Analysis
-
max time kernel
155s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 23:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2_NeikiAnalytics.exe
-
Size
82KB
-
MD5
a39b91ca69fa52a9215233acc92849b0
-
SHA1
899392cfe1356f5226c8ca4c5e7e41a60d82d83e
-
SHA256
3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2
-
SHA512
05fe2889cefc85afa721ce8880004488826b9c7828f9fd83e189bac7e93e8a2dc8b30ced1862d3af3c77253778281b3f9d3bbbb641c0df6f0fe6431d6eeee279
-
SSDEEP
1536:343PlYw4uXrpItmakF0vbCHwJHRNfCGe9To2L7lpm6+wDSmQFN6TiN1sJtvQu:343PlCwF0kFSblTNfCH9VBpm6tm7N6TT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmlkpgia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfkpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpqjmpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkiha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgopbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageofe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmbofdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Algiaepd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibojgikg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdcjfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgcjpdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcbhgii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpdgjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkijbooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfookmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmiffhkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbpnjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmdkmnkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpehikja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplkig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olndnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggldde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Damflb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamkgpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bojogb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daolgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmpck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekqgnno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnoalehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmpnppap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmiffhkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecccmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eocegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Molefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnojad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coldbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khiopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhpepoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmdhnhkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompmie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coldbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cigkdmel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghjfaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nleojlbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdodekhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjgjefj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpfqiha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcglfjgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqnbea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaoenjqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elncjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkeajn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jggjpgmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beglqgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cckkmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnfppqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgkoolil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfgboc32.exe -
Executes dropped EXE 64 IoCs
pid Process 4068 Mgeakekd.exe 4620 Ncqlkemc.exe 4576 Oanokhdb.exe 1000 Oabhfg32.exe 2020 Pccahbmn.exe 2540 Pdjgha32.exe 4988 Aknbkjfh.exe 3228 Bajqda32.exe 3800 Ckebcg32.exe 1384 Dojqjdbl.exe 3656 Ddkbmj32.exe 1620 Enpfan32.exe 1980 Fbdehlip.exe 4332 Fgcjfbed.exe 2444 Gacepg32.exe 688 Hlkfbocp.exe 1588 Hicpgc32.exe 376 Ieagmcmq.exe 1676 Ibgdlg32.exe 3264 Khgbqkhj.exe 4616 Llnnmhfe.exe 448 Ljdkll32.exe 1140 Mlhqcgnk.exe 3936 Nckkfp32.exe 1156 Objkmkjj.exe 4752 Omdieb32.exe 2600 Pbjddh32.exe 628 Aabkbono.exe 1448 Apjdikqd.exe 3476 Ajdbac32.exe 464 Bfkbfd32.exe 3780 Bphqji32.exe 3400 Ckpamabg.exe 4160 Ckbncapd.exe 3320 Cigkdmel.exe 2496 Cpcpfg32.exe 1700 Daeifj32.exe 3672 Dpmcmf32.exe 4928 Dcphdqmj.exe 3768 Eqkondfl.exe 1232 Fbaahf32.exe 4308 Fbfkceca.exe 1828 Gbkdod32.exe 4276 Gqbneq32.exe 5036 Hccggl32.exe 2772 Hjolie32.exe 4900 Hcjmhk32.exe 4612 Ielfgmnj.exe 1604 Igmoih32.exe 2996 Iecmhlhb.exe 3636 Ihceigec.exe 1268 Jnpjlajn.exe 2248 Khdoqefq.exe 216 Kdmlkfjb.exe 1984 Laffpi32.exe 3444 Lajokiaa.exe 1728 Mcoepkdo.exe 4416 Mahklf32.exe 1096 Ncmaai32.exe 4256 Nfnjbdep.exe 2004 Odedipge.exe 1720 Obkahddl.exe 1292 Pmeoqlpl.exe 1344 Pecpknke.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fgcjfbed.exe Fbdehlip.exe File opened for modification C:\Windows\SysWOW64\Enfcjb32.exe Ecpomiok.exe File created C:\Windows\SysWOW64\Bhaeli32.exe Bbemdb32.exe File created C:\Windows\SysWOW64\Jfpmglkb.dll Jekqgnno.exe File created C:\Windows\SysWOW64\Algiaepd.exe Abodhpic.exe File created C:\Windows\SysWOW64\Gmdknbko.dll Doageg32.exe File created C:\Windows\SysWOW64\Dhdkig32.exe Cajblmci.exe File created C:\Windows\SysWOW64\Bgkmid32.dll Kgbjlf32.exe File created C:\Windows\SysWOW64\Nancfp32.dll Gnmbao32.exe File created C:\Windows\SysWOW64\Gpfjfg32.exe Ggnenagl.exe File opened for modification C:\Windows\SysWOW64\Kengqo32.exe Kjhccf32.exe File created C:\Windows\SysWOW64\Mgamci32.dll Bfmoei32.exe File created C:\Windows\SysWOW64\Nbekbimh.dll Emaemefo.exe File created C:\Windows\SysWOW64\Fgeibicb.exe Faakickc.exe File created C:\Windows\SysWOW64\Bpkjdnbj.dll Jjfngi32.exe File created C:\Windows\SysWOW64\Hanppc32.dll Jqbbicel.exe File opened for modification C:\Windows\SysWOW64\Nqjbnjfi.exe Nfenpafc.exe File opened for modification C:\Windows\SysWOW64\Mdibplaf.exe Mohplf32.exe File created C:\Windows\SysWOW64\Ljdbjpnm.dll Loeoei32.exe File created C:\Windows\SysWOW64\Ihpgda32.exe Iaaflh32.exe File opened for modification C:\Windows\SysWOW64\Bojogb32.exe Aamkgpbi.exe File opened for modification C:\Windows\SysWOW64\Ejgddq32.exe Edklljnp.exe File created C:\Windows\SysWOW64\Nongfjdn.dll Fcbehbim.exe File opened for modification C:\Windows\SysWOW64\Qjmllgjd.exe Qepccqlm.exe File opened for modification C:\Windows\SysWOW64\Kpncbemh.exe Jfeoip32.exe File opened for modification C:\Windows\SysWOW64\Kpgfhddn.exe Kpeibdfp.exe File created C:\Windows\SysWOW64\Iphcjffo.dll Lagekp32.exe File created C:\Windows\SysWOW64\Pmfedhie.exe Ockdfceh.exe File created C:\Windows\SysWOW64\Aknbkjfh.exe Pdjgha32.exe File created C:\Windows\SysWOW64\Gjqojf32.dll Njahki32.exe File created C:\Windows\SysWOW64\Kilhqq32.exe Kpccgk32.exe File created C:\Windows\SysWOW64\Eplnijdj.exe Ejofacfb.exe File created C:\Windows\SysWOW64\Hkbmjhdo.exe Hckeikcl.exe File created C:\Windows\SysWOW64\Jdodekhg.exe Jncobabm.exe File created C:\Windows\SysWOW64\Bphgoe32.exe Bhmbjb32.exe File created C:\Windows\SysWOW64\Mjlhjjnc.dll Jnpjlajn.exe File opened for modification C:\Windows\SysWOW64\Ncmaai32.exe Mahklf32.exe File opened for modification C:\Windows\SysWOW64\Fdcjfg32.exe Fineho32.exe File created C:\Windows\SysWOW64\Ckeigc32.exe Cdlpjicj.exe File opened for modification C:\Windows\SysWOW64\Calmcg32.exe Cggifn32.exe File created C:\Windows\SysWOW64\Mkgileqg.dll Khiopp32.exe File created C:\Windows\SysWOW64\Gflonn32.dll Objkmkjj.exe File opened for modification C:\Windows\SysWOW64\Mmgfmg32.exe Llgjcd32.exe File opened for modification C:\Windows\SysWOW64\Canlfh32.exe Beglqgcf.exe File created C:\Windows\SysWOW64\Ikpjkf32.exe Igkkdigp.exe File opened for modification C:\Windows\SysWOW64\Eqbclagp.exe Ekekcjih.exe File created C:\Windows\SysWOW64\Knbmicga.dll Ifefbbdj.exe File created C:\Windows\SysWOW64\Bffkcp32.exe Bcebadof.exe File created C:\Windows\SysWOW64\Cjakkgha.dll Alelkf32.exe File opened for modification C:\Windows\SysWOW64\Ibojgikg.exe Iippne32.exe File created C:\Windows\SysWOW64\Kpeibdfp.exe Kdnincal.exe File created C:\Windows\SysWOW64\Clpami32.dll Pdmpck32.exe File opened for modification C:\Windows\SysWOW64\Pndlca32.exe Omdpio32.exe File opened for modification C:\Windows\SysWOW64\Lifjgb32.exe Loqejjad.exe File created C:\Windows\SysWOW64\Cljopo32.dll Bfoebq32.exe File opened for modification C:\Windows\SysWOW64\Licmbccm.exe Lnnidjcg.exe File opened for modification C:\Windows\SysWOW64\Kddnpj32.exe Jnjecp32.exe File created C:\Windows\SysWOW64\Dojqjdbl.exe Ckebcg32.exe File opened for modification C:\Windows\SysWOW64\Pmdpok32.exe Pfhklabb.exe File created C:\Windows\SysWOW64\Qodmdb32.exe Pgihppgo.exe File created C:\Windows\SysWOW64\Jggjpgmc.exe Jdhndlno.exe File created C:\Windows\SysWOW64\Dbnebbgl.dll Mcnfhmcf.exe File opened for modification C:\Windows\SysWOW64\Mjheejff.exe Mboqnm32.exe File created C:\Windows\SysWOW64\Pcdmdcjf.dll Obcled32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmphjfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmhab32.dll" Jgjnpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lejgln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejgddq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealkcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkacff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmfalimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mllqpaej.dll" Cdggoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgimepmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghikqj32.dll" Ielfgmnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khdoqefq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pengna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jndchj32.dll" Dmnpah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmfkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jejjlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omaaji32.dll" Pmfedhie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifckmnbd.dll" Abodhpic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbemdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpcmagpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjnnoldm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaekfjje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kojdflkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfenpafc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncqlkemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibgdlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpmcmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niipdpae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbpdkabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pibdff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diccal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmchc32.dll" Hmbflc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nancfp32.dll" Gnmbao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmfbcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oghpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aopmpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbdjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgimepmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffmmgceo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgcjmjho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccbanfko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokbiohj.dll" Bplhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekcho32.dll" Ipcakd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clldhljp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ealkcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjleadh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llnnmhfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinkjahg.dll" Ccigpbga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhbggd32.dll" Mdibplaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgdinmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbejgk32.dll" Coldbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjaogfhi.dll" Klddgfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkddhdgk.dll" Pfgfkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chjaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phodlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbpliob.dll" Dgbagf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphlpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimmil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hglaookl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhmmchpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklfho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cckkmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjohnkdd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3164 wrote to memory of 4068 3164 3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2_NeikiAnalytics.exe 90 PID 3164 wrote to memory of 4068 3164 3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2_NeikiAnalytics.exe 90 PID 3164 wrote to memory of 4068 3164 3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2_NeikiAnalytics.exe 90 PID 4068 wrote to memory of 4620 4068 Mgeakekd.exe 91 PID 4068 wrote to memory of 4620 4068 Mgeakekd.exe 91 PID 4068 wrote to memory of 4620 4068 Mgeakekd.exe 91 PID 4620 wrote to memory of 4576 4620 Ncqlkemc.exe 92 PID 4620 wrote to memory of 4576 4620 Ncqlkemc.exe 92 PID 4620 wrote to memory of 4576 4620 Ncqlkemc.exe 92 PID 4576 wrote to memory of 1000 4576 Oanokhdb.exe 93 PID 4576 wrote to memory of 1000 4576 Oanokhdb.exe 93 PID 4576 wrote to memory of 1000 4576 Oanokhdb.exe 93 PID 1000 wrote to memory of 2020 1000 Oabhfg32.exe 94 PID 1000 wrote to memory of 2020 1000 Oabhfg32.exe 94 PID 1000 wrote to memory of 2020 1000 Oabhfg32.exe 94 PID 2020 wrote to memory of 2540 2020 Pccahbmn.exe 95 PID 2020 wrote to memory of 2540 2020 Pccahbmn.exe 95 PID 2020 wrote to memory of 2540 2020 Pccahbmn.exe 95 PID 2540 wrote to memory of 4988 2540 Pdjgha32.exe 96 PID 2540 wrote to memory of 4988 2540 Pdjgha32.exe 96 PID 2540 wrote to memory of 4988 2540 Pdjgha32.exe 96 PID 4988 wrote to memory of 3228 4988 Aknbkjfh.exe 97 PID 4988 wrote to memory of 3228 4988 Aknbkjfh.exe 97 PID 4988 wrote to memory of 3228 4988 Aknbkjfh.exe 97 PID 3228 wrote to memory of 3800 3228 Bajqda32.exe 98 PID 3228 wrote to memory of 3800 3228 Bajqda32.exe 98 PID 3228 wrote to memory of 3800 3228 Bajqda32.exe 98 PID 3800 wrote to memory of 1384 3800 Ckebcg32.exe 99 PID 3800 wrote to memory of 1384 3800 Ckebcg32.exe 99 PID 3800 wrote to memory of 1384 3800 Ckebcg32.exe 99 PID 1384 wrote to memory of 3656 1384 Dojqjdbl.exe 100 PID 1384 wrote to memory of 3656 1384 Dojqjdbl.exe 100 PID 1384 wrote to memory of 3656 1384 Dojqjdbl.exe 100 PID 3656 wrote to memory of 1620 3656 Ddkbmj32.exe 101 PID 3656 wrote to memory of 1620 3656 Ddkbmj32.exe 101 PID 3656 wrote to memory of 1620 3656 Ddkbmj32.exe 101 PID 1620 wrote to memory of 1980 1620 Enpfan32.exe 102 PID 1620 wrote to memory of 1980 1620 Enpfan32.exe 102 PID 1620 wrote to memory of 1980 1620 Enpfan32.exe 102 PID 1980 wrote to memory of 4332 1980 Fbdehlip.exe 103 PID 1980 wrote to memory of 4332 1980 Fbdehlip.exe 103 PID 1980 wrote to memory of 4332 1980 Fbdehlip.exe 103 PID 4332 wrote to memory of 2444 4332 Fgcjfbed.exe 104 PID 4332 wrote to memory of 2444 4332 Fgcjfbed.exe 104 PID 4332 wrote to memory of 2444 4332 Fgcjfbed.exe 104 PID 2444 wrote to memory of 688 2444 Gacepg32.exe 105 PID 2444 wrote to memory of 688 2444 Gacepg32.exe 105 PID 2444 wrote to memory of 688 2444 Gacepg32.exe 105 PID 688 wrote to memory of 1588 688 Hlkfbocp.exe 106 PID 688 wrote to memory of 1588 688 Hlkfbocp.exe 106 PID 688 wrote to memory of 1588 688 Hlkfbocp.exe 106 PID 1588 wrote to memory of 376 1588 Hicpgc32.exe 107 PID 1588 wrote to memory of 376 1588 Hicpgc32.exe 107 PID 1588 wrote to memory of 376 1588 Hicpgc32.exe 107 PID 376 wrote to memory of 1676 376 Ieagmcmq.exe 108 PID 376 wrote to memory of 1676 376 Ieagmcmq.exe 108 PID 376 wrote to memory of 1676 376 Ieagmcmq.exe 108 PID 1676 wrote to memory of 3264 1676 Ibgdlg32.exe 109 PID 1676 wrote to memory of 3264 1676 Ibgdlg32.exe 109 PID 1676 wrote to memory of 3264 1676 Ibgdlg32.exe 109 PID 3264 wrote to memory of 4616 3264 Khgbqkhj.exe 110 PID 3264 wrote to memory of 4616 3264 Khgbqkhj.exe 110 PID 3264 wrote to memory of 4616 3264 Khgbqkhj.exe 110 PID 4616 wrote to memory of 448 4616 Llnnmhfe.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3ea1d4c71efd66eb876f4feca5a7c36337e1dffa219d5cf36393412c09e5eba2_NeikiAnalytics.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Mgeakekd.exeC:\Windows\system32\Mgeakekd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Ncqlkemc.exeC:\Windows\system32\Ncqlkemc.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Pdjgha32.exeC:\Windows\system32\Pdjgha32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Ckebcg32.exeC:\Windows\system32\Ckebcg32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Fbdehlip.exeC:\Windows\system32\Fbdehlip.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Fgcjfbed.exeC:\Windows\system32\Fgcjfbed.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Hlkfbocp.exeC:\Windows\system32\Hlkfbocp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Ieagmcmq.exeC:\Windows\system32\Ieagmcmq.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Khgbqkhj.exeC:\Windows\system32\Khgbqkhj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Ljdkll32.exeC:\Windows\system32\Ljdkll32.exe23⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Mlhqcgnk.exeC:\Windows\system32\Mlhqcgnk.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Nckkfp32.exeC:\Windows\system32\Nckkfp32.exe25⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Objkmkjj.exeC:\Windows\system32\Objkmkjj.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Omdieb32.exeC:\Windows\system32\Omdieb32.exe27⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe28⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Aabkbono.exeC:\Windows\system32\Aabkbono.exe29⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Apjdikqd.exeC:\Windows\system32\Apjdikqd.exe30⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Bfkbfd32.exeC:\Windows\system32\Bfkbfd32.exe32⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Bphqji32.exeC:\Windows\system32\Bphqji32.exe33⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Ckpamabg.exeC:\Windows\system32\Ckpamabg.exe34⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Ckbncapd.exeC:\Windows\system32\Ckbncapd.exe35⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe37⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Daeifj32.exeC:\Windows\system32\Daeifj32.exe38⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Dpmcmf32.exeC:\Windows\system32\Dpmcmf32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3672 -
C:\Windows\SysWOW64\Dcphdqmj.exeC:\Windows\system32\Dcphdqmj.exe40⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Eqkondfl.exeC:\Windows\system32\Eqkondfl.exe41⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Fbaahf32.exeC:\Windows\system32\Fbaahf32.exe42⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe43⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Gbkdod32.exeC:\Windows\system32\Gbkdod32.exe44⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Gqbneq32.exeC:\Windows\system32\Gqbneq32.exe45⤵
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe46⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Hjolie32.exeC:\Windows\system32\Hjolie32.exe47⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Hcjmhk32.exeC:\Windows\system32\Hcjmhk32.exe48⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4612 -
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe50⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Iecmhlhb.exeC:\Windows\system32\Iecmhlhb.exe51⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ihceigec.exeC:\Windows\system32\Ihceigec.exe52⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Jnpjlajn.exeC:\Windows\system32\Jnpjlajn.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Khdoqefq.exeC:\Windows\system32\Khdoqefq.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe55⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe56⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Lajokiaa.exeC:\Windows\system32\Lajokiaa.exe57⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe58⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\Ncmaai32.exeC:\Windows\system32\Ncmaai32.exe60⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe61⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe62⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe63⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Pmeoqlpl.exeC:\Windows\system32\Pmeoqlpl.exe64⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe65⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Pcdqhecd.exeC:\Windows\system32\Pcdqhecd.exe66⤵PID:3492
-
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe67⤵PID:492
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe68⤵PID:4800
-
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe69⤵PID:1716
-
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe70⤵PID:4788
-
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe71⤵PID:2632
-
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe72⤵PID:4572
-
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe73⤵PID:212
-
C:\Windows\SysWOW64\Hgebnc32.exeC:\Windows\system32\Hgebnc32.exe74⤵PID:400
-
C:\Windows\SysWOW64\Imfdaigj.exeC:\Windows\system32\Imfdaigj.exe75⤵PID:1124
-
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe76⤵PID:1504
-
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe77⤵PID:3148
-
C:\Windows\SysWOW64\Jfoaam32.exeC:\Windows\system32\Jfoaam32.exe78⤵PID:2980
-
C:\Windows\SysWOW64\Kaioidkh.exeC:\Windows\system32\Kaioidkh.exe79⤵PID:4088
-
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe80⤵PID:4316
-
C:\Windows\SysWOW64\Lhjnfn32.exeC:\Windows\system32\Lhjnfn32.exe81⤵PID:5132
-
C:\Windows\SysWOW64\Lndfchdj.exeC:\Windows\system32\Lndfchdj.exe82⤵PID:5216
-
C:\Windows\SysWOW64\Laglkb32.exeC:\Windows\system32\Laglkb32.exe83⤵PID:5280
-
C:\Windows\SysWOW64\Mehafq32.exeC:\Windows\system32\Mehafq32.exe84⤵PID:5336
-
C:\Windows\SysWOW64\Moiheebb.exeC:\Windows\system32\Moiheebb.exe85⤵PID:5400
-
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe86⤵PID:5444
-
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe87⤵PID:5496
-
C:\Windows\SysWOW64\Akogio32.exeC:\Windows\system32\Akogio32.exe88⤵PID:5584
-
C:\Windows\SysWOW64\Djpfbahm.exeC:\Windows\system32\Djpfbahm.exe89⤵PID:5704
-
C:\Windows\SysWOW64\Ehklmd32.exeC:\Windows\system32\Ehklmd32.exe90⤵PID:5756
-
C:\Windows\SysWOW64\Ebpqjmpd.exeC:\Windows\system32\Ebpqjmpd.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5804 -
C:\Windows\SysWOW64\Ehofhdli.exeC:\Windows\system32\Ehofhdli.exe92⤵PID:5848
-
C:\Windows\SysWOW64\Eiobbgcl.exeC:\Windows\system32\Eiobbgcl.exe93⤵PID:5892
-
C:\Windows\SysWOW64\Folkjnbc.exeC:\Windows\system32\Folkjnbc.exe94⤵PID:5944
-
C:\Windows\SysWOW64\Gogjflhf.exeC:\Windows\system32\Gogjflhf.exe95⤵PID:5988
-
C:\Windows\SysWOW64\Gimoce32.exeC:\Windows\system32\Gimoce32.exe96⤵PID:6036
-
C:\Windows\SysWOW64\Gehice32.exeC:\Windows\system32\Gehice32.exe97⤵PID:6084
-
C:\Windows\SysWOW64\Hhpheo32.exeC:\Windows\system32\Hhpheo32.exe98⤵PID:6132
-
C:\Windows\SysWOW64\Ijgjpaao.exeC:\Windows\system32\Ijgjpaao.exe99⤵PID:5172
-
C:\Windows\SysWOW64\Jfgnka32.exeC:\Windows\system32\Jfgnka32.exe100⤵PID:5296
-
C:\Windows\SysWOW64\Koiejemn.exeC:\Windows\system32\Koiejemn.exe101⤵PID:5376
-
C:\Windows\SysWOW64\Kkabefqp.exeC:\Windows\system32\Kkabefqp.exe102⤵PID:5428
-
C:\Windows\SysWOW64\Lcdjba32.exeC:\Windows\system32\Lcdjba32.exe103⤵PID:4580
-
C:\Windows\SysWOW64\Mmokpglb.exeC:\Windows\system32\Mmokpglb.exe104⤵PID:5552
-
C:\Windows\SysWOW64\Mfhpilbc.exeC:\Windows\system32\Mfhpilbc.exe105⤵PID:1464
-
C:\Windows\SysWOW64\Mboqnm32.exeC:\Windows\system32\Mboqnm32.exe106⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Mjheejff.exeC:\Windows\system32\Mjheejff.exe107⤵PID:3728
-
C:\Windows\SysWOW64\Nfabok32.exeC:\Windows\system32\Nfabok32.exe108⤵PID:3552
-
C:\Windows\SysWOW64\Njahki32.exeC:\Windows\system32\Njahki32.exe109⤵
- Drops file in System32 directory
PID:4508 -
C:\Windows\SysWOW64\Nbmmoklg.exeC:\Windows\system32\Nbmmoklg.exe110⤵PID:3228
-
C:\Windows\SysWOW64\Olndnp32.exeC:\Windows\system32\Olndnp32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1496 -
C:\Windows\SysWOW64\Pcaoahio.exeC:\Windows\system32\Pcaoahio.exe112⤵PID:464
-
C:\Windows\SysWOW64\Pphlpl32.exeC:\Windows\system32\Pphlpl32.exe113⤵
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Qkmqne32.exeC:\Windows\system32\Qkmqne32.exe114⤵PID:2276
-
C:\Windows\SysWOW64\Aiejda32.exeC:\Windows\system32\Aiejda32.exe115⤵PID:3264
-
C:\Windows\SysWOW64\Apcllk32.exeC:\Windows\system32\Apcllk32.exe116⤵PID:3988
-
C:\Windows\SysWOW64\Ajnmjp32.exeC:\Windows\system32\Ajnmjp32.exe117⤵PID:4672
-
C:\Windows\SysWOW64\Addahh32.exeC:\Windows\system32\Addahh32.exe118⤵PID:2440
-
C:\Windows\SysWOW64\Ckiipa32.exeC:\Windows\system32\Ckiipa32.exe119⤵PID:5712
-
C:\Windows\SysWOW64\Cjabgm32.exeC:\Windows\system32\Cjabgm32.exe120⤵PID:5768
-
C:\Windows\SysWOW64\Ccigpbga.exeC:\Windows\system32\Ccigpbga.exe121⤵
- Modifies registry class
PID:5820
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-