Analysis
-
max time kernel
154s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28/06/2024, 12:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
985a96b5719f284c663d33c2b8ad6173754cec7fd0002ac20d39bfd76f9bb165_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
985a96b5719f284c663d33c2b8ad6173754cec7fd0002ac20d39bfd76f9bb165_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
985a96b5719f284c663d33c2b8ad6173754cec7fd0002ac20d39bfd76f9bb165_NeikiAnalytics.exe
-
Size
512KB
-
MD5
5c76d75f1f0fb6418c3c5a96490a71b0
-
SHA1
9a4a03e89e8a936990962df7688c8b51b66af48a
-
SHA256
985a96b5719f284c663d33c2b8ad6173754cec7fd0002ac20d39bfd76f9bb165
-
SHA512
2e4ec4fb3713cfc715a576adf84cfc3626146b1e7e851ee503dc83805294e164bfedeecfee77db364af5caaab70fefe36cd116ebc1a2e841dfacd0ffb468b909
-
SSDEEP
12288:2CJCMyI6r2jJXqM+Lh1r/Ng1/Nblt01PBExK:Irt6lks
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peahpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgqed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibkpmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmhnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldcdhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbqdmodg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkkah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnelj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komhkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niadfpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Locgagli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfoflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjednmla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoinlbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capkim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhkjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejabgcdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpmnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foplnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eepbabjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lamjbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idbfhiko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaqejcep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeobhlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhicjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iplkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngaabfio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpkliaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpklql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efolidno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alioloje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imklncch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nloikqnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keinepch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndjgjhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjpkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaglma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aploae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhpmql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomnmfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhefmjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfclcpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egpgehnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncakglka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Defajqko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpknplq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alioloje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imklncch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khonkogj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpklql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jffokn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjgemi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddnah32.exe -
Executes dropped EXE 64 IoCs
pid Process 4732 Modpib32.exe 4536 Mokfja32.exe 1848 Nbnlaldg.exe 4432 Njjmni32.exe 232 Njljch32.exe 2020 Objkmkjj.exe 2516 Oqklkbbi.exe 2904 Omalpc32.exe 952 Oflmnh32.exe 748 Paihlpfi.exe 3092 Pfhmjf32.exe 2236 Qclmck32.exe 4944 Amfobp32.exe 1532 Aagdnn32.exe 3236 Ajaelc32.exe 2284 Bfkbfd32.exe 3760 Bmidnm32.exe 3392 Cdhffg32.exe 2156 Ccmcgcmp.exe 1408 Dncpkjoc.exe 5028 Edoencdm.exe 4016 Enjfli32.exe 2756 Eajlhg32.exe 3796 Fgnjqm32.exe 4056 Fjocbhbo.exe 4564 Gnohnffc.exe 2240 Gnfooe32.exe 4476 Hqghqpnl.exe 2172 Hchqbkkm.exe 1124 Hnpaec32.exe 4752 Iabglnco.exe 5084 Ibgmaqfl.exe 1492 Jjdokb32.exe 1652 Jdmcdhhe.exe 4504 Jjihfbno.exe 3448 Jaemilci.exe 4524 Kbgfhnhi.exe 4924 Leoejh32.exe 4440 Logicn32.exe 3768 Lojfin32.exe 3452 Nhbciqln.exe 2868 Nooikj32.exe 3912 Obidcdfo.exe 4392 Odljjo32.exe 4676 Qmanljfo.exe 2488 Qkfkng32.exe 2668 Akihcfid.exe 2692 Afqifo32.exe 2196 Abgjkpll.exe 2104 Amoknh32.exe 3516 Bifkcioc.exe 3560 Bliajd32.exe 3740 Cmmgof32.exe 2312 Cehlcikj.exe 1136 Cbmlmmjd.exe 4248 Cboibm32.exe 2688 Dghadidj.exe 3472 Egpgehnb.exe 1148 Fpmeimpn.exe 3284 Fgijkgeh.exe 3424 Fcpkph32.exe 3800 Fjlpbb32.exe 3348 Hnmnengg.exe 400 Hmbkfjko.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ofacao32.dll Aijeme32.exe File opened for modification C:\Windows\SysWOW64\Lkkekdhe.exe Lcpqgbkj.exe File created C:\Windows\SysWOW64\Nnhcfa32.dll Process not Found File created C:\Windows\SysWOW64\Cfedmfqd.exe Cpklql32.exe File opened for modification C:\Windows\SysWOW64\Idbfhiko.exe Ininloda.exe File opened for modification C:\Windows\SysWOW64\Igdnkhoe.exe Igbaeh32.exe File created C:\Windows\SysWOW64\Poimigfm.exe Peahpa32.exe File opened for modification C:\Windows\SysWOW64\Ghgeoq32.exe Gooqfkan.exe File opened for modification C:\Windows\SysWOW64\Aafefq32.exe Aklmjfad.exe File opened for modification C:\Windows\SysWOW64\Olpjii32.exe Ofcaab32.exe File opened for modification C:\Windows\SysWOW64\Amibqhed.exe Amgekh32.exe File opened for modification C:\Windows\SysWOW64\Egjobl32.exe Process not Found File created C:\Windows\SysWOW64\Jfbnnelf.dll Nhbciqln.exe File created C:\Windows\SysWOW64\Oihkgo32.exe Nifnao32.exe File opened for modification C:\Windows\SysWOW64\Nqdlpmce.exe Nocphd32.exe File created C:\Windows\SysWOW64\Cdkcbfjm.dll Fiajfi32.exe File opened for modification C:\Windows\SysWOW64\Iabglnco.exe Hnpaec32.exe File created C:\Windows\SysWOW64\Effdbcbq.dll Khonkogj.exe File created C:\Windows\SysWOW64\Enccibdi.dll Pgaelcgm.exe File created C:\Windows\SysWOW64\Lmhnea32.exe Lbbjhini.exe File opened for modification C:\Windows\SysWOW64\Mingbhon.exe Mccofn32.exe File opened for modification C:\Windows\SysWOW64\Npedfjfo.exe Nbadmege.exe File created C:\Windows\SysWOW64\Dgpgplej.exe Dodbkiho.exe File created C:\Windows\SysWOW64\Mbedag32.exe Mbchkg32.exe File created C:\Windows\SysWOW64\Dhbelp32.exe Process not Found File created C:\Windows\SysWOW64\Aneppo32.exe Alfcflfb.exe File created C:\Windows\SysWOW64\Cdhiigok.dll Plifea32.exe File created C:\Windows\SysWOW64\Jcefgeif.exe Jfaenqjm.exe File created C:\Windows\SysWOW64\Pgpmdh32.exe Oqfdgn32.exe File created C:\Windows\SysWOW64\Ijhhenhf.exe Hmbkfjko.exe File opened for modification C:\Windows\SysWOW64\Ainnhdbp.exe Afnefieo.exe File created C:\Windows\SysWOW64\Pjofcb32.exe Process not Found File created C:\Windows\SysWOW64\Pdofpb32.exe Pnenchoc.exe File opened for modification C:\Windows\SysWOW64\Cjofambd.exe Cqfahh32.exe File created C:\Windows\SysWOW64\Dflflg32.exe Dqomdppm.exe File created C:\Windows\SysWOW64\Mjiljdaj.exe Lnbkeclf.exe File opened for modification C:\Windows\SysWOW64\Oimdbnip.exe Olidijjf.exe File created C:\Windows\SysWOW64\Nigjifgc.exe Mlciobhj.exe File created C:\Windows\SysWOW64\Jlpklg32.exe Jcefgeif.exe File created C:\Windows\SysWOW64\Aachaa32.exe Qemhlp32.exe File created C:\Windows\SysWOW64\Cdhffg32.exe Bmidnm32.exe File created C:\Windows\SysWOW64\Elhnhm32.exe Eabjkdcc.exe File created C:\Windows\SysWOW64\Cegibblj.dll Fnacfp32.exe File opened for modification C:\Windows\SysWOW64\Mkangg32.exe Mkoaagmh.exe File opened for modification C:\Windows\SysWOW64\Hhobjf32.exe Hofmaq32.exe File created C:\Windows\SysWOW64\Jnalem32.exe Jhdcmf32.exe File created C:\Windows\SysWOW64\Pldcdhpi.exe Plbfohbl.exe File opened for modification C:\Windows\SysWOW64\Blhhaigj.exe Andghd32.exe File created C:\Windows\SysWOW64\Dflebj32.dll Ibkpmm32.exe File created C:\Windows\SysWOW64\Dpckclld.exe Dclknkfp.exe File created C:\Windows\SysWOW64\Jelhphdq.dll Idbonc32.exe File created C:\Windows\SysWOW64\Njjmni32.exe Nbnlaldg.exe File created C:\Windows\SysWOW64\Oiljbjbl.dll Hhobjf32.exe File opened for modification C:\Windows\SysWOW64\Nfnooe32.exe Meobeb32.exe File opened for modification C:\Windows\SysWOW64\Ejabgcdp.exe Efdjqeni.exe File opened for modification C:\Windows\SysWOW64\Gdncfl32.exe Gkeonggf.exe File created C:\Windows\SysWOW64\Hoebhpfd.dll Nbadmege.exe File created C:\Windows\SysWOW64\Jkligd32.exe Jljiimeb.exe File opened for modification C:\Windows\SysWOW64\Aolbedeh.exe Anmfkane.exe File opened for modification C:\Windows\SysWOW64\Efolidno.exe Egiohh32.exe File opened for modification C:\Windows\SysWOW64\Fldeie32.exe Efepln32.exe File created C:\Windows\SysWOW64\Pgaelcgm.exe Ogjpld32.exe File created C:\Windows\SysWOW64\Kgkfil32.exe Kaonaekb.exe File opened for modification C:\Windows\SysWOW64\Nklfho32.exe Nacboi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3468 5152 Process not Found 1220 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpnnek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcimp32.dll" Cmflkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hphfac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfimmhkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jelhphdq.dll" Idbonc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blieeglf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eelpqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkcaeige.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndpcdjho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bldogjib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoalba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgjpce32.dll" Dqomdppm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnmnengg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmdefi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kejeebpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjabgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfoopb32.dll" Gpodkdll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnhncjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqfmnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjqdafmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iophnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkckicf.dll" Lbmheomi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maggggaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccccb32.dll" Jhdcmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpkliaol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdabmcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll" Enjfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkooep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofacao32.dll" Aijeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkpdbm32.dll" Ekcplp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhnob32.dll" Hoonjjgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncakglka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgejeooc.dll" Bmjlpnpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbiip32.dll" Aemjjeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gipbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmlfi32.dll" Ijjnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcabhido.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhdpkoii.dll" Ghmbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okcccdkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idgocigi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olqqdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acfhkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgcbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Homcbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpjgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmjgdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lechfeoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keghocao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdake32.dll" Lennpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elgohj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikbphn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckghid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncapbnlk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbocng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkjclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifjfhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcbngeqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jifabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbecljnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inhion32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjjhj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3248 wrote to memory of 4732 3248 985a96b5719f284c663d33c2b8ad6173754cec7fd0002ac20d39bfd76f9bb165_NeikiAnalytics.exe 91 PID 3248 wrote to memory of 4732 3248 985a96b5719f284c663d33c2b8ad6173754cec7fd0002ac20d39bfd76f9bb165_NeikiAnalytics.exe 91 PID 3248 wrote to memory of 4732 3248 985a96b5719f284c663d33c2b8ad6173754cec7fd0002ac20d39bfd76f9bb165_NeikiAnalytics.exe 91 PID 4732 wrote to memory of 4536 4732 Modpib32.exe 92 PID 4732 wrote to memory of 4536 4732 Modpib32.exe 92 PID 4732 wrote to memory of 4536 4732 Modpib32.exe 92 PID 4536 wrote to memory of 1848 4536 Mokfja32.exe 93 PID 4536 wrote to memory of 1848 4536 Mokfja32.exe 93 PID 4536 wrote to memory of 1848 4536 Mokfja32.exe 93 PID 1848 wrote to memory of 4432 1848 Nbnlaldg.exe 94 PID 1848 wrote to memory of 4432 1848 Nbnlaldg.exe 94 PID 1848 wrote to memory of 4432 1848 Nbnlaldg.exe 94 PID 4432 wrote to memory of 232 4432 Njjmni32.exe 95 PID 4432 wrote to memory of 232 4432 Njjmni32.exe 95 PID 4432 wrote to memory of 232 4432 Njjmni32.exe 95 PID 232 wrote to memory of 2020 232 Njljch32.exe 96 PID 232 wrote to memory of 2020 232 Njljch32.exe 96 PID 232 wrote to memory of 2020 232 Njljch32.exe 96 PID 2020 wrote to memory of 2516 2020 Objkmkjj.exe 97 PID 2020 wrote to memory of 2516 2020 Objkmkjj.exe 97 PID 2020 wrote to memory of 2516 2020 Objkmkjj.exe 97 PID 2516 wrote to memory of 2904 2516 Oqklkbbi.exe 98 PID 2516 wrote to memory of 2904 2516 Oqklkbbi.exe 98 PID 2516 wrote to memory of 2904 2516 Oqklkbbi.exe 98 PID 2904 wrote to memory of 952 2904 Omalpc32.exe 99 PID 2904 wrote to memory of 952 2904 Omalpc32.exe 99 PID 2904 wrote to memory of 952 2904 Omalpc32.exe 99 PID 952 wrote to memory of 748 952 Oflmnh32.exe 100 PID 952 wrote to memory of 748 952 Oflmnh32.exe 100 PID 952 wrote to memory of 748 952 Oflmnh32.exe 100 PID 748 wrote to memory of 3092 748 Paihlpfi.exe 101 PID 748 wrote to memory of 3092 748 Paihlpfi.exe 101 PID 748 wrote to memory of 3092 748 Paihlpfi.exe 101 PID 3092 wrote to memory of 2236 3092 Pfhmjf32.exe 102 PID 3092 wrote to memory of 2236 3092 Pfhmjf32.exe 102 PID 3092 wrote to memory of 2236 3092 Pfhmjf32.exe 102 PID 2236 wrote to memory of 4944 2236 Qclmck32.exe 103 PID 2236 wrote to memory of 4944 2236 Qclmck32.exe 103 PID 2236 wrote to memory of 4944 2236 Qclmck32.exe 103 PID 4944 wrote to memory of 1532 4944 Amfobp32.exe 104 PID 4944 wrote to memory of 1532 4944 Amfobp32.exe 104 PID 4944 wrote to memory of 1532 4944 Amfobp32.exe 104 PID 1532 wrote to memory of 3236 1532 Aagdnn32.exe 105 PID 1532 wrote to memory of 3236 1532 Aagdnn32.exe 105 PID 1532 wrote to memory of 3236 1532 Aagdnn32.exe 105 PID 3236 wrote to memory of 2284 3236 Ajaelc32.exe 106 PID 3236 wrote to memory of 2284 3236 Ajaelc32.exe 106 PID 3236 wrote to memory of 2284 3236 Ajaelc32.exe 106 PID 2284 wrote to memory of 3760 2284 Bfkbfd32.exe 107 PID 2284 wrote to memory of 3760 2284 Bfkbfd32.exe 107 PID 2284 wrote to memory of 3760 2284 Bfkbfd32.exe 107 PID 3760 wrote to memory of 3392 3760 Bmidnm32.exe 108 PID 3760 wrote to memory of 3392 3760 Bmidnm32.exe 108 PID 3760 wrote to memory of 3392 3760 Bmidnm32.exe 108 PID 3392 wrote to memory of 2156 3392 Cdhffg32.exe 109 PID 3392 wrote to memory of 2156 3392 Cdhffg32.exe 109 PID 3392 wrote to memory of 2156 3392 Cdhffg32.exe 109 PID 2156 wrote to memory of 1408 2156 Ccmcgcmp.exe 110 PID 2156 wrote to memory of 1408 2156 Ccmcgcmp.exe 110 PID 2156 wrote to memory of 1408 2156 Ccmcgcmp.exe 110 PID 1408 wrote to memory of 5028 1408 Dncpkjoc.exe 111 PID 1408 wrote to memory of 5028 1408 Dncpkjoc.exe 111 PID 1408 wrote to memory of 5028 1408 Dncpkjoc.exe 111 PID 5028 wrote to memory of 4016 5028 Edoencdm.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\985a96b5719f284c663d33c2b8ad6173754cec7fd0002ac20d39bfd76f9bb165_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\985a96b5719f284c663d33c2b8ad6173754cec7fd0002ac20d39bfd76f9bb165_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\Modpib32.exeC:\Windows\system32\Modpib32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Mokfja32.exeC:\Windows\system32\Mokfja32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Nbnlaldg.exeC:\Windows\system32\Nbnlaldg.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Njjmni32.exeC:\Windows\system32\Njjmni32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Njljch32.exeC:\Windows\system32\Njljch32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Objkmkjj.exeC:\Windows\system32\Objkmkjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Oqklkbbi.exeC:\Windows\system32\Oqklkbbi.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Oflmnh32.exeC:\Windows\system32\Oflmnh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Paihlpfi.exeC:\Windows\system32\Paihlpfi.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Pfhmjf32.exeC:\Windows\system32\Pfhmjf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Qclmck32.exeC:\Windows\system32\Qclmck32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Amfobp32.exeC:\Windows\system32\Amfobp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Aagdnn32.exeC:\Windows\system32\Aagdnn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Ajaelc32.exeC:\Windows\system32\Ajaelc32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Bfkbfd32.exeC:\Windows\system32\Bfkbfd32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Bmidnm32.exeC:\Windows\system32\Bmidnm32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Cdhffg32.exeC:\Windows\system32\Cdhffg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\Ccmcgcmp.exeC:\Windows\system32\Ccmcgcmp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Dncpkjoc.exeC:\Windows\system32\Dncpkjoc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Edoencdm.exeC:\Windows\system32\Edoencdm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Enjfli32.exeC:\Windows\system32\Enjfli32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4016 -
C:\Windows\SysWOW64\Eajlhg32.exeC:\Windows\system32\Eajlhg32.exe24⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Fgnjqm32.exeC:\Windows\system32\Fgnjqm32.exe25⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe26⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Gnohnffc.exeC:\Windows\system32\Gnohnffc.exe27⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Gnfooe32.exeC:\Windows\system32\Gnfooe32.exe28⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Hqghqpnl.exeC:\Windows\system32\Hqghqpnl.exe29⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Hchqbkkm.exeC:\Windows\system32\Hchqbkkm.exe30⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe32⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Ibgmaqfl.exeC:\Windows\system32\Ibgmaqfl.exe33⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Jjdokb32.exeC:\Windows\system32\Jjdokb32.exe34⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe35⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe36⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe37⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe38⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Leoejh32.exeC:\Windows\system32\Leoejh32.exe39⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe40⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Lojfin32.exeC:\Windows\system32\Lojfin32.exe41⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3452 -
C:\Windows\SysWOW64\Nooikj32.exeC:\Windows\system32\Nooikj32.exe43⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Obidcdfo.exeC:\Windows\system32\Obidcdfo.exe44⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe45⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe46⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe47⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe48⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe49⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Abgjkpll.exeC:\Windows\system32\Abgjkpll.exe50⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Amoknh32.exeC:\Windows\system32\Amoknh32.exe51⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe52⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Bliajd32.exeC:\Windows\system32\Bliajd32.exe53⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe54⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe55⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Cbmlmmjd.exeC:\Windows\system32\Cbmlmmjd.exe56⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe57⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe58⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Fpmeimpn.exeC:\Windows\system32\Fpmeimpn.exe60⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Fgijkgeh.exeC:\Windows\system32\Fgijkgeh.exe61⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe62⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Fjlpbb32.exeC:\Windows\system32\Fjlpbb32.exe63⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Hnmnengg.exeC:\Windows\system32\Hnmnengg.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Hmbkfjko.exeC:\Windows\system32\Hmbkfjko.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\Ijhhenhf.exeC:\Windows\system32\Ijhhenhf.exe66⤵PID:3040
-
C:\Windows\SysWOW64\Iglhob32.exeC:\Windows\system32\Iglhob32.exe67⤵PID:1948
-
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe68⤵PID:464
-
C:\Windows\SysWOW64\Imknli32.exeC:\Windows\system32\Imknli32.exe69⤵PID:2892
-
C:\Windows\SysWOW64\Iaifbg32.exeC:\Windows\system32\Iaifbg32.exe70⤵PID:2420
-
C:\Windows\SysWOW64\Jffokn32.exeC:\Windows\system32\Jffokn32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe72⤵PID:4428
-
C:\Windows\SysWOW64\Janpnfee.exeC:\Windows\system32\Janpnfee.exe73⤵PID:4012
-
C:\Windows\SysWOW64\Jmdqbg32.exeC:\Windows\system32\Jmdqbg32.exe74⤵PID:1716
-
C:\Windows\SysWOW64\Jndmlj32.exeC:\Windows\system32\Jndmlj32.exe75⤵PID:1112
-
C:\Windows\SysWOW64\Jjknakhq.exeC:\Windows\system32\Jjknakhq.exe76⤵PID:820
-
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Kmlgcf32.exeC:\Windows\system32\Kmlgcf32.exe78⤵PID:5188
-
C:\Windows\SysWOW64\Kdhlepkl.exeC:\Windows\system32\Kdhlepkl.exe79⤵PID:5236
-
C:\Windows\SysWOW64\Keghocao.exeC:\Windows\system32\Keghocao.exe80⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Kfidgk32.exeC:\Windows\system32\Kfidgk32.exe81⤵PID:5376
-
C:\Windows\SysWOW64\Kejeebpl.exeC:\Windows\system32\Kejeebpl.exe82⤵
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Kaqejcep.exeC:\Windows\system32\Kaqejcep.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Lfmnbjcg.exeC:\Windows\system32\Lfmnbjcg.exe84⤵PID:5532
-
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe85⤵
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Leedqa32.exeC:\Windows\system32\Leedqa32.exe86⤵PID:5632
-
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe87⤵PID:5672
-
C:\Windows\SysWOW64\Maoakaip.exeC:\Windows\system32\Maoakaip.exe88⤵PID:5732
-
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe89⤵PID:5780
-
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe90⤵PID:5836
-
C:\Windows\SysWOW64\Ndmgnkja.exeC:\Windows\system32\Ndmgnkja.exe91⤵PID:5880
-
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe92⤵PID:5936
-
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe93⤵
- Modifies registry class
PID:5996 -
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe94⤵PID:6048
-
C:\Windows\SysWOW64\Oeffnl32.exeC:\Windows\system32\Oeffnl32.exe95⤵PID:6096
-
C:\Windows\SysWOW64\Ogjpld32.exeC:\Windows\system32\Ogjpld32.exe96⤵
- Drops file in System32 directory
PID:6140 -
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe97⤵
- Drops file in System32 directory
PID:5156 -
C:\Windows\SysWOW64\Pgcbbc32.exeC:\Windows\system32\Pgcbbc32.exe98⤵
- Modifies registry class
PID:5208 -
C:\Windows\SysWOW64\Pnmjomlg.exeC:\Windows\system32\Pnmjomlg.exe99⤵PID:5388
-
C:\Windows\SysWOW64\Qhghge32.exeC:\Windows\system32\Qhghge32.exe100⤵PID:5480
-
C:\Windows\SysWOW64\Aoapcood.exeC:\Windows\system32\Aoapcood.exe101⤵PID:5572
-
C:\Windows\SysWOW64\Aijeme32.exeC:\Windows\system32\Aijeme32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:5668 -
C:\Windows\SysWOW64\Afnefieo.exeC:\Windows\system32\Afnefieo.exe103⤵
- Drops file in System32 directory
PID:5740 -
C:\Windows\SysWOW64\Ainnhdbp.exeC:\Windows\system32\Ainnhdbp.exe104⤵PID:5796
-
C:\Windows\SysWOW64\Akogio32.exeC:\Windows\system32\Akogio32.exe105⤵PID:5856
-
C:\Windows\SysWOW64\Bkadoo32.exeC:\Windows\system32\Bkadoo32.exe106⤵PID:5992
-
C:\Windows\SysWOW64\Bfieagka.exeC:\Windows\system32\Bfieagka.exe107⤵PID:6020
-
C:\Windows\SysWOW64\Bndjfjhl.exeC:\Windows\system32\Bndjfjhl.exe108⤵PID:6108
-
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe109⤵PID:4832
-
C:\Windows\SysWOW64\Beaohcmf.exeC:\Windows\system32\Beaohcmf.exe110⤵PID:5328
-
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436 -
C:\Windows\SysWOW64\Cpipkl32.exeC:\Windows\system32\Cpipkl32.exe112⤵PID:5560
-
C:\Windows\SysWOW64\Cpklql32.exeC:\Windows\system32\Cpklql32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5600 -
C:\Windows\SysWOW64\Cfedmfqd.exeC:\Windows\system32\Cfedmfqd.exe114⤵PID:5788
-
C:\Windows\SysWOW64\Cpmifkgd.exeC:\Windows\system32\Cpmifkgd.exe115⤵PID:5916
-
C:\Windows\SysWOW64\Cfjnhe32.exeC:\Windows\system32\Cfjnhe32.exe116⤵PID:6028
-
C:\Windows\SysWOW64\Deokja32.exeC:\Windows\system32\Deokja32.exe117⤵PID:2072
-
C:\Windows\SysWOW64\Deagoa32.exeC:\Windows\system32\Deagoa32.exe118⤵PID:5304
-
C:\Windows\SysWOW64\Dhbqalle.exeC:\Windows\system32\Dhbqalle.exe119⤵PID:5144
-
C:\Windows\SysWOW64\Defajqko.exeC:\Windows\system32\Defajqko.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5744 -
C:\Windows\SysWOW64\Dlbfmjqi.exeC:\Windows\system32\Dlbfmjqi.exe121⤵PID:5988
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-