\53P44.exe" PID 1936
107. "C:\Users\Admin\AppData\Local\Temp\W870G.exe" PID 4848: Checks computer location settings
108. "C:\Users\Admin\AppData\Local\Temp\SFL41.exe" PID 2024
109. "C:\Users\Admin\AppData\Local\Temp\79E1K.exe" PID 4408
110. "C:\Users\Admin\AppData\Local\Temp\90030.exe" PID 3592
111. "C:\Users\Admin\AppData\Local\Temp\6V9I5.exe" PID 3184
112. "C:\Users\Admin\AppData\Local\Temp\0D34S.exe" PID 864
113. "C:\Users\Admin\AppData\Local\Temp\WU8NQ.exe" PID 2584
114. "C:\Users\Admin\AppData\Local\Temp\8DW49.exe" PID 1464
115. "C:\Users\Admin\AppData\Local\Temp\CM7MO.exe" PID 2016
116. "C:\Users\Admin\AppData\Local\Temp\88G0E.exe" PID 1168
117. "C:\Users\Admin\AppData\Local\Temp\YK3D4.exe" PID 2396: Checks computer location settings
118. "C:\Users\Admin\AppData\Local\Temp\L2BQ2.exe" PID 216
119. "C:\Users\Admin\AppData\Local\Temp\0FM0N.exe" PID 2132
120. "C:\Users\Admin\AppData\Local\Temp\1CAK6.exe" PID 2740: Checks computer location settings
121. "C:\Users\Admin\AppData\Local\Temp\2C1R1.exe" PID 4368
122. "C:\Users\Admin\AppData\Local\Temp\TSRB5.exe" PID 2140: Checks computer location settings