Analysis
-
max time kernel
146s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21/05/2024, 10:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe
-
Size
320KB
-
MD5
d6c871350b1afee8a779175ee549d880
-
SHA1
ab5451ce422b786d40c10c938f0b1f519f6620a9
-
SHA256
39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20
-
SHA512
5f6b52abb463d6e0c960ca2c14dec76b493cf3234915c6a484d581e60f2f2096ec2a27d648a1349d8d1db814813728cb5aa5f8e84f234b773e2ea6e0388bef50
-
SSDEEP
3072:GAhEC05jyaJR7F86ewS/A4MK0FzJG/AMBxjUSmkCMQ/9h/NR5f0m:fhEC0ZtNleV/Ah1G/AcQ///NR5fn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkkhhmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jphkkpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhpao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcghg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhldbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmdkcnie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcegi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmaffnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iafkld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikoopij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjgfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbcfbjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eomffaag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilfennic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomjicei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acccdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfgkffn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnjdpaki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjfecno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocohmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfidb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cienon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbgeqmjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbnmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmafajfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdennml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jblmgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niojoeel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelolmnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epmmqheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgcbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblkjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlmchoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnfbcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikdkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njfkmphe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjfmkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lakfeodm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnoknihb.exe -
Executes dropped EXE 64 IoCs
pid Process 1328 Mgaokl32.exe 3864 Maiccajf.exe 1480 Mgclpkac.exe 5048 Mkohaj32.exe 2384 Mjahlgpf.exe 3668 Mmpdhboj.exe 3204 Malpia32.exe 4640 Megljppl.exe 700 Mcjmel32.exe 4064 Mgehfkop.exe 2248 Mjdebfnd.exe 4128 Mnpabe32.exe 3984 Mmbanbmg.exe 3928 Manmoq32.exe 4616 Nclikl32.exe 3468 Nghekkmn.exe 1964 Njfagf32.exe 3812 Nnbnhedj.exe 1948 Nmenca32.exe 4596 Nelfeo32.exe 4188 Ncofplba.exe 3400 Ngjbaj32.exe 3164 Njinmf32.exe 1284 Nndjndbh.exe 5072 Nmgjia32.exe 3088 Nabfjpak.exe 2808 Nenbjo32.exe 1148 Ncabfkqo.exe 2280 Nhmofj32.exe 3020 Njkkbehl.exe 1776 Nnfgcd32.exe 3752 Nmigoagp.exe 2632 Neqopnhb.exe 2884 Nccokk32.exe 4704 Nlkgmh32.exe 5040 Njmhhefi.exe 2720 Nnicid32.exe 4860 Nagpeo32.exe 3956 Neclenfo.exe 4892 Nhahaiec.exe 2876 Nlmdbh32.exe 4964 Najmjokc.exe 4144 Odhifjkg.exe 772 Ohcegi32.exe 3600 Ojbacd32.exe 1852 Onnmdcjm.exe 4756 Omqmop32.exe 4244 Oeheqm32.exe 2796 Odjeljhd.exe 220 Olanmgig.exe 3080 Ojdnid32.exe 4692 Omcjep32.exe 4440 Oanfen32.exe 5124 Oejbfmpg.exe 5164 Ohhnbhok.exe 5196 Oldjcg32.exe 5236 Ojgjndno.exe 5268 Oobfob32.exe 5308 Omegjomb.exe 5340 Oelolmnd.exe 5376 Odoogi32.exe 5416 Ohkkhhmh.exe 5448 Ojigdcll.exe 5488 Oodcdb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nmigoagp.exe Nnfgcd32.exe File created C:\Windows\SysWOW64\Jilpfgkh.dll Dddllkbf.exe File opened for modification C:\Windows\SysWOW64\Hnibokbd.exe Hlkfbocp.exe File created C:\Windows\SysWOW64\Mldjbclh.dll Hlblcn32.exe File opened for modification C:\Windows\SysWOW64\Pdmkhgho.exe Paoollik.exe File created C:\Windows\SysWOW64\Mgbefe32.exe Mokmdh32.exe File created C:\Windows\SysWOW64\Omcjep32.exe Ojdnid32.exe File created C:\Windows\SysWOW64\Bcghdkpf.dll Impliekg.exe File created C:\Windows\SysWOW64\Kpkbnj32.dll Mjjkaabc.exe File created C:\Windows\SysWOW64\Icpjna32.dll Caqpkjcl.exe File opened for modification C:\Windows\SysWOW64\Lncjlq32.exe Ljhnlb32.exe File opened for modification C:\Windows\SysWOW64\Bdbnjdfg.exe Bnhenj32.exe File created C:\Windows\SysWOW64\Ogekbb32.exe Ompfej32.exe File created C:\Windows\SysWOW64\Eqlfhjig.exe Enmjlojd.exe File created C:\Windows\SysWOW64\Ojigdcll.exe Ohkkhhmh.exe File created C:\Windows\SysWOW64\Nkbjmj32.dll Kgflcifg.exe File opened for modification C:\Windows\SysWOW64\Kjjbjd32.exe Kfnfjehl.exe File created C:\Windows\SysWOW64\Agimkk32.exe Amqhbe32.exe File created C:\Windows\SysWOW64\Qcnjijoe.exe Qiiflaoo.exe File created C:\Windows\SysWOW64\Cpacqg32.exe Cigkdmel.exe File opened for modification C:\Windows\SysWOW64\Mjdebfnd.exe Mgehfkop.exe File created C:\Windows\SysWOW64\Gnnccl32.exe Fkofga32.exe File created C:\Windows\SysWOW64\Eoideh32.exe Ekmhejao.exe File opened for modification C:\Windows\SysWOW64\Efgemb32.exe Eblimcdf.exe File created C:\Windows\SysWOW64\Galdglpd.dll Gnepna32.exe File opened for modification C:\Windows\SysWOW64\Moipoh32.exe Mmkdcm32.exe File created C:\Windows\SysWOW64\Gabfbmnl.dll Mfchlbfd.exe File created C:\Windows\SysWOW64\Bgpcliao.exe Bpfkpp32.exe File opened for modification C:\Windows\SysWOW64\Feqeog32.exe Fnfmbmbi.exe File created C:\Windows\SysWOW64\Bbhildae.exe Bpjmph32.exe File created C:\Windows\SysWOW64\Fnipgg32.dll 39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Kajefoog.dll Pjjfdfbb.exe File opened for modification C:\Windows\SysWOW64\Ffceip32.exe Fnlmhc32.exe File created C:\Windows\SysWOW64\Geohklaa.exe Gbalopbn.exe File created C:\Windows\SysWOW64\Lqhdbm32.exe Lnjgfb32.exe File created C:\Windows\SysWOW64\Ncpgam32.dll Lokdnjkg.exe File created C:\Windows\SysWOW64\Chfegk32.exe Cponen32.exe File opened for modification C:\Windows\SysWOW64\Hlmchoan.exe Hioflcbj.exe File created C:\Windows\SysWOW64\Bmbnnn32.exe Afhfaddk.exe File opened for modification C:\Windows\SysWOW64\Mmmqhl32.exe Mnjqmpgg.exe File opened for modification C:\Windows\SysWOW64\Opeiadfg.exe Ojhpimhp.exe File opened for modification C:\Windows\SysWOW64\Ppgegd32.exe Ohlqcagj.exe File created C:\Windows\SysWOW64\Kpccmhdg.exe Kiikpnmj.exe File opened for modification C:\Windows\SysWOW64\Ocnabm32.exe Ojemig32.exe File opened for modification C:\Windows\SysWOW64\Ebdcld32.exe Ekkkoj32.exe File created C:\Windows\SysWOW64\Mhldbh32.exe Mpapnfhg.exe File opened for modification C:\Windows\SysWOW64\Ojemig32.exe Oqmhqapg.exe File created C:\Windows\SysWOW64\Ikgbdnie.dll Iojbpo32.exe File opened for modification C:\Windows\SysWOW64\Doagjc32.exe Dhgonidg.exe File created C:\Windows\SysWOW64\Nmhijd32.exe Nfnamjhk.exe File opened for modification C:\Windows\SysWOW64\Dbnmke32.exe Dkceokii.exe File created C:\Windows\SysWOW64\Llcghg32.exe Lckboblp.exe File created C:\Windows\SysWOW64\Iponmakp.dll Bagmdllg.exe File created C:\Windows\SysWOW64\Ccdihbgg.exe Cpfmlghd.exe File created C:\Windows\SysWOW64\Npdopj32.dll Ioolkncg.exe File opened for modification C:\Windows\SysWOW64\Iohejo32.exe Iikmbh32.exe File opened for modification C:\Windows\SysWOW64\Pdhbmh32.exe Pajeam32.exe File created C:\Windows\SysWOW64\Gihgfk32.exe Gfjkjo32.exe File created C:\Windows\SysWOW64\Dckahb32.dll Komhll32.exe File opened for modification C:\Windows\SysWOW64\Kedlip32.exe Jllhpkfk.exe File opened for modification C:\Windows\SysWOW64\Nfnamjhk.exe Nodiqp32.exe File opened for modification C:\Windows\SysWOW64\Oacoqnci.exe Oodcdb32.exe File created C:\Windows\SysWOW64\Aafemk32.exe Qlimed32.exe File opened for modification C:\Windows\SysWOW64\Gifkpknp.exe Gejopl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13780 13704 WerFault.exe 672 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll" Mfnoqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnnccl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aplaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefphb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpjmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jongga32.dll" Gehbjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjlcjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oanfen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfjcc32.dll" Iohejo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkknmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbpjaeoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqkqhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbgeqmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll" Dcffnbee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmmmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbcih32.dll" Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajohfcpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afockelf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabmaqlh.dll" Ojigdcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfiildio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjhdagb.dll" Hblkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngkqbgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgobjmp.dll" Nmgjia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohhnbhok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll" Cpacqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phdnngdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll" Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paoinm32.dll" Fnfmbmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahokfag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbnnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnjoi32.dll" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddipic32.dll" Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iipfmggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Danihi32.dll" Qlimed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlcgfff.dll" Oobfob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jljbeali.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omjpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idllbp32.dll" Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbblcj32.dll" Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll" Ngqagcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll" Mcfbkpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmcain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eohmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafpga32.dll" Qiiflaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdolgfbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnjqmpgg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1584 wrote to memory of 1328 1584 39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe 93 PID 1584 wrote to memory of 1328 1584 39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe 93 PID 1584 wrote to memory of 1328 1584 39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe 93 PID 1328 wrote to memory of 3864 1328 Mgaokl32.exe 94 PID 1328 wrote to memory of 3864 1328 Mgaokl32.exe 94 PID 1328 wrote to memory of 3864 1328 Mgaokl32.exe 94 PID 3864 wrote to memory of 1480 3864 Maiccajf.exe 95 PID 3864 wrote to memory of 1480 3864 Maiccajf.exe 95 PID 3864 wrote to memory of 1480 3864 Maiccajf.exe 95 PID 1480 wrote to memory of 5048 1480 Mgclpkac.exe 96 PID 1480 wrote to memory of 5048 1480 Mgclpkac.exe 96 PID 1480 wrote to memory of 5048 1480 Mgclpkac.exe 96 PID 5048 wrote to memory of 2384 5048 Mkohaj32.exe 97 PID 5048 wrote to memory of 2384 5048 Mkohaj32.exe 97 PID 5048 wrote to memory of 2384 5048 Mkohaj32.exe 97 PID 2384 wrote to memory of 3668 2384 Mjahlgpf.exe 98 PID 2384 wrote to memory of 3668 2384 Mjahlgpf.exe 98 PID 2384 wrote to memory of 3668 2384 Mjahlgpf.exe 98 PID 3668 wrote to memory of 3204 3668 Mmpdhboj.exe 99 PID 3668 wrote to memory of 3204 3668 Mmpdhboj.exe 99 PID 3668 wrote to memory of 3204 3668 Mmpdhboj.exe 99 PID 3204 wrote to memory of 4640 3204 Malpia32.exe 100 PID 3204 wrote to memory of 4640 3204 Malpia32.exe 100 PID 3204 wrote to memory of 4640 3204 Malpia32.exe 100 PID 4640 wrote to memory of 700 4640 Megljppl.exe 101 PID 4640 wrote to memory of 700 4640 Megljppl.exe 101 PID 4640 wrote to memory of 700 4640 Megljppl.exe 101 PID 700 wrote to memory of 4064 700 Mcjmel32.exe 102 PID 700 wrote to memory of 4064 700 Mcjmel32.exe 102 PID 700 wrote to memory of 4064 700 Mcjmel32.exe 102 PID 4064 wrote to memory of 2248 4064 Mgehfkop.exe 103 PID 4064 wrote to memory of 2248 4064 Mgehfkop.exe 103 PID 4064 wrote to memory of 2248 4064 Mgehfkop.exe 103 PID 2248 wrote to memory of 4128 2248 Mjdebfnd.exe 104 PID 2248 wrote to memory of 4128 2248 Mjdebfnd.exe 104 PID 2248 wrote to memory of 4128 2248 Mjdebfnd.exe 104 PID 4128 wrote to memory of 3984 4128 Mnpabe32.exe 105 PID 4128 wrote to memory of 3984 4128 Mnpabe32.exe 105 PID 4128 wrote to memory of 3984 4128 Mnpabe32.exe 105 PID 3984 wrote to memory of 3928 3984 Mmbanbmg.exe 106 PID 3984 wrote to memory of 3928 3984 Mmbanbmg.exe 106 PID 3984 wrote to memory of 3928 3984 Mmbanbmg.exe 106 PID 3928 wrote to memory of 4616 3928 Manmoq32.exe 107 PID 3928 wrote to memory of 4616 3928 Manmoq32.exe 107 PID 3928 wrote to memory of 4616 3928 Manmoq32.exe 107 PID 4616 wrote to memory of 3468 4616 Nclikl32.exe 108 PID 4616 wrote to memory of 3468 4616 Nclikl32.exe 108 PID 4616 wrote to memory of 3468 4616 Nclikl32.exe 108 PID 3468 wrote to memory of 1964 3468 Nghekkmn.exe 109 PID 3468 wrote to memory of 1964 3468 Nghekkmn.exe 109 PID 3468 wrote to memory of 1964 3468 Nghekkmn.exe 109 PID 1964 wrote to memory of 3812 1964 Njfagf32.exe 110 PID 1964 wrote to memory of 3812 1964 Njfagf32.exe 110 PID 1964 wrote to memory of 3812 1964 Njfagf32.exe 110 PID 3812 wrote to memory of 1948 3812 Nnbnhedj.exe 111 PID 3812 wrote to memory of 1948 3812 Nnbnhedj.exe 111 PID 3812 wrote to memory of 1948 3812 Nnbnhedj.exe 111 PID 1948 wrote to memory of 4596 1948 Nmenca32.exe 112 PID 1948 wrote to memory of 4596 1948 Nmenca32.exe 112 PID 1948 wrote to memory of 4596 1948 Nmenca32.exe 112 PID 4596 wrote to memory of 4188 4596 Nelfeo32.exe 113 PID 4596 wrote to memory of 4188 4596 Nelfeo32.exe 113 PID 4596 wrote to memory of 4188 4596 Nelfeo32.exe 113 PID 4188 wrote to memory of 3400 4188 Ncofplba.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\39ac721f11cb6a7838b7bd307c0a98ca16e12bb30686c7d5963cd5ef13768b20_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Nghekkmn.exeC:\Windows\system32\Nghekkmn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe23⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe24⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe25⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:5072 -
C:\Windows\SysWOW64\Nabfjpak.exeC:\Windows\system32\Nabfjpak.exe27⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe28⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe29⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe30⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe31⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe33⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe34⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe35⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe36⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe37⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe38⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe39⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Nhahaiec.exeC:\Windows\system32\Nhahaiec.exe41⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe42⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe43⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe44⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Ojbacd32.exeC:\Windows\system32\Ojbacd32.exe46⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe48⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe49⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Odjeljhd.exeC:\Windows\system32\Odjeljhd.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe51⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3080 -
C:\Windows\SysWOW64\Omcjep32.exeC:\Windows\system32\Omcjep32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4692 -
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4440 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe55⤵
- Executes dropped EXE
PID:5124 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe57⤵
- Executes dropped EXE
PID:5196 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe58⤵
- Executes dropped EXE
PID:5236 -
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe60⤵
- Executes dropped EXE
PID:5308 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5340 -
C:\Windows\SysWOW64\Odoogi32.exeC:\Windows\system32\Odoogi32.exe62⤵
- Executes dropped EXE
PID:5376 -
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5416 -
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:5448 -
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe66⤵PID:5524
-
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe67⤵PID:5560
-
C:\Windows\SysWOW64\Odalmibl.exeC:\Windows\system32\Odalmibl.exe68⤵
- Modifies registry class
PID:5616 -
C:\Windows\SysWOW64\Omjpeo32.exeC:\Windows\system32\Omjpeo32.exe69⤵
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Pajeam32.exeC:\Windows\system32\Pajeam32.exe70⤵
- Drops file in System32 directory
PID:5768 -
C:\Windows\SysWOW64\Pdhbmh32.exeC:\Windows\system32\Pdhbmh32.exe71⤵PID:5800
-
C:\Windows\SysWOW64\Phdnngdn.exeC:\Windows\system32\Phdnngdn.exe72⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe73⤵PID:5872
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe74⤵PID:5912
-
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5944 -
C:\Windows\SysWOW64\Palbgl32.exeC:\Windows\system32\Palbgl32.exe76⤵PID:5984
-
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe77⤵PID:6028
-
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe78⤵
- Drops file in System32 directory
PID:6096 -
C:\Windows\SysWOW64\Pdmkhgho.exeC:\Windows\system32\Pdmkhgho.exe79⤵PID:2076
-
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe80⤵PID:5068
-
C:\Windows\SysWOW64\Qdbdcg32.exeC:\Windows\system32\Qdbdcg32.exe81⤵PID:3652
-
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe83⤵
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Addaif32.exeC:\Windows\system32\Addaif32.exe84⤵PID:5148
-
C:\Windows\SysWOW64\Adfnofpd.exeC:\Windows\system32\Adfnofpd.exe85⤵PID:5228
-
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5300 -
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe87⤵PID:2440
-
C:\Windows\SysWOW64\Ahdged32.exeC:\Windows\system32\Ahdged32.exe88⤵PID:5404
-
C:\Windows\SysWOW64\Aonoao32.exeC:\Windows\system32\Aonoao32.exe89⤵PID:5444
-
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe90⤵PID:5496
-
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe91⤵PID:5624
-
C:\Windows\SysWOW64\Aekddhcb.exeC:\Windows\system32\Aekddhcb.exe92⤵PID:5628
-
C:\Windows\SysWOW64\Adndoe32.exeC:\Windows\system32\Adndoe32.exe93⤵PID:5788
-
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5668 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe95⤵PID:5692
-
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe96⤵PID:5972
-
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6004 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe98⤵
- Drops file in System32 directory
PID:388 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe99⤵PID:6048
-
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe100⤵PID:3460
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe101⤵PID:3952
-
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe102⤵PID:2176
-
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe103⤵PID:1040
-
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe104⤵PID:5280
-
C:\Windows\SysWOW64\Bojomm32.exeC:\Windows\system32\Bojomm32.exe105⤵PID:5400
-
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe107⤵PID:5708
-
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5656 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5956 -
C:\Windows\SysWOW64\Ckclhn32.exeC:\Windows\system32\Ckclhn32.exe110⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe111⤵PID:6060
-
C:\Windows\SysWOW64\Cfipef32.exeC:\Windows\system32\Cfipef32.exe112⤵PID:2320
-
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe113⤵PID:5172
-
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe114⤵PID:5568
-
C:\Windows\SysWOW64\Cbpajgmf.exeC:\Windows\system32\Cbpajgmf.exe115⤵PID:5336
-
C:\Windows\SysWOW64\Cleegp32.exeC:\Windows\system32\Cleegp32.exe116⤵PID:5856
-
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe117⤵PID:5776
-
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe118⤵PID:5896
-
C:\Windows\SysWOW64\Chlflabp.exeC:\Windows\system32\Chlflabp.exe119⤵PID:4896
-
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe120⤵PID:2908
-
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe121⤵PID:5316
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-