Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
02/06/2024, 01:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1f6c13f274f28d108dbb598da4965b00_NeikiAnalytics.exe
Resource
win7-20240221-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1f6c13f274f28d108dbb598da4965b00_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
6 signatures
150 seconds
General
-
Target
1f6c13f274f28d108dbb598da4965b00_NeikiAnalytics.exe
-
Size
55KB
-
MD5
1f6c13f274f28d108dbb598da4965b00
-
SHA1
61a492c9b912abfe4e66c40b8ebb4b63e3bb3526
-
SHA256
0708e4ca6fb9b0462a7da004d3f63cee72c04f9a89cfe1834ed20ed609ed6849
-
SHA512
10a9b57f3bf7b912191f9056da0cdea9a608a3a20d400318415597afb48791a3d0da3312830c05f65f5b2d752d9926af1ad2b525a3ee9852c265ef1a3cea8a5c
-
SSDEEP
1536:FhXPXUuWstdORLwLnjJKNcroRSwidCYt6Z2LB:TXPXcOd0MLjoTSwidC9SB
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlipfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdlhoefk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajphagha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmknkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhhdnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biedhclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qecgcfmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjjqhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgcmbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egiohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnkkij32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnbhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlbij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqlbqlmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobciblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieeihomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbijinfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjikoip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldoadabi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlhpaji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chebcmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfccogfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpdogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glpdjpbj.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidamcgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjcfeola.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okcccdkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mibpng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nneboemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckpamabg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geabbfoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okcccdkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjoljqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmgfmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjhpqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdjjo32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcoqdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpfqiha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccipelcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjbdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhman32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hghfnioq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igghilhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idjdqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ficgkico.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonjnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfhdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mddkbbfg.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agpqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhpjbgne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnlkllcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffggdmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llkjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lopkkdgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Femigg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oecego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbeaba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkdgqbag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoldl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcogo32.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeamcmmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmokpglb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjhpqn32.exe -
Executes dropped EXE 64 IoCs
pid Process 4260 Lojmcdgl.exe 3960 Momcpa32.exe 4164 Nhhdnf32.exe 3800 Nqaiecjd.exe 116 Nmhijd32.exe 2940 Nmjfodne.exe 1580 Ojqcnhkl.exe 1380 Oonlfo32.exe 1636 Opbean32.exe 548 Padnaq32.exe 4624 Pfccogfc.exe 2040 Qcnjijoe.exe 2808 Amikgpcc.exe 4060 Bigbmpco.exe 4432 Bdocph32.exe 2656 Bfolacnc.exe 1712 Bmladm32.exe 3076 Ckpamabg.exe 1120 Cmbgdl32.exe 2172 Cmgqpkip.exe 2164 Daollh32.exe 3892 Enhifi32.exe 4356 Enlcahgh.exe 3256 Fclhpo32.exe 876 Gkoplk32.exe 5060 Gclafmej.exe 3132 Gjkbnfha.exe 1968 Hgcmbj32.exe 1988 Hghfnioq.exe 4184 Ilhkigcd.exe 1600 Ijmhkchl.exe 1652 Inkaqb32.exe 3556 Jaljbmkd.exe 3660 Jhhodg32.exe 3624 Jjihfbno.exe 1160 Kahinkaf.exe 3636 Kongmo32.exe 3608 Klbgfc32.exe 2584 Khihld32.exe 4008 Leoejh32.exe 2092 Llimgb32.exe 2800 Llkjmb32.exe 4380 Lehhqg32.exe 3532 Mekdffee.exe 3248 Mdpagc32.exe 2252 Mdbnmbhj.exe 4072 Mddkbbfg.exe 2248 Mahklf32.exe 3540 Nakhaf32.exe 4588 Ncjdki32.exe 1684 Napameoi.exe 2536 Nocbfjmc.exe 3528 Nlgbon32.exe 1136 Ookhfigk.exe 1748 Pmhkflnj.exe 2376 Pokanf32.exe 4760 Qpbgnecp.exe 4048 Apgqie32.exe 220 Ammnhilb.exe 2812 Bclppboi.exe 4924 Bedbhi32.exe 4400 Cpnpqakp.exe 1864 Clgmkbna.exe 4544 Ddcogo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qnfkgfdp.exe Pcagjndj.exe File created C:\Windows\SysWOW64\Bfolacnc.exe Bdocph32.exe File created C:\Windows\SysWOW64\Loifpp32.dll Ohmepbki.exe File created C:\Windows\SysWOW64\Mbiapehp.dll Ieiajckh.exe File created C:\Windows\SysWOW64\Hoocbakd.dll Knkokl32.exe File created C:\Windows\SysWOW64\Jkgmmjgh.dll Iaahjmkn.exe File opened for modification C:\Windows\SysWOW64\Pkoldl32.exe Pqihgcma.exe File created C:\Windows\SysWOW64\Clomaf32.dll Ognpoheh.exe File created C:\Windows\SysWOW64\Fpkokb32.dll Pcijoh32.exe File opened for modification C:\Windows\SysWOW64\Mjafoapj.exe Lplaaiqd.exe File created C:\Windows\SysWOW64\Ibgfkq32.dll Lcdjba32.exe File opened for modification C:\Windows\SysWOW64\Mmlhpaji.exe Lbgcch32.exe File created C:\Windows\SysWOW64\Enfcjb32.exe Emfgpo32.exe File created C:\Windows\SysWOW64\Hoggdelo.dll Cgbppknb.exe File opened for modification C:\Windows\SysWOW64\Hdlhoefk.exe Hfhgfaha.exe File created C:\Windows\SysWOW64\Dccbln32.exe Deoabj32.exe File opened for modification C:\Windows\SysWOW64\Mmlphfed.exe Mcfkkmeo.exe File opened for modification C:\Windows\SysWOW64\Ijhhenhf.exe Idkpmgjo.exe File created C:\Windows\SysWOW64\Oahgnh32.exe Ogbbqo32.exe File created C:\Windows\SysWOW64\Dppgmlhk.dll Bbbkbbkg.exe File created C:\Windows\SysWOW64\Pojhjc32.dll Okcmingd.exe File opened for modification C:\Windows\SysWOW64\Jfcbcp32.exe Jmknkk32.exe File created C:\Windows\SysWOW64\Lmkfah32.exe Kpgfhddn.exe File created C:\Windows\SysWOW64\Mpdnileh.dll Liimgh32.exe File created C:\Windows\SysWOW64\Dpdogj32.exe Chkjpm32.exe File created C:\Windows\SysWOW64\Bhbahm32.exe Abflfc32.exe File created C:\Windows\SysWOW64\Fkjhae32.dll Qdfefkll.exe File created C:\Windows\SysWOW64\Palkgi32.exe Pgdgodhj.exe File opened for modification C:\Windows\SysWOW64\Jlblcdpf.exe Jlponebi.exe File opened for modification C:\Windows\SysWOW64\Eleikb32.exe Eaoenjqa.exe File created C:\Windows\SysWOW64\Hmmakk32.exe Hjlhipbc.exe 
File created C:\Windows\SysWOW64\Jfkhfmdm.exe Iaifbg32.exe File created C:\Windows\SysWOW64\Hbacoioc.dll Mmokpglb.exe File created C:\Windows\SysWOW64\Einnfgmg.dll Gonilenb.exe File opened for modification C:\Windows\SysWOW64\Dnhncjom.exe Dqdnjfpc.exe File opened for modification C:\Windows\SysWOW64\Hppedpkf.exe Hbldkllm.exe File created C:\Windows\SysWOW64\Llimgb32.exe Leoejh32.exe File created C:\Windows\SysWOW64\Aaeenh32.dll Iaifbg32.exe File created C:\Windows\SysWOW64\Qigefl32.dll Efgono32.exe File created C:\Windows\SysWOW64\Bekfcj32.dll Aejfjocb.exe File created C:\Windows\SysWOW64\Omeqfhai.dll Pqhammje.exe File created C:\Windows\SysWOW64\Iocchhof.exe Ijgjpaao.exe File opened for modification C:\Windows\SysWOW64\Lpdefc32.exe Lbqdmodg.exe File created C:\Windows\SysWOW64\Doikfb32.dll Mbkmngfn.exe File created C:\Windows\SysWOW64\Fcckcl32.exe Fadoii32.exe File created C:\Windows\SysWOW64\Lfbgmj32.exe Kmncif32.exe File created C:\Windows\SysWOW64\Bhgeao32.exe Booaii32.exe File opened for modification C:\Windows\SysWOW64\Damflb32.exe Chebcmna.exe File created C:\Windows\SysWOW64\Bejoqm32.exe Bhfogiff.exe File opened for modification C:\Windows\SysWOW64\Dlnlak32.exe Dpdogj32.exe File created C:\Windows\SysWOW64\Jfokff32.exe Jikjmbmb.exe File opened for modification C:\Windows\SysWOW64\Pfmdgq32.exe Pemhmn32.exe File opened for modification C:\Windows\SysWOW64\Eddodfhp.exe Dccbln32.exe File opened for modification C:\Windows\SysWOW64\Ahjoljqc.exe Anbkbe32.exe File created C:\Windows\SysWOW64\Dhfhohgp.dll Kongmo32.exe File opened for modification C:\Windows\SysWOW64\Nblfee32.exe Nlbnhkqo.exe File created C:\Windows\SysWOW64\Kodeje32.dll Onjmjegg.exe File opened for modification C:\Windows\SysWOW64\Knldfe32.exe Koggehff.exe File created C:\Windows\SysWOW64\Djgcci32.dll Iobecl32.exe File opened for modification C:\Windows\SysWOW64\Jfdinf32.exe Jiphebml.exe File created C:\Windows\SysWOW64\Odhman32.exe Nciahk32.exe File opened for modification 
C:\Windows\SysWOW64\Bngfli32.exe Bflagg32.exe File opened for modification C:\Windows\SysWOW64\Klgend32.exe Kkhidaeo.exe File created C:\Windows\SysWOW64\Aepmjk32.exe Aofemaog.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8532 9208 WerFault.exe 840 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaimko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckidoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiobbgcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgbppknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klgend32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmjfodne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmdhnhkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmdggnj.dll" Oinbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkpmcddi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilpfgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoehnm.dll" Ilpfgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbqbo32.dll" Bejoqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ 
= "C:\\Windows\\SysWow64\\Bobeniph.dll" Kcehejic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaehfp32.dll" Limpiomm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aekdolkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pojhjc32.dll" Okcmingd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkokb32.dll" Pcijoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faopah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gegilj32.dll" Omhpcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofhcdlgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgagnd32.dll" Ijgjpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empboc32.dll" Jlblcdpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnhdbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll" Enlcahgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elhfbp32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfgjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbgmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlogfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajbli32.dll" Engaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoamp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjkbnfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbphca32.dll" Pokanf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojlnphpd.dll" Faopah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnfnab32.dll" Lmkbeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdkniha.dll" Ccigpbga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niohap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neebkkgi.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhhdnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbaonna.dll" Pgllad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqfmlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbeobhlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofalfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcnhmeg.dll" Fmmffhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipckqnja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegjdgdl.dll" Ifdgaond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgqfhq32.dll" Oqmhlego.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbmicga.dll" Jimeelkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amikgpcc.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgjmkqke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplcocfn.dll" Mmlphfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbobjbh.dll" Gjkbnfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibillh32.dll" Mmlhpaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghdaokfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmlbdad.dll" Bgafin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppdbfpaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpdqlgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phlikg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcjimnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhlkj32.dll" Abpcicpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngbpbjoe.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmmakk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohmepbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iocchhof.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 4260 3016 1f6c13f274f28d108dbb598da4965b00_NeikiAnalytics.exe 94 PID 3016 wrote to memory of 4260 3016 1f6c13f274f28d108dbb598da4965b00_NeikiAnalytics.exe 94 PID 3016 wrote to memory of 4260 3016 1f6c13f274f28d108dbb598da4965b00_NeikiAnalytics.exe 94 PID 4260 wrote to memory of 3960 4260 Lojmcdgl.exe 95 PID 4260 wrote to memory of 3960 4260 Lojmcdgl.exe 95 PID 4260 wrote to memory of 3960 4260 Lojmcdgl.exe 95 PID 3960 wrote to memory of 4164 3960 Momcpa32.exe 96 PID 3960 wrote to memory of 4164 3960 Momcpa32.exe 96 PID 3960 wrote to memory of 4164 3960 Momcpa32.exe 96 PID 4164 wrote to memory of 3800 4164 Nhhdnf32.exe 97 PID 4164 wrote to memory of 3800 4164 Nhhdnf32.exe 97 PID 4164 wrote to memory of 3800 4164 Nhhdnf32.exe 97 PID 3800 wrote to memory of 116 3800 Nqaiecjd.exe 98 PID 3800 wrote to memory of 116 3800 Nqaiecjd.exe 98 PID 3800 wrote to memory of 116 3800 Nqaiecjd.exe 98 PID 116 wrote to memory of 2940 116 Nmhijd32.exe 99 PID 116 wrote to memory of 2940 116 Nmhijd32.exe 99 PID 116 wrote to memory of 2940 116 Nmhijd32.exe 99 PID 2940 wrote to memory of 1580 2940 Nmjfodne.exe 100 PID 2940 wrote to memory of 1580 2940 Nmjfodne.exe 100 PID 2940 wrote to memory of 1580 2940 Nmjfodne.exe 100 PID 1580 wrote to memory of 1380 1580 Ojqcnhkl.exe 101 PID 1580 wrote to memory of 1380 1580 Ojqcnhkl.exe 101 PID 1580 wrote to memory of 1380 1580 Ojqcnhkl.exe 101 PID 1380 wrote to memory of 1636 1380 Oonlfo32.exe 102 PID 1380 wrote to memory of 1636 1380 Oonlfo32.exe 102 PID 1380 wrote to memory of 1636 1380 Oonlfo32.exe 102 PID 1636 wrote to memory of 548 1636 Opbean32.exe 103 PID 1636 wrote to memory of 548 1636 Opbean32.exe 103 PID 1636 wrote to memory of 548 1636 Opbean32.exe 103 PID 548 wrote to memory of 4624 548 Padnaq32.exe 104 PID 548 wrote to memory of 4624 548 Padnaq32.exe 104 PID 548 wrote to memory of 4624 548 Padnaq32.exe 104 PID 4624 wrote to memory of 2040 4624 Pfccogfc.exe 105 PID 4624 
wrote to memory of 2040 4624 Pfccogfc.exe 105 PID 4624 wrote to memory of 2040 4624 Pfccogfc.exe 105 PID 2040 wrote to memory of 2808 2040 Qcnjijoe.exe 106 PID 2040 wrote to memory of 2808 2040 Qcnjijoe.exe 106 PID 2040 wrote to memory of 2808 2040 Qcnjijoe.exe 106 PID 2808 wrote to memory of 4060 2808 Amikgpcc.exe 107 PID 2808 wrote to memory of 4060 2808 Amikgpcc.exe 107 PID 2808 wrote to memory of 4060 2808 Amikgpcc.exe 107 PID 4060 wrote to memory of 4432 4060 Bigbmpco.exe 108 PID 4060 wrote to memory of 4432 4060 Bigbmpco.exe 108 PID 4060 wrote to memory of 4432 4060 Bigbmpco.exe 108 PID 4432 wrote to memory of 2656 4432 Bdocph32.exe 109 PID 4432 wrote to memory of 2656 4432 Bdocph32.exe 109 PID 4432 wrote to memory of 2656 4432 Bdocph32.exe 109 PID 2656 wrote to memory of 1712 2656 Bfolacnc.exe 110 PID 2656 wrote to memory of 1712 2656 Bfolacnc.exe 110 PID 2656 wrote to memory of 1712 2656 Bfolacnc.exe 110 PID 1712 wrote to memory of 3076 1712 Bmladm32.exe 111 PID 1712 wrote to memory of 3076 1712 Bmladm32.exe 111 PID 1712 wrote to memory of 3076 1712 Bmladm32.exe 111 PID 3076 wrote to memory of 1120 3076 Ckpamabg.exe 112 PID 3076 wrote to memory of 1120 3076 Ckpamabg.exe 112 PID 3076 wrote to memory of 1120 3076 Ckpamabg.exe 112 PID 1120 wrote to memory of 2172 1120 Cmbgdl32.exe 113 PID 1120 wrote to memory of 2172 1120 Cmbgdl32.exe 113 PID 1120 wrote to memory of 2172 1120 Cmbgdl32.exe 113 PID 2172 wrote to memory of 2164 2172 Cmgqpkip.exe 114 PID 2172 wrote to memory of 2164 2172 Cmgqpkip.exe 114 PID 2172 wrote to memory of 2164 2172 Cmgqpkip.exe 114 PID 2164 wrote to memory of 3892 2164 Daollh32.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f6c13f274f28d108dbb598da4965b00_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\1f6c13f274f28d108dbb598da4965b00_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Lojmcdgl.exe C:\Windows\system32\Lojmcdgl.exe 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Momcpa32.exe C:\Windows\system32\Momcpa32.exe 3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Nhhdnf32.exe C:\Windows\system32\Nhhdnf32.exe 4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Nqaiecjd.exe C:\Windows\system32\Nqaiecjd.exe 5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Nmhijd32.exe C:\Windows\system32\Nmhijd32.exe 6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Nmjfodne.exe C:\Windows\system32\Nmjfodne.exe 7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Ojqcnhkl.exe C:\Windows\system32\Ojqcnhkl.exe 8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Oonlfo32.exeC:\Windows\system32\Oonlfo32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Opbean32.exeC:\Windows\system32\Opbean32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Padnaq32.exeC:\Windows\system32\Padnaq32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Amikgpcc.exeC:\Windows\system32\Amikgpcc.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Bigbmpco.exeC:\Windows\system32\Bigbmpco.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Bdocph32.exeC:\Windows\system32\Bdocph32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Bfolacnc.exeC:\Windows\system32\Bfolacnc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Bmladm32.exeC:\Windows\system32\Bmladm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Ckpamabg.exeC:\Windows\system32\Ckpamabg.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Cmbgdl32.exeC:\Windows\system32\Cmbgdl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Enhifi32.exeC:\Windows\system32\Enhifi32.exe23⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Fclhpo32.exeC:\Windows\system32\Fclhpo32.exe25⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe26⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Gclafmej.exeC:\Windows\system32\Gclafmej.exe27⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Gjkbnfha.exeC:\Windows\system32\Gjkbnfha.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3132 -
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Ilhkigcd.exeC:\Windows\system32\Ilhkigcd.exe31⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Ijmhkchl.exeC:\Windows\system32\Ijmhkchl.exe32⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe33⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Jaljbmkd.exeC:\Windows\system32\Jaljbmkd.exe34⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Jhhodg32.exeC:\Windows\system32\Jhhodg32.exe35⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe36⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Kahinkaf.exeC:\Windows\system32\Kahinkaf.exe37⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Kongmo32.exeC:\Windows\system32\Kongmo32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3636 -
C:\Windows\SysWOW64\Klbgfc32.exeC:\Windows\system32\Klbgfc32.exe39⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe40⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Leoejh32.exeC:\Windows\system32\Leoejh32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4008 -
C:\Windows\SysWOW64\Llimgb32.exeC:\Windows\system32\Llimgb32.exe42⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Lehhqg32.exeC:\Windows\system32\Lehhqg32.exe44⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Mekdffee.exeC:\Windows\system32\Mekdffee.exe45⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe46⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe47⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Mddkbbfg.exeC:\Windows\system32\Mddkbbfg.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe49⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Nakhaf32.exeC:\Windows\system32\Nakhaf32.exe50⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Ncjdki32.exeC:\Windows\system32\Ncjdki32.exe51⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe52⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Nocbfjmc.exeC:\Windows\system32\Nocbfjmc.exe53⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe54⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Ookhfigk.exeC:\Windows\system32\Ookhfigk.exe55⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe56⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe58⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe59⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe60⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe61⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Bedbhi32.exeC:\Windows\system32\Bedbhi32.exe62⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe63⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe64⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Dpoiho32.exeC:\Windows\system32\Dpoiho32.exe66⤵PID:1096
-
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe67⤵
- Modifies registry class
PID:3448 -
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe68⤵PID:4412
-
C:\Windows\SysWOW64\Eibmlc32.exeC:\Windows\system32\Eibmlc32.exe69⤵PID:2720
-
C:\Windows\SysWOW64\Fjeibc32.exeC:\Windows\system32\Fjeibc32.exe70⤵PID:4808
-
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe71⤵PID:4016
-
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe72⤵PID:4208
-
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe73⤵PID:5132
-
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe74⤵PID:5180
-
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe75⤵PID:5232
-
C:\Windows\SysWOW64\Gqagkjne.exeC:\Windows\system32\Gqagkjne.exe76⤵PID:5276
-
C:\Windows\SysWOW64\Hfnpca32.exeC:\Windows\system32\Hfnpca32.exe77⤵PID:5316
-
C:\Windows\SysWOW64\Hjlhipbc.exeC:\Windows\system32\Hjlhipbc.exe78⤵
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Hmmakk32.exeC:\Windows\system32\Hmmakk32.exe79⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Hqkjaifk.exeC:\Windows\system32\Hqkjaifk.exe80⤵PID:5440
-
C:\Windows\SysWOW64\Idkpmgjo.exeC:\Windows\system32\Idkpmgjo.exe81⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe82⤵PID:5552
-
C:\Windows\SysWOW64\Ijmapm32.exeC:\Windows\system32\Ijmapm32.exe83⤵PID:5600
-
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe84⤵
- Drops file in System32 directory
PID:5648 -
C:\Windows\SysWOW64\Jfkhfmdm.exeC:\Windows\system32\Jfkhfmdm.exe85⤵PID:5688
-
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe86⤵PID:5728
-
C:\Windows\SysWOW64\Jmijnfgd.exeC:\Windows\system32\Jmijnfgd.exe87⤵PID:5772
-
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe88⤵PID:5812
-
C:\Windows\SysWOW64\Kmncif32.exeC:\Windows\system32\Kmncif32.exe89⤵
- Drops file in System32 directory
PID:5856 -
C:\Windows\SysWOW64\Lfbgmj32.exeC:\Windows\system32\Lfbgmj32.exe90⤵
- Modifies registry class
PID:5932 -
C:\Windows\SysWOW64\Leedqa32.exeC:\Windows\system32\Leedqa32.exe91⤵PID:5988
-
C:\Windows\SysWOW64\Mkdiog32.exeC:\Windows\system32\Mkdiog32.exe92⤵PID:6032
-
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe93⤵PID:6076
-
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe94⤵PID:6140
-
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe95⤵PID:5176
-
C:\Windows\SysWOW64\Oeamcmmo.exeC:\Windows\system32\Oeamcmmo.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5244 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe97⤵PID:5364
-
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe98⤵PID:5428
-
C:\Windows\SysWOW64\Ofhcdlgg.exeC:\Windows\system32\Ofhcdlgg.exe99⤵
- Modifies registry class
PID:5152 -
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe100⤵PID:5576
-
C:\Windows\SysWOW64\Pgllad32.exeC:\Windows\system32\Pgllad32.exe101⤵
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Phlikg32.exeC:\Windows\system32\Phlikg32.exe102⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Pbifol32.exeC:\Windows\system32\Pbifol32.exe103⤵PID:5804
-
C:\Windows\SysWOW64\Anijjkbj.exeC:\Windows\system32\Anijjkbj.exe104⤵PID:5840
-
C:\Windows\SysWOW64\Akmjdpac.exeC:\Windows\system32\Akmjdpac.exe105⤵PID:5944
-
C:\Windows\SysWOW64\Aeeomegd.exeC:\Windows\system32\Aeeomegd.exe106⤵PID:5852
-
C:\Windows\SysWOW64\Abipfifn.exeC:\Windows\system32\Abipfifn.exe107⤵PID:6104
-
C:\Windows\SysWOW64\Biedhclh.exeC:\Windows\system32\Biedhclh.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172 -
C:\Windows\SysWOW64\Bnbmqjjo.exeC:\Windows\system32\Bnbmqjjo.exe109⤵PID:5304
-
C:\Windows\SysWOW64\Bflagg32.exeC:\Windows\system32\Bflagg32.exe110⤵
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe111⤵PID:5536
-
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe112⤵PID:5660
-
C:\Windows\SysWOW64\Blkgen32.exeC:\Windows\system32\Blkgen32.exe113⤵PID:5764
-
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe114⤵
- Modifies registry class
PID:5880 -
C:\Windows\SysWOW64\Clmckmcq.exeC:\Windows\system32\Clmckmcq.exe115⤵PID:6108
-
C:\Windows\SysWOW64\Cpmifkgd.exeC:\Windows\system32\Cpmifkgd.exe116⤵PID:5340
-
C:\Windows\SysWOW64\Chkjpm32.exeC:\Windows\system32\Chkjpm32.exe117⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Dpdogj32.exeC:\Windows\system32\Dpdogj32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5720 -
C:\Windows\SysWOW64\Dlnlak32.exeC:\Windows\system32\Dlnlak32.exe119⤵PID:316
-
C:\Windows\SysWOW64\Dfemdcba.exeC:\Windows\system32\Dfemdcba.exe120⤵PID:5140
-
C:\Windows\SysWOW64\Eimlgnij.exeC:\Windows\system32\Eimlgnij.exe121⤵PID:5452
-
C:\Windows\SysWOW64\Fefjanml.exeC:\Windows\system32\Fefjanml.exe122⤵PID:5904