Analysis
-
max time kernel
142s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17/05/2024, 17:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1095cbe1f473bd1a7dd9802d349f3710_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1095cbe1f473bd1a7dd9802d349f3710_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1095cbe1f473bd1a7dd9802d349f3710_NeikiAnalytics.exe
-
Size
80KB
-
MD5
1095cbe1f473bd1a7dd9802d349f3710
-
SHA1
04e50e19c4d3550804b2d4d01f28e5cb033c9201
-
SHA256
e2f804c46e7792500f99d96db23b72be7b83e7b243bbc3e6d5a2f82c9e3c5326
-
SHA512
a80d25d0907d72bb814a0b30f8100b514a312512cc376537028fad4b31da7724cbdf24ae6a2c4e8adc4f5b5f785b24f8ca873158ec94523978674e43b33675bd
-
SSDEEP
1536:9m8xr73jAFHLq8vDuWzr02LgS5DUHRbPa9b6i+sIk:lxr73ke8vDNNgS5DSCopsIk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gghdaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fclhpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmjmjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adhdjpjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpedeiff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pagbaglh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anclbkbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkceokii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiahnnph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpapnfhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epffbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefgbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keimof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klndfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbhgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paihlpfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbjoeojc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnhjcog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganldgib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpeaoih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acccdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmadco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicedn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfjfecno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhblllfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpbecod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afappe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eofgpikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Johnamkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbchj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeapcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poliea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnkbcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmaamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Damfao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahdob32.exe -
Executes dropped EXE 64 IoCs
pid Process 3532 Mgaokl32.exe 3644 Mjokgg32.exe 2988 Mmnhcb32.exe 4488 Meepdp32.exe 3204 Mkohaj32.exe 3640 Mnmdme32.exe 4348 Malpia32.exe 3508 Mgehfkop.exe 4128 Mnpabe32.exe 1268 Meiioonj.exe 1052 Nghekkmn.exe 3372 Njfagf32.exe 3468 Nmenca32.exe 3676 Ncofplba.exe 4804 Nlfnaicd.exe 864 Nndjndbh.exe 3888 Nabfjpak.exe 3080 Ncabfkqo.exe 1752 Nnfgcd32.exe 1036 Naecop32.exe 4224 Nhokljge.exe 1040 Njmhhefi.exe 4428 Nmlddqem.exe 1168 Neclenfo.exe 3304 Njpdnedf.exe 2184 Nmnqjp32.exe 4884 Odhifjkg.exe 3296 Oloahhki.exe 1616 Onnmdcjm.exe 4704 Omqmop32.exe 2076 Ohfami32.exe 1372 Ojdnid32.exe 1948 Onpjichj.exe 3544 Odmbaj32.exe 4188 Oldjcg32.exe 2956 Ojgjndno.exe 3756 Oaqbkn32.exe 4336 Oelolmnd.exe 4752 Olfghg32.exe 1776 Omgcpokp.exe 4064 Oeokal32.exe 2056 Olicnfco.exe 3256 Okkdic32.exe 2968 Paelfmaf.exe 1876 Phodcg32.exe 940 Pknqoc32.exe 3100 Pmlmkn32.exe 4600 Pecellgl.exe 3264 Phaahggp.exe 2256 Plmmif32.exe 3932 Poliea32.exe 5112 Pefabkej.exe 936 Pdhbmh32.exe 1152 Pkbjjbda.exe 1316 Pmaffnce.exe 4632 Pehngkcg.exe 4588 Pdkoch32.exe 2872 Plbfdekd.exe 1164 Pejkmk32.exe 1492 Pdmkhgho.exe 3552 Pldcjeia.exe 3420 Pkgcea32.exe 5132 Qaalblgi.exe 5172 Qdphngfl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nndjndbh.exe Nlfnaicd.exe File created C:\Windows\SysWOW64\Lciibdmj.dll Hoeieolb.exe File created C:\Windows\SysWOW64\Mgmqkimh.dll Bdlfjh32.exe File created C:\Windows\SysWOW64\Ejccgi32.exe Ekqckmfb.exe File opened for modification C:\Windows\SysWOW64\Fboecfii.exe Fjhmbihg.exe File created C:\Windows\SysWOW64\Qjfpkhpm.dll Ggccllai.exe File opened for modification C:\Windows\SysWOW64\Jmbhoeid.exe Jghpbk32.exe File opened for modification C:\Windows\SysWOW64\Cpljehpo.exe Cibain32.exe File created C:\Windows\SysWOW64\Celhnb32.dll Fcekfnkb.exe File created C:\Windows\SysWOW64\Qkhnbpne.dll Apodoq32.exe File opened for modification C:\Windows\SysWOW64\Bgelgi32.exe Bhblllfo.exe File created C:\Windows\SysWOW64\Cggimh32.exe Bajqda32.exe File created C:\Windows\SysWOW64\Hjmgbm32.dll Gkcigjel.exe File created C:\Windows\SysWOW64\Cdbfab32.exe Cfpffeaj.exe File created C:\Windows\SysWOW64\Egbcih32.dll Iepaaico.exe File created C:\Windows\SysWOW64\Eleqaiga.dll Mfhbga32.exe File created C:\Windows\SysWOW64\Qfgllk32.dll Ibaeen32.exe File created C:\Windows\SysWOW64\Ocgkan32.exe Oqhoeb32.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe Mmnhcb32.exe File created C:\Windows\SysWOW64\Eppjfgcp.exe Emanjldl.exe File opened for modification C:\Windows\SysWOW64\Kcbfcigf.exe Knenkbio.exe File created C:\Windows\SysWOW64\Jencdebl.dll Lflbkcll.exe File created C:\Windows\SysWOW64\Afjpan32.dll Bphqji32.exe File created C:\Windows\SysWOW64\Cpljehpo.exe Cibain32.exe File opened for modification C:\Windows\SysWOW64\Ojgjndno.exe Oldjcg32.exe File created C:\Windows\SysWOW64\Jocgnlha.dll Pkgcea32.exe File created C:\Windows\SysWOW64\Dfdpad32.exe Dbicpfdk.exe File created C:\Windows\SysWOW64\Amdcghbo.dll Jepjhg32.exe File created C:\Windows\SysWOW64\Ldjcfk32.dll Klcekpdo.exe File created C:\Windows\SysWOW64\Bpcaaeme.dll Ahmjjoig.exe File opened for modification C:\Windows\SysWOW64\Koonge32.exe Kheekkjl.exe File created C:\Windows\SysWOW64\Jhkbjd32.dll Eofgpikj.exe File created C:\Windows\SysWOW64\Kkcghg32.dll Enlcahgh.exe File created C:\Windows\SysWOW64\Pmaffnce.exe Pkbjjbda.exe File created C:\Windows\SysWOW64\Gejimf32.dll Oonlfo32.exe File created C:\Windows\SysWOW64\Ckidcpjl.exe Ccblbb32.exe File created C:\Windows\SysWOW64\Khfclo32.dll Chnbbqpn.exe File opened for modification C:\Windows\SysWOW64\Jmeede32.exe Jiiicf32.exe File created C:\Windows\SysWOW64\Ibgdlg32.exe Iiopca32.exe File created C:\Windows\SysWOW64\Dphiaffa.exe Dinael32.exe File created C:\Windows\SysWOW64\Dnbakghm.exe Dkceokii.exe File opened for modification C:\Windows\SysWOW64\Enemaimp.exe Ekgqennl.exe File created C:\Windows\SysWOW64\Cfidbo32.dll Ibhkfm32.exe File created C:\Windows\SysWOW64\Cogddd32.exe Cgqlcg32.exe File created C:\Windows\SysWOW64\Biepfnpi.dll Iiopca32.exe File created C:\Windows\SysWOW64\Dodfed32.dll Eqkondfl.exe File created C:\Windows\SysWOW64\Nmenca32.exe Njfagf32.exe File created C:\Windows\SysWOW64\Gbfnjgdn.dll Ppgegd32.exe File opened for modification C:\Windows\SysWOW64\Akkffkhk.exe Ahmjjoig.exe File opened for modification C:\Windows\SysWOW64\Dpkmal32.exe Dnmaea32.exe File opened for modification C:\Windows\SysWOW64\Aimogakj.exe Abcgjg32.exe File opened for modification C:\Windows\SysWOW64\Dnqcfjae.exe Dkbgjo32.exe File created C:\Windows\SysWOW64\Hhihhecc.dll Bnkbcj32.exe File opened for modification C:\Windows\SysWOW64\Llodgnja.exe Lgbloglj.exe File created C:\Windows\SysWOW64\Meepdp32.exe Mmnhcb32.exe File opened for modification C:\Windows\SysWOW64\Blielbfi.exe Bdbnjdfg.exe File created C:\Windows\SysWOW64\Ldklgegb.dll Fmkqpkla.exe File created C:\Windows\SysWOW64\Joahqn32.exe Ipoheakj.exe File opened for modification C:\Windows\SysWOW64\Jemfhacc.exe Jppnpjel.exe File created C:\Windows\SysWOW64\Jilpfgkh.dll Dddllkbf.exe File created C:\Windows\SysWOW64\Oonlfo32.exe Omopjcjp.exe File created C:\Windows\SysWOW64\Dheibpje.exe Dfglfdkb.exe File created C:\Windows\SysWOW64\Dndnpf32.exe Doaneiop.exe File created C:\Windows\SysWOW64\Lhenai32.exe Lakfeodm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 16028 15952 WerFault.exe 802 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Finnef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjbhmad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igajal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilphdlqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmlmkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfgipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apodoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnjocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhodk32.dll" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpdko32.dll" Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll" Dnbakghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoaojp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqbala32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccppmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll" Gejopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkklm32.dll" Gjaphgpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppgegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klndfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdlfjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkmeha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjodaqj.dll" Fmmmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll" Nfihbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgjo32.dll" Fklcgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nabfjpak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akdilipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hefnkkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll" Dckoia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll" Ekljpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkphhg32.dll" Glhimp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chqogq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbkmokh.dll" Eqiibjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdnacn32.dll" Pejkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bedgjgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbjena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afbgkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gghdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkcbcna.dll" Qfjjpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpkmal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adkgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Bnoknihb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjpda32.dll" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhhiemoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Binhnomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbkfbcpb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3484 wrote to memory of 3532 3484 1095cbe1f473bd1a7dd9802d349f3710_NeikiAnalytics.exe 91 PID 3484 wrote to memory of 3532 3484 1095cbe1f473bd1a7dd9802d349f3710_NeikiAnalytics.exe 91 PID 3484 wrote to memory of 3532 3484 1095cbe1f473bd1a7dd9802d349f3710_NeikiAnalytics.exe 91 PID 3532 wrote to memory of 3644 3532 Mgaokl32.exe 92 PID 3532 wrote to memory of 3644 3532 Mgaokl32.exe 92 PID 3532 wrote to memory of 3644 3532 Mgaokl32.exe 92 PID 3644 wrote to memory of 2988 3644 Mjokgg32.exe 93 PID 3644 wrote to memory of 2988 3644 Mjokgg32.exe 93 PID 3644 wrote to memory of 2988 3644 Mjokgg32.exe 93 PID 2988 wrote to memory of 4488 2988 Mmnhcb32.exe 94 PID 2988 wrote to memory of 4488 2988 Mmnhcb32.exe 94 PID 2988 wrote to memory of 4488 2988 Mmnhcb32.exe 94 PID 4488 wrote to memory of 3204 4488 Meepdp32.exe 95 PID 4488 wrote to memory of 3204 4488 Meepdp32.exe 95 PID 4488 wrote to memory of 3204 4488 Meepdp32.exe 95 PID 3204 wrote to memory of 3640 3204 Mkohaj32.exe 96 PID 3204 wrote to memory of 3640 3204 Mkohaj32.exe 96 PID 3204 wrote to memory of 3640 3204 Mkohaj32.exe 96 PID 3640 wrote to memory of 4348 3640 Mnmdme32.exe 97 PID 3640 wrote to memory of 4348 3640 Mnmdme32.exe 97 PID 3640 wrote to memory of 4348 3640 Mnmdme32.exe 97 PID 4348 wrote to memory of 3508 4348 Malpia32.exe 98 PID 4348 wrote to memory of 3508 4348 Malpia32.exe 98 PID 4348 wrote to memory of 3508 4348 Malpia32.exe 98 PID 3508 wrote to memory of 4128 3508 Mgehfkop.exe 99 PID 3508 wrote to memory of 4128 3508 Mgehfkop.exe 99 PID 3508 wrote to memory of 4128 3508 Mgehfkop.exe 99 PID 4128 wrote to memory of 1268 4128 Mnpabe32.exe 100 PID 4128 wrote to memory of 1268 4128 Mnpabe32.exe 100 PID 4128 wrote to memory of 1268 4128 Mnpabe32.exe 100 PID 1268 wrote to memory of 1052 1268 Meiioonj.exe 101 PID 1268 wrote to memory of 1052 1268 Meiioonj.exe 101 PID 1268 wrote to memory of 1052 1268 Meiioonj.exe 101 PID 1052 wrote to memory of 3372 1052 Nghekkmn.exe 102 PID 1052 wrote to memory of 3372 1052 Nghekkmn.exe 102 PID 1052 wrote to memory of 3372 1052 Nghekkmn.exe 102 PID 3372 wrote to memory of 3468 3372 Njfagf32.exe 103 PID 3372 wrote to memory of 3468 3372 Njfagf32.exe 103 PID 3372 wrote to memory of 3468 3372 Njfagf32.exe 103 PID 3468 wrote to memory of 3676 3468 Nmenca32.exe 104 PID 3468 wrote to memory of 3676 3468 Nmenca32.exe 104 PID 3468 wrote to memory of 3676 3468 Nmenca32.exe 104 PID 3676 wrote to memory of 4804 3676 Ncofplba.exe 105 PID 3676 wrote to memory of 4804 3676 Ncofplba.exe 105 PID 3676 wrote to memory of 4804 3676 Ncofplba.exe 105 PID 4804 wrote to memory of 864 4804 Nlfnaicd.exe 106 PID 4804 wrote to memory of 864 4804 Nlfnaicd.exe 106 PID 4804 wrote to memory of 864 4804 Nlfnaicd.exe 106 PID 864 wrote to memory of 3888 864 Nndjndbh.exe 107 PID 864 wrote to memory of 3888 864 Nndjndbh.exe 107 PID 864 wrote to memory of 3888 864 Nndjndbh.exe 107 PID 3888 wrote to memory of 3080 3888 Nabfjpak.exe 108 PID 3888 wrote to memory of 3080 3888 Nabfjpak.exe 108 PID 3888 wrote to memory of 3080 3888 Nabfjpak.exe 108 PID 3080 wrote to memory of 1752 3080 Ncabfkqo.exe 109 PID 3080 wrote to memory of 1752 3080 Ncabfkqo.exe 109 PID 3080 wrote to memory of 1752 3080 Ncabfkqo.exe 109 PID 1752 wrote to memory of 1036 1752 Nnfgcd32.exe 110 PID 1752 wrote to memory of 1036 1752 Nnfgcd32.exe 110 PID 1752 wrote to memory of 1036 1752 Nnfgcd32.exe 110 PID 1036 wrote to memory of 4224 1036 Naecop32.exe 111 PID 1036 wrote to memory of 4224 1036 Naecop32.exe 111 PID 1036 wrote to memory of 4224 1036 Naecop32.exe 111 PID 4224 wrote to memory of 1040 4224 Nhokljge.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\1095cbe1f473bd1a7dd9802d349f3710_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1095cbe1f473bd1a7dd9802d349f3710_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Nghekkmn.exeC:\Windows\system32\Nghekkmn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe23⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe24⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe25⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe26⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe27⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe28⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe29⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe30⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe31⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Ohfami32.exeC:\Windows\system32\Ohfami32.exe32⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe33⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Onpjichj.exeC:\Windows\system32\Onpjichj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Odmbaj32.exeC:\Windows\system32\Odmbaj32.exe35⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4188 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe37⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe38⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe39⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe40⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Omgcpokp.exeC:\Windows\system32\Omgcpokp.exe41⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe42⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe43⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Okkdic32.exeC:\Windows\system32\Okkdic32.exe44⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe45⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Phodcg32.exeC:\Windows\system32\Phodcg32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe47⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3100 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe49⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Phaahggp.exeC:\Windows\system32\Phaahggp.exe50⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe51⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Pefabkej.exeC:\Windows\system32\Pefabkej.exe53⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe54⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe56⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Pehngkcg.exeC:\Windows\system32\Pehngkcg.exe57⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe58⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe59⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe61⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe62⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3420 -
C:\Windows\SysWOW64\Qaalblgi.exeC:\Windows\system32\Qaalblgi.exe64⤵
- Executes dropped EXE
PID:5132 -
C:\Windows\SysWOW64\Qdphngfl.exeC:\Windows\system32\Qdphngfl.exe65⤵
- Executes dropped EXE
PID:5172 -
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe66⤵PID:5240
-
C:\Windows\SysWOW64\Qoelkp32.exeC:\Windows\system32\Qoelkp32.exe67⤵PID:5284
-
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe68⤵PID:5328
-
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe69⤵PID:5380
-
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe70⤵PID:5420
-
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe71⤵PID:5452
-
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe72⤵PID:5500
-
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe73⤵PID:5536
-
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe74⤵PID:5576
-
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe75⤵PID:5616
-
C:\Windows\SysWOW64\Aojefobm.exeC:\Windows\system32\Aojefobm.exe76⤵PID:5664
-
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe77⤵PID:5700
-
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe78⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe79⤵PID:5784
-
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe80⤵PID:5824
-
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe81⤵
- Modifies registry class
PID:5868 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5912 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5952 -
C:\Windows\SysWOW64\Adkgje32.exeC:\Windows\system32\Adkgje32.exe84⤵
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe85⤵PID:6040
-
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6084 -
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe87⤵PID:5128
-
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe88⤵PID:5208
-
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe89⤵PID:5312
-
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe90⤵PID:5460
-
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe91⤵PID:5524
-
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe92⤵PID:5588
-
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe93⤵PID:5656
-
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe94⤵
- Drops file in System32 directory
PID:5736 -
C:\Windows\SysWOW64\Blielbfi.exeC:\Windows\system32\Blielbfi.exe95⤵PID:5820
-
C:\Windows\SysWOW64\Bohbhmfm.exeC:\Windows\system32\Bohbhmfm.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5904 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5936 -
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe98⤵PID:6052
-
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe99⤵PID:6108
-
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe100⤵PID:5204
-
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe101⤵PID:5356
-
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe102⤵
- Modifies registry class
PID:5508 -
C:\Windows\SysWOW64\Bdgged32.exeC:\Windows\system32\Bdgged32.exe103⤵PID:5624
-
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe104⤵PID:5712
-
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe105⤵PID:5856
-
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe106⤵
- Modifies registry class
PID:5976 -
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe107⤵PID:6100
-
C:\Windows\SysWOW64\Bdickcpo.exeC:\Windows\system32\Bdickcpo.exe108⤵PID:5260
-
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe109⤵PID:5404
-
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe110⤵PID:5628
-
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe111⤵PID:5812
-
C:\Windows\SysWOW64\Cdlqqcnl.exeC:\Windows\system32\Cdlqqcnl.exe112⤵PID:5992
-
C:\Windows\SysWOW64\Clchbqoo.exeC:\Windows\system32\Clchbqoo.exe113⤵PID:6132
-
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe114⤵PID:5564
-
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe115⤵PID:5832
-
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe116⤵PID:5264
-
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe117⤵PID:5680
-
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe118⤵PID:5948
-
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe119⤵PID:5804
-
C:\Windows\SysWOW64\Ckjbhmad.exeC:\Windows\system32\Ckjbhmad.exe120⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe121⤵PID:6188
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-