Analysis
-
max time kernel: 125s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 11:19
Static task: static1
Behavioral task: behavioral1
  Sample: a9704399236b728a51291a3104a11f797d480ba87a59d507017ff391f97be44e_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a9704399236b728a51291a3104a11f797d480ba87a59d507017ff391f97be44e_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
The signatures and process tree on this page are from the win10v2004 (behavioral2) run; the platform and resource fields above identify it.
General
-
Target: a9704399236b728a51291a3104a11f797d480ba87a59d507017ff391f97be44e_NeikiAnalytics.exe
Size: 143KB
MD5: aa35177412e7508322e4c4e014bdb900
SHA1: f1755448bcc9971b7cd3eb12b37531d40ce8f132
SHA256: a9704399236b728a51291a3104a11f797d480ba87a59d507017ff391f97be44e
SHA512: 95114dd02e338912f8ea834bc10b9bec56ecc38007cbeee314e2d508ca1dd04d5efa23c76c762ba3b2e9cfc0628dc5ad0b0819728b59d115eda46e6d626bf402
SSDEEP: 1536:xZo4VfmgbI4dQ97WZWT8hUQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:842ygRT8h3N93bsGfhv0vt3y
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
All 64 rows touch one key, \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. The report spells the path Software or SOFTWARE depending on how each process opened it; registry key names are case-insensitive, so it is the same key. The rows are grouped by operation below (the original lists one row per process). The value name to hunt for is "Web Event Logger" and the CLSID it points at is {79FEACFF-FFCE-815E-A900-316290B5B738}; the in-process server for that CLSID is registered in "Modifies registry class" further down.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (30 processes):
  Hiipmhmk.exe, Njjdho32.exe, Aajhndkb.exe, Bdbnjdfg.exe, Doagjc32.exe, Lpjjmg32.exe, Qjhbfd32.exe, Fgqgfl32.exe, Bipecnkd.exe, Ohfami32.exe, Nabfjpak.exe, Fgjhpcmo.exe, Bklomh32.exe, Hecjke32.exe, Gpbpbecj.exe, Iedjmioj.exe, Joqafgni.exe, Anobgl32.exe, Kflide32.exe, Ipkdek32.exe, Qdbdcg32.exe, Hlepcdoa.exe, Qdphngfl.exe, Ibegfglj.exe, Fcneeo32.exe, Gkcigjel.exe, Mjlhgaqp.exe, Mjjkaabc.exe, Amkhmoap.exe, Epdime32.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (34 processes):
  Knenkbio.exe, Ganldgib.exe, Nciopppp.exe, Abcgjg32.exe, Nnbnhedj.exe, Knqepc32.exe, Omdppiif.exe, Qhhpop32.exe, Bdojjo32.exe, Mjggal32.exe, Mlljnf32.exe, Mqfpckhm.exe, Ieojgc32.exe, Ccmcgcmp.exe, Joqafgni.exe, Amlogfel.exe, Ahippdbe.exe, Oplfkeob.exe, Mbgeqmjp.exe, Bafndi32.exe, Kckqbj32.exe, Lcmodajm.exe, Oblhcj32.exe, Pfhmjf32.exe, Phajna32.exe, Cpmapodj.exe, Dhdbhifj.exe, Ccblbb32.exe, Edfknb32.exe, Blnoga32.exe, Fqfojblo.exe, Jepjhg32.exe, Lgpoihnl.exe, Onkidm32.exe
Executes dropped EXE (64 IoCs)
pid | Process
1928 | Mjokgg32.exe
4356 | Mchppmij.exe
3052 | Mjahlgpf.exe
4484 | Mmpdhboj.exe
4644 | Megljppl.exe
3448 | Mkadfj32.exe
2236 | Mnpabe32.exe
4708 | Manmoq32.exe
2892 | Nclikl32.exe
448 | Nlcalieg.exe
2244 | Nnbnhedj.exe
820 | Nelfeo32.exe
3844 | Ngjbaj32.exe
4556 | Njinmf32.exe
1800 | Nndjndbh.exe
3812 | Nabfjpak.exe
5004 | Nhmofj32.exe
3532 | Nlhkgi32.exe
928 | Nnfgcd32.exe
3948 | Neqopnhb.exe
3540 | Nccokk32.exe
4852 | Nhokljge.exe
824 | Njmhhefi.exe
4012 | Neclenfo.exe
3316 | Nlmdbh32.exe
2384 | Nmnqjp32.exe
2984 | Oeehkn32.exe
1432 | Ojbacd32.exe
4308 | Oalipoiq.exe
224 | Ohfami32.exe
5028 | Onpjichj.exe
4812 | Oanfen32.exe
4816 | Odmbaj32.exe
4032 | Ohhnbhok.exe
404 | Ojgjndno.exe
2992 | Oobfob32.exe
1180 | Oaqbkn32.exe
3504 | Odoogi32.exe
1940 | Ohkkhhmh.exe
1956 | Olfghg32.exe
1948 | Oodcdb32.exe
2796 | Omgcpokp.exe
1684 | Oeokal32.exe
2424 | Odalmibl.exe
4676 | Olicnfco.exe
2324 | Okkdic32.exe
5060 | Omjpeo32.exe
1324 | Paelfmaf.exe
3548 | Phodcg32.exe
3084 | Poimpapp.exe
1912 | Pmlmkn32.exe
2828 | Pdfehh32.exe
5052 | Phaahggp.exe
1392 | Pkpmdbfd.exe
3496 | Pmoiqneg.exe
3728 | Pefabkej.exe
5008 | Phdnngdn.exe
1292 | Plpjoe32.exe
2416 | Ponfka32.exe
1916 | Palbgl32.exe
3852 | Pdkoch32.exe
1136 | Plbfdekd.exe
456 | Popbpqjh.exe
980 | Pmcclm32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
Every process in the chain writes the next stage into C:\Windows\SysWOW64 (16 of the 64 rows are .dll drops, the rest .exe). The DLLs are the in-process servers that "Modifies registry class" registers for the CLSID; Klhacomg.dll, created by Abfdpfaj.exe, appears in both tables. Both tables stop at the report's 64-row cap, so most DLL/registry pairs fall outside what is shown.
File created | C:\Windows\SysWOW64\Phodcg32.exe | Paelfmaf.exe
File opened for modification | C:\Windows\SysWOW64\Phigif32.exe | Pdmkhgho.exe
File opened for modification | C:\Windows\SysWOW64\Adhdjpjf.exe | Aajhndkb.exe
File created | C:\Windows\SysWOW64\Dcnlnaom.exe | Dpopbepi.exe
File created | C:\Windows\SysWOW64\Bejceb32.dll | Fnffhgon.exe
File opened for modification | C:\Windows\SysWOW64\Olfghg32.exe | Ohkkhhmh.exe
File opened for modification | C:\Windows\SysWOW64\Cfpffeaj.exe | Cbdjeg32.exe
File created | C:\Windows\SysWOW64\Abhemohm.dll | Kckqbj32.exe
File opened for modification | C:\Windows\SysWOW64\Hlepcdoa.exe | Hifcgion.exe
File opened for modification | C:\Windows\SysWOW64\Iedjmioj.exe | Iojbpo32.exe
File created | C:\Windows\SysWOW64\Lpghll32.dll | Ojajin32.exe
File created | C:\Windows\SysWOW64\Chlflabp.exe | Cdpjlb32.exe
File created | C:\Windows\SysWOW64\Cajdjn32.dll | Knqepc32.exe
File created | C:\Windows\SysWOW64\Ddifgk32.exe | Dhbebj32.exe
File opened for modification | C:\Windows\SysWOW64\Bhpofl32.exe | Bddcenpi.exe
File created | C:\Windows\SysWOW64\Pmkofa32.exe | Ppgomnai.exe
File created | C:\Windows\SysWOW64\Gdiakp32.exe | Gbkdod32.exe
File created | C:\Windows\SysWOW64\Dodjjimm.exe | Dmennnni.exe
File opened for modification | C:\Windows\SysWOW64\Bpfkpp32.exe | Bmhocd32.exe
File created | C:\Windows\SysWOW64\Elfahb32.dll | Dcphdqmj.exe
File created | C:\Windows\SysWOW64\Adhdjpjf.exe | Aajhndkb.exe
File created | C:\Windows\SysWOW64\Ofkhal32.dll | Bdojjo32.exe
File opened for modification | C:\Windows\SysWOW64\Ebaplnie.exe | Doccpcja.exe
File created | C:\Windows\SysWOW64\Mlljnf32.exe | Mbgeqmjp.exe
File opened for modification | C:\Windows\SysWOW64\Adjjeieh.exe | Aalmimfd.exe
File created | C:\Windows\SysWOW64\Dmlkhofd.exe | Cdecgbfa.exe
File opened for modification | C:\Windows\SysWOW64\Njfkmphe.exe | Nclbpf32.exe
File opened for modification | C:\Windows\SysWOW64\Qfmmplad.exe | Qdoacabq.exe
File created | C:\Windows\SysWOW64\Dbocfo32.exe | Doagjc32.exe
File created | C:\Windows\SysWOW64\Ddnobj32.exe | Dbocfo32.exe
File created | C:\Windows\SysWOW64\Dickplko.exe | Dgdncplk.exe
File opened for modification | C:\Windows\SysWOW64\Eafbmgad.exe | Ekljpm32.exe
File opened for modification | C:\Windows\SysWOW64\Gnmlhf32.exe | Ggccllai.exe
File opened for modification | C:\Windows\SysWOW64\Dmennnni.exe | Dflfac32.exe
File opened for modification | C:\Windows\SysWOW64\Bpqjjjjl.exe | Bmbnnn32.exe
File created | C:\Windows\SysWOW64\Hhlpmmgb.dll | Kodnmkap.exe
File created | C:\Windows\SysWOW64\Dgbanq32.exe | Ddcebe32.exe
File created | C:\Windows\SysWOW64\Jimldogg.exe | Jlikkkhn.exe
File opened for modification | C:\Windows\SysWOW64\Fmmmfj32.exe | Fefedmil.exe
File created | C:\Windows\SysWOW64\Aamknj32.exe | Akccap32.exe
File created | C:\Windows\SysWOW64\Cdmoafdb.exe | Cmbgdl32.exe
File opened for modification | C:\Windows\SysWOW64\Jmeede32.exe | Jgkmgk32.exe
File created | C:\Windows\SysWOW64\Ocohmc32.exe | Omdppiif.exe
File created | C:\Windows\SysWOW64\Enfhldel.dll | Qapnmopa.exe
File opened for modification | C:\Windows\SysWOW64\Gnohnffc.exe | Gcjdam32.exe
File created | C:\Windows\SysWOW64\Jflbhhom.dll | Fefedmil.exe
File created | C:\Windows\SysWOW64\Inpoggcb.dll | Qjhbfd32.exe
File created | C:\Windows\SysWOW64\Aimogakj.exe | Abcgjg32.exe
File created | C:\Windows\SysWOW64\Jepjhg32.exe | Jcanll32.exe
File opened for modification | C:\Windows\SysWOW64\Chfegk32.exe | Conanfli.exe
File created | C:\Windows\SysWOW64\Jmbpjm32.dll | Cmedjl32.exe
File opened for modification | C:\Windows\SysWOW64\Eaceghcg.exe | Ejlnfjbd.exe
File created | C:\Windows\SysWOW64\Mdgmickl.dll | Pmoiqneg.exe
File created | C:\Windows\SysWOW64\Mklbeh32.dll | Bheplb32.exe
File created | C:\Windows\SysWOW64\Ogbdnipf.dll | Fihnomjp.exe
File opened for modification | C:\Windows\SysWOW64\Bpdnjple.exe | Bmeandma.exe
File created | C:\Windows\SysWOW64\Klhacomg.dll | Abfdpfaj.exe
File created | C:\Windows\SysWOW64\Epmmqheb.exe | Emoadlfo.exe
File opened for modification | C:\Windows\SysWOW64\Phajna32.exe | Phonha32.exe
File opened for modification | C:\Windows\SysWOW64\Kpiqfima.exe | Jahqiaeb.exe
File created | C:\Windows\SysWOW64\Hfhgkmpj.exe | Hoaojp32.exe
File opened for modification | C:\Windows\SysWOW64\Cienon32.exe | Cgfbbb32.exe
File created | C:\Windows\SysWOW64\Jllokajf.exe | Jebfng32.exe
File created | C:\Windows\SysWOW64\Fohhdm32.dll | Cildom32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
13344 | 13560 | WerFault.exe | 728
Modifies registry class (64 IoCs)
description | ioc | Process
All 64 rows are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the in-process server of the CLSID that "Adds autorun key" registers under ShellServiceObjectDelayLoad. The rows are grouped by operation below (the original lists one row per process). Each process points the same CLSID at a different dropped DLL, so the value present on a given host is whichever process wrote it last; a hunt should key on the CLSID and the "Web Event Logger" value name rather than on any one DLL name.
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (20 processes):
  Bpdnjple.exe, Phodcg32.exe, Camddhoi.exe, Aadghn32.exe, Lfgipd32.exe, Mgnlkfal.exe, Egened32.exe, Boeebnhp.exe, Ppgomnai.exe, Bllbaa32.exe, Bfkbfd32.exe, Gnmlhf32.exe, Domdjj32.exe, Fnipbc32.exe, Mogcihaj.exe, Poimpapp.exe, Hehkajig.exe, Gndick32.exe, Eicedn32.exe, Nnbnhedj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" (24 processes):
  Mjjkaabc.exe, Qapnmopa.exe, Adjjeieh.exe, Dcphdqmj.exe, Aopemh32.exe, Mljmhflh.exe, Obnehj32.exe, Lckiihok.exe, Babcil32.exe, Gaebef32.exe, Bpfkpp32.exe, Ieojgc32.exe, Ojbacd32.exe, Biklho32.exe, Fflohaij.exe, Bnoknihb.exe, Egened32.exe, Qjffpe32.exe, Plbfdekd.exe, Jldbpl32.exe, Nccokk32.exe, Bnoddcef.exe, Adepji32.exe, Kpjgaoqm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ (default) = DLL path (20 processes; value data as the report escapes it):
  "C:\\Windows\\SysWow64\\Hkajlm32.dll" | Ahpmjejp.exe
  "C:\\Windows\\SysWow64\\Hjaqmkhl.dll" | Jemfhacc.exe
  "C:\\Windows\\SysWow64\\Ockkandf.dll" | Qdphngfl.exe
  "C:\\Windows\\SysWow64\\Gjpank32.dll" | Boeebnhp.exe
  "C:\\Windows\\SysWow64\\Mdpmoppk.dll" | Ponfka32.exe
  "C:\\Windows\\SysWow64\\Goniok32.dll" | Ihdldn32.exe
  "C:\\Windows\\SysWow64\\Plikcm32.dll" | Bpdnjple.exe
  "C:\\Windows\\SysWow64\\Eknphfld.dll" | Bfkbfd32.exe
  "C:\\Windows\\SysWow64\\Acankf32.dll" | Doagjc32.exe
  "C:\\Windows\\SysWow64\\Jlobem32.dll" | Cdimqm32.exe
  "C:\\Windows\\SysWow64\\Daqfhf32.dll" | Cmbgdl32.exe
  "C:\\Windows\\SysWow64\\Khliclno.dll" | Plbfdekd.exe
  "C:\\Windows\\SysWow64\\Qgaeof32.dll" | Aknbkjfh.exe
  "C:\\Windows\\SysWow64\\Fjcgfjdk.dll" | Nelfeo32.exe
  "C:\\Windows\\SysWow64\\Lkhpjc32.dll" | Cnfaohbj.exe
  "C:\\Windows\\SysWow64\\Kpqfid32.dll" | Gkdpbpih.exe
  "C:\\Windows\\SysWow64\\Nmocfo32.dll" | Qhhpop32.exe
  "C:\\Windows\\SysWow64\\Klhacomg.dll" | Abfdpfaj.exe
  "C:\\Windows\\SysWow64\\Bkncfepb.dll" | Mqafhl32.exe
  "C:\\Windows\\SysWow64\\Nalhik32.dll" | Cogddd32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | writes
The report records each spawn as three identical "wrote to memory" rows (parent writing into the newly created child); they are collapsed here into one row per parent/child pair with a count. The table stops at the 64-row cap, so the last pair shows a single write. The pairs form one straight chain: every process starts exactly one successor.
3908 wrote to memory of 1928 | 3908 | a9704399236b728a51291a3104a11f797d480ba87a59d507017ff391f97be44e_NeikiAnalytics.exe | 88 | x3
1928 wrote to memory of 4356 | 1928 | Mjokgg32.exe | 89 | x3
4356 wrote to memory of 3052 | 4356 | Mchppmij.exe | 90 | x3
3052 wrote to memory of 4484 | 3052 | Mjahlgpf.exe | 91 | x3
4484 wrote to memory of 4644 | 4484 | Mmpdhboj.exe | 92 | x3
4644 wrote to memory of 3448 | 4644 | Megljppl.exe | 93 | x3
3448 wrote to memory of 2236 | 3448 | Mkadfj32.exe | 94 | x3
2236 wrote to memory of 4708 | 2236 | Mnpabe32.exe | 95 | x3
4708 wrote to memory of 2892 | 4708 | Manmoq32.exe | 96 | x3
2892 wrote to memory of 448 | 2892 | Nclikl32.exe | 97 | x3
448 wrote to memory of 2244 | 448 | Nlcalieg.exe | 98 | x3
2244 wrote to memory of 820 | 2244 | Nnbnhedj.exe | 99 | x3
820 wrote to memory of 3844 | 820 | Nelfeo32.exe | 100 | x3
3844 wrote to memory of 4556 | 3844 | Ngjbaj32.exe | 101 | x3
4556 wrote to memory of 1800 | 4556 | Njinmf32.exe | 102 | x3
1800 wrote to memory of 3812 | 1800 | Nndjndbh.exe | 103 | x3
3812 wrote to memory of 5004 | 3812 | Nabfjpak.exe | 104 | x3
5004 wrote to memory of 3532 | 5004 | Nhmofj32.exe | 105 | x3
3532 wrote to memory of 928 | 3532 | Nlhkgi32.exe | 106 | x3
928 wrote to memory of 3948 | 928 | Nnfgcd32.exe | 107 | x3
3948 wrote to memory of 3540 | 3948 | Neqopnhb.exe | 108 | x3
3540 wrote to memory of 4852 | 3540 | Nccokk32.exe | 109 | x1 (table cut off)
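The signature tables above arrive as run-together text, and the useful triage facts (which value name and CLSID give persistence, which DLLs that CLSID is pointed at, which process started which) are spread across three of them. The script below is an added example, not tooling from the sandbox vendor or anything the report itself provides: it splits the flattened entries, resolves the ShellServiceObjectDelayLoad value to its CLSID and InProcServer32 DLL paths, lists the System32 drops, and collapses the repeated WriteProcessMemory rows into the process chain. The embedded input lines are copied from this report; the function names, the output shapes and the assumption that the layout is exactly "description ioc Process" as printed here are the example's own.

```python
"""Triage helper for the flattened IoC tables above (added example; not tooling from the
sandbox vendor or from the report). Splits run-together registry, file-drop and
WriteProcessMemory entries, resolves the ShellServiceObjectDelayLoad (SSODL) value to its CLSID
and InProcServer32 DLLs, and collapses repeated memory writes into a process chain."""
import re
from collections import defaultdict

SAMPLE = "a9704399236b728a51291a3104a11f797d480ba87a59d507017ff391f97be44e_NeikiAnalytics.exe"

# Constructed sample input: entries copied verbatim from the report, some run together on one
# line exactly as the flattened report presents them.
REGISTRY_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiipmhmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knenkbio.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkajlm32.dll" Ahpmjejp.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjjkaabc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll" Bpdnjple.exe',
]
FILE_LINE = (r"File created C:\Windows\SysWOW64\Phodcg32.exe Paelfmaf.exe "
             r"File created C:\Windows\SysWOW64\Klhacomg.dll Abfdpfaj.exe "
             r"File opened for modification C:\Windows\SysWOW64\Phigif32.exe Pdmkhgho.exe")
# The report records every spawn as three 'wrote to memory' rows; "* 3" reproduces that.
WPM_LINE = (f"PID 3908 wrote to memory of 1928 3908 {SAMPLE} 88 " * 3
            + "PID 1928 wrote to memory of 4356 1928 Mjokgg32.exe 89 " * 3
            + "PID 4356 wrote to memory of 3052 4356 Mchppmij.exe 90 " * 3)
DROPPED_EXE_LINE = "1928 Mjokgg32.exe 4356 Mchppmij.exe 3052 Mjahlgpf.exe"  # "pid Process" pairs

ENTRY_SPLIT = re.compile(r"(?=(?:Key created|Set value \(str\)|File created|File opened for modification) )")
REG_RE = re.compile(r'(Key created|Set value \(str\)) (.+?)(?: = "(.*?)")? (\S+\.exe)$')
FILE_RE = re.compile(r"(File created|File opened for modification) (\S+) (\S+\.exe)")
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def parse_registry(lines):
    """One dict per registry operation: op, key, data (None for 'Key created') and process."""
    recs = []
    for line in lines:
        for entry in filter(None, (e.strip() for e in ENTRY_SPLIT.split(line))):
            m = REG_RE.match(entry)
            if m:  # header fragments and anything unrecognised are skipped
                op, key, data, proc = m.groups()
                if data is not None:
                    data = data.replace("\\\\", "\\")  # the report doubles backslashes in value data
                recs.append({"op": op, "key": key, "data": data, "process": proc})
    return recs


def ssodl_persistence(recs):
    """SSODL value name -> its CLSID, the DLLs registered as that CLSID's InProcServer32 and the
    processes that wrote the value. Explorer loads each SSODL CLSID in-process at shell start,
    so the DLL paths are the persistence payloads to collect from disk."""
    clsid_dlls = defaultdict(set)
    for r in recs:
        if r["data"] and r["key"].rstrip("\\").endswith("InProcServer32"):  # the (default) value
            m = CLSID_RE.search(r["key"])
            if m:
                clsid_dlls[m.group(0).upper()].add(r["data"])
    found = {}
    for r in recs:
        if "ShellServiceObjectDelayLoad\\" in r["key"] and r["data"] and CLSID_RE.fullmatch(r["data"]):
            name, clsid = r["key"].rsplit("\\", 1)[1], r["data"].upper()
            hit = found.setdefault(name, {"clsid": clsid, "dlls": set(), "writers": set()})
            hit["dlls"] |= clsid_dlls.get(clsid, set())
            hit["writers"].add(r["process"])
    return found


def dropped_files(lines):
    """{path: set(processes)} for files created or opened for modification under System32."""
    files = defaultdict(set)
    for line in lines:
        for _op, path, proc in FILE_RE.findall(line):
            files[path].add(proc)
    return dict(files)


def process_chain(wpm_lines, dropped_exe_line=""):
    """Collapse repeated 'wrote to memory' rows into parent->child edges with a write count, then
    walk from the root (the one pid that is never a target). The leaf's name comes from the
    'Executes dropped EXE' pid/Process list, because the leaf never appears as a writer."""
    names = {int(p): n for p, n in re.findall(r"(\d+) (\S+\.exe)", dropped_exe_line)}
    edges = {}
    for line in wpm_lines:
        for parent, child, pname, _target in EDGE_RE.findall(line):
            parent, child = int(parent), int(child)
            names[parent] = pname
            edges[(parent, child)] = edges.get((parent, child), 0) + 1
    targets = {c for _, c in edges}
    roots = [p for p, _ in edges if p not in targets]
    chain, pid = [], (roots[0] if roots else None)
    while pid is not None:
        chain.append((pid, names.get(pid)))
        children = [c for p, c in edges if p == pid]
        pid = children[0] if children else None  # one child per parent in this report
    return chain, edges


if __name__ == "__main__":
    for name, h in ssodl_persistence(parse_registry(REGISTRY_LINES)).items():
        print(f"SSODL {name!r} -> {h['clsid']} -> {sorted(h['dlls'])} set by {sorted(h['writers'])}")
    for path, procs in dropped_files([FILE_LINE]).items():
        print(f"dropped {path} by {sorted(procs)}")
    chain, edges = process_chain([WPM_LINE], DROPPED_EXE_LINE)
    print(" -> ".join(f"{pid}:{name}" for pid, name in chain), f"({sum(edges.values())} writes)")
```

To run it over the whole report, paste each signature section's flattened line(s) into the corresponding list; unrecognised text such as the "description ioc Process" header is ignored by the regexes. The registry parser keys on the InProcServer32 (default) value and the SSODL value data rather than on DLL names, which is the right granularity here since every process in the chain rewrites the same CLSID to point at a different DLL.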
Processes
-
Process tree. Every entry is a direct child of the entry above it: the first line gives the depth in the tree, the image path the sandbox resolved and the PID, the second line the command line the parent passed, and the remaining lines the signatures the sandbox attached to that process. From depth 2 on, the image path is under C:\Windows\SysWOW64 while the command line names C:\Windows\system32: that is WOW64 file system redirection, which maps a 32-bit caller's reference to system32 onto SysWOW64, so each stage is one dropped file, not two. The sandbox caps each signature's list of IoCs, so tags stop appearing on later stages (Executes dropped EXE is attached to exactly 64 processes, depth 2 through 65, and Suspicious use of WriteProcessMemory to the first 22) even though the chain continues; a missing tag on a deep stage is a display limit, not evidence that the behaviour stopped.
-
depth 1  C:\Users\Admin\AppData\Local\Temp\a9704399236b728a51291a3104a11f797d480ba87a59d507017ff391f97be44e_NeikiAnalytics.exe  PID 3908
  command line: "C:\Users\Admin\AppData\Local\Temp\a9704399236b728a51291a3104a11f797d480ba87a59d507017ff391f97be44e_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory
depth 2  C:\Windows\SysWOW64\Mjokgg32.exe  PID 1928
  command line: C:\Windows\system32\Mjokgg32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 3  C:\Windows\SysWOW64\Mchppmij.exe  PID 4356
  command line: C:\Windows\system32\Mchppmij.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 4  C:\Windows\SysWOW64\Mjahlgpf.exe  PID 3052
  command line: C:\Windows\system32\Mjahlgpf.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 5  C:\Windows\SysWOW64\Mmpdhboj.exe  PID 4484
  command line: C:\Windows\system32\Mmpdhboj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 6  C:\Windows\SysWOW64\Megljppl.exe  PID 4644
  command line: C:\Windows\system32\Megljppl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 7  C:\Windows\SysWOW64\Mkadfj32.exe  PID 3448
  command line: C:\Windows\system32\Mkadfj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 8  C:\Windows\SysWOW64\Mnpabe32.exe  PID 2236
  command line: C:\Windows\system32\Mnpabe32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 9  C:\Windows\SysWOW64\Manmoq32.exe  PID 4708
  command line: C:\Windows\system32\Manmoq32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 10  C:\Windows\SysWOW64\Nclikl32.exe  PID 2892
  command line: C:\Windows\system32\Nclikl32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 11  C:\Windows\SysWOW64\Nlcalieg.exe  PID 448
  command line: C:\Windows\system32\Nlcalieg.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 12  C:\Windows\SysWOW64\Nnbnhedj.exe  PID 2244
  command line: C:\Windows\system32\Nnbnhedj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 13  C:\Windows\SysWOW64\Nelfeo32.exe  PID 820
  command line: C:\Windows\system32\Nelfeo32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 14  C:\Windows\SysWOW64\Ngjbaj32.exe  PID 3844
  command line: C:\Windows\system32\Ngjbaj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 15  C:\Windows\SysWOW64\Njinmf32.exe  PID 4556
  command line: C:\Windows\system32\Njinmf32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 16  C:\Windows\SysWOW64\Nndjndbh.exe  PID 1800
  command line: C:\Windows\system32\Nndjndbh.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 17  C:\Windows\SysWOW64\Nabfjpak.exe  PID 3812
  command line: C:\Windows\system32\Nabfjpak.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 18  C:\Windows\SysWOW64\Nhmofj32.exe  PID 5004
  command line: C:\Windows\system32\Nhmofj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 19  C:\Windows\SysWOW64\Nlhkgi32.exe  PID 3532
  command line: C:\Windows\system32\Nlhkgi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 20  C:\Windows\SysWOW64\Nnfgcd32.exe  PID 928
  command line: C:\Windows\system32\Nnfgcd32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 21  C:\Windows\SysWOW64\Neqopnhb.exe  PID 3948
  command line: C:\Windows\system32\Neqopnhb.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 22  C:\Windows\SysWOW64\Nccokk32.exe  PID 3540
  command line: C:\Windows\system32\Nccokk32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 23  C:\Windows\SysWOW64\Nhokljge.exe  PID 4852
  command line: C:\Windows\system32\Nhokljge.exe
  - Executes dropped EXE
depth 24  C:\Windows\SysWOW64\Njmhhefi.exe  PID 824
  command line: C:\Windows\system32\Njmhhefi.exe
  - Executes dropped EXE
depth 25  C:\Windows\SysWOW64\Neclenfo.exe  PID 4012
  command line: C:\Windows\system32\Neclenfo.exe
  - Executes dropped EXE
depth 26  C:\Windows\SysWOW64\Nlmdbh32.exe  PID 3316
  command line: C:\Windows\system32\Nlmdbh32.exe
  - Executes dropped EXE
depth 27  C:\Windows\SysWOW64\Nmnqjp32.exe  PID 2384
  command line: C:\Windows\system32\Nmnqjp32.exe
  - Executes dropped EXE
depth 28  C:\Windows\SysWOW64\Oeehkn32.exe  PID 2984
  command line: C:\Windows\system32\Oeehkn32.exe
  - Executes dropped EXE
depth 29  C:\Windows\SysWOW64\Ojbacd32.exe  PID 1432
  command line: C:\Windows\system32\Ojbacd32.exe
  - Executes dropped EXE
  - Modifies registry class
depth 30  C:\Windows\SysWOW64\Oalipoiq.exe  PID 4308
  command line: C:\Windows\system32\Oalipoiq.exe
  - Executes dropped EXE
depth 31  C:\Windows\SysWOW64\Ohfami32.exe  PID 224
  command line: C:\Windows\system32\Ohfami32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
depth 32  C:\Windows\SysWOW64\Onpjichj.exe  PID 5028
  command line: C:\Windows\system32\Onpjichj.exe
  - Executes dropped EXE
depth 33  C:\Windows\SysWOW64\Oanfen32.exe  PID 4812
  command line: C:\Windows\system32\Oanfen32.exe
  - Executes dropped EXE
depth 34  C:\Windows\SysWOW64\Odmbaj32.exe  PID 4816
  command line: C:\Windows\system32\Odmbaj32.exe
  - Executes dropped EXE
depth 35  C:\Windows\SysWOW64\Ohhnbhok.exe  PID 4032
  command line: C:\Windows\system32\Ohhnbhok.exe
  - Executes dropped EXE
depth 36  C:\Windows\SysWOW64\Ojgjndno.exe  PID 404
  command line: C:\Windows\system32\Ojgjndno.exe
  - Executes dropped EXE
depth 37  C:\Windows\SysWOW64\Oobfob32.exe  PID 2992
  command line: C:\Windows\system32\Oobfob32.exe
  - Executes dropped EXE
depth 38  C:\Windows\SysWOW64\Oaqbkn32.exe  PID 1180
  command line: C:\Windows\system32\Oaqbkn32.exe
  - Executes dropped EXE
depth 39  C:\Windows\SysWOW64\Odoogi32.exe  PID 3504
  command line: C:\Windows\system32\Odoogi32.exe
  - Executes dropped EXE
depth 40  C:\Windows\SysWOW64\Ohkkhhmh.exe  PID 1940
  command line: C:\Windows\system32\Ohkkhhmh.exe
  - Executes dropped EXE
  - Drops file in System32 directory
depth 41  C:\Windows\SysWOW64\Olfghg32.exe  PID 1956
  command line: C:\Windows\system32\Olfghg32.exe
  - Executes dropped EXE
depth 42  C:\Windows\SysWOW64\Oodcdb32.exe  PID 1948
  command line: C:\Windows\system32\Oodcdb32.exe
  - Executes dropped EXE
depth 43  C:\Windows\SysWOW64\Omgcpokp.exe  PID 2796
  command line: C:\Windows\system32\Omgcpokp.exe
  - Executes dropped EXE
depth 44  C:\Windows\SysWOW64\Oeokal32.exe  PID 1684
  command line: C:\Windows\system32\Oeokal32.exe
  - Executes dropped EXE
depth 45  C:\Windows\SysWOW64\Odalmibl.exe  PID 2424
  command line: C:\Windows\system32\Odalmibl.exe
  - Executes dropped EXE
depth 46  C:\Windows\SysWOW64\Olicnfco.exe  PID 4676
  command line: C:\Windows\system32\Olicnfco.exe
  - Executes dropped EXE
depth 47  C:\Windows\SysWOW64\Okkdic32.exe  PID 2324
  command line: C:\Windows\system32\Okkdic32.exe
  - Executes dropped EXE
depth 48  C:\Windows\SysWOW64\Omjpeo32.exe  PID 5060
  command line: C:\Windows\system32\Omjpeo32.exe
  - Executes dropped EXE
depth 49  C:\Windows\SysWOW64\Paelfmaf.exe  PID 1324
  command line: C:\Windows\system32\Paelfmaf.exe
  - Executes dropped EXE
  - Drops file in System32 directory
depth 50  C:\Windows\SysWOW64\Phodcg32.exe  PID 3548
  command line: C:\Windows\system32\Phodcg32.exe
  - Executes dropped EXE
  - Modifies registry class
depth 51  C:\Windows\SysWOW64\Poimpapp.exe  PID 3084
  command line: C:\Windows\system32\Poimpapp.exe
  - Executes dropped EXE
  - Modifies registry class
depth 52  C:\Windows\SysWOW64\Pmlmkn32.exe  PID 1912
  command line: C:\Windows\system32\Pmlmkn32.exe
  - Executes dropped EXE
depth 53  C:\Windows\SysWOW64\Pdfehh32.exe  PID 2828
  command line: C:\Windows\system32\Pdfehh32.exe
  - Executes dropped EXE
depth 54  C:\Windows\SysWOW64\Phaahggp.exe  PID 5052
  command line: C:\Windows\system32\Phaahggp.exe
  - Executes dropped EXE
depth 55  C:\Windows\SysWOW64\Pkpmdbfd.exe  PID 1392
  command line: C:\Windows\system32\Pkpmdbfd.exe
  - Executes dropped EXE
depth 56  C:\Windows\SysWOW64\Pmoiqneg.exe  PID 3496
  command line: C:\Windows\system32\Pmoiqneg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
depth 57  C:\Windows\SysWOW64\Pefabkej.exe  PID 3728
  command line: C:\Windows\system32\Pefabkej.exe
  - Executes dropped EXE
depth 58  C:\Windows\SysWOW64\Phdnngdn.exe  PID 5008
  command line: C:\Windows\system32\Phdnngdn.exe
  - Executes dropped EXE
depth 59  C:\Windows\SysWOW64\Plpjoe32.exe  PID 1292
  command line: C:\Windows\system32\Plpjoe32.exe
  - Executes dropped EXE
depth 60  C:\Windows\SysWOW64\Ponfka32.exe  PID 2416
  command line: C:\Windows\system32\Ponfka32.exe
  - Executes dropped EXE
  - Modifies registry class
depth 61  C:\Windows\SysWOW64\Palbgl32.exe  PID 1916
  command line: C:\Windows\system32\Palbgl32.exe
  - Executes dropped EXE
depth 62  C:\Windows\SysWOW64\Pdkoch32.exe  PID 3852
  command line: C:\Windows\system32\Pdkoch32.exe
  - Executes dropped EXE
depth 63  C:\Windows\SysWOW64\Plbfdekd.exe  PID 1136
  command line: C:\Windows\system32\Plbfdekd.exe
  - Executes dropped EXE
  - Modifies registry class
depth 64  C:\Windows\SysWOW64\Popbpqjh.exe  PID 456
  command line: C:\Windows\system32\Popbpqjh.exe
  - Executes dropped EXE
depth 65  C:\Windows\SysWOW64\Pmcclm32.exe  PID 980
  command line: C:\Windows\system32\Pmcclm32.exe
  - Executes dropped EXE
depth 66  C:\Windows\SysWOW64\Pdmkhgho.exe  PID 2284
  command line: C:\Windows\system32\Pdmkhgho.exe
  - Drops file in System32 directory
depth 67  C:\Windows\SysWOW64\Phigif32.exe  PID 2568
  command line: C:\Windows\system32\Phigif32.exe
depth 68  C:\Windows\SysWOW64\Pkgcea32.exe  PID 3112
  command line: C:\Windows\system32\Pkgcea32.exe
depth 69  C:\Windows\SysWOW64\Qmepam32.exe  PID 2552
  command line: C:\Windows\system32\Qmepam32.exe
depth 70  C:\Windows\SysWOW64\Qaalblgi.exe  PID 4304
  command line: C:\Windows\system32\Qaalblgi.exe
depth 71  C:\Windows\SysWOW64\Qdphngfl.exe  PID 4216
  command line: C:\Windows\system32\Qdphngfl.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
depth 72  C:\Windows\SysWOW64\Qlgpod32.exe  PID 1408
  command line: C:\Windows\system32\Qlgpod32.exe
depth 73  C:\Windows\SysWOW64\Qoelkp32.exe  PID 5024
  command line: C:\Windows\system32\Qoelkp32.exe
depth 74  C:\Windows\SysWOW64\Qeodhjmo.exe  PID 912
  command line: C:\Windows\system32\Qeodhjmo.exe
depth 75  C:\Windows\SysWOW64\Qdbdcg32.exe  PID 3100
  command line: C:\Windows\system32\Qdbdcg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 76  C:\Windows\SysWOW64\Qklmpalf.exe  PID 868
  command line: C:\Windows\system32\Qklmpalf.exe
depth 77  C:\Windows\SysWOW64\Aogiap32.exe  PID 1668
  command line: C:\Windows\system32\Aogiap32.exe
depth 78  C:\Windows\SysWOW64\Aeaanjkl.exe  PID 5000
  command line: C:\Windows\system32\Aeaanjkl.exe
depth 79  C:\Windows\SysWOW64\Ahpmjejp.exe  PID 2168
  command line: C:\Windows\system32\Ahpmjejp.exe
  - Modifies registry class
depth 80  C:\Windows\SysWOW64\Alkijdci.exe  PID 2752
  command line: C:\Windows\system32\Alkijdci.exe
depth 81  C:\Windows\SysWOW64\Aojefobm.exe  PID 4584
  command line: C:\Windows\system32\Aojefobm.exe
depth 82  C:\Windows\SysWOW64\Aednci32.exe  PID 1420
  command line: C:\Windows\system32\Aednci32.exe
depth 83  C:\Windows\SysWOW64\Ahbjoe32.exe  PID 1300
  command line: C:\Windows\system32\Ahbjoe32.exe
depth 84  C:\Windows\SysWOW64\Akqfkp32.exe  PID 4664
  command line: C:\Windows\system32\Akqfkp32.exe
depth 85  C:\Windows\SysWOW64\Anobgl32.exe  PID 3568
  command line: C:\Windows\system32\Anobgl32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 86  C:\Windows\SysWOW64\Aefjii32.exe  PID 1704
  command line: C:\Windows\system32\Aefjii32.exe
depth 87  C:\Windows\SysWOW64\Ahdged32.exe  PID 5124
  command line: C:\Windows\system32\Ahdged32.exe
depth 88  C:\Windows\SysWOW64\Akccap32.exe  PID 5172
  command line: C:\Windows\system32\Akccap32.exe
  - Drops file in System32 directory
depth 89  C:\Windows\SysWOW64\Aamknj32.exe  PID 5216
  command line: C:\Windows\system32\Aamknj32.exe
depth 90  C:\Windows\SysWOW64\Ahgcjddh.exe  PID 5264
  command line: C:\Windows\system32\Ahgcjddh.exe
depth 91  C:\Windows\SysWOW64\Akepfpcl.exe  PID 5300
  command line: C:\Windows\system32\Akepfpcl.exe
depth 92  C:\Windows\SysWOW64\Aaohcj32.exe  PID 5352
  command line: C:\Windows\system32\Aaohcj32.exe
depth 93  C:\Windows\SysWOW64\Aekddhcb.exe  PID 5392
  command line: C:\Windows\system32\Aekddhcb.exe
depth 94  C:\Windows\SysWOW64\Ahippdbe.exe  PID 5436
  command line: C:\Windows\system32\Ahippdbe.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 95  C:\Windows\SysWOW64\Alelqb32.exe  PID 5488
  command line: C:\Windows\system32\Alelqb32.exe
depth 96  C:\Windows\SysWOW64\Akglloai.exe  PID 5528
  command line: C:\Windows\system32\Akglloai.exe
depth 97  C:\Windows\SysWOW64\Bnfihkqm.exe  PID 5576
  command line: C:\Windows\system32\Bnfihkqm.exe
depth 98  C:\Windows\SysWOW64\Bemqih32.exe  PID 5624
  command line: C:\Windows\system32\Bemqih32.exe
depth 99  C:\Windows\SysWOW64\Bdpaeehj.exe  PID 5676
  command line: C:\Windows\system32\Bdpaeehj.exe
depth 100  C:\Windows\SysWOW64\Bhkmec32.exe  PID 5716
  command line: C:\Windows\system32\Bhkmec32.exe
depth 101  C:\Windows\SysWOW64\Boeebnhp.exe  PID 5764
  command line: C:\Windows\system32\Boeebnhp.exe
  - Modifies registry class
depth 102  C:\Windows\SysWOW64\Boeebnhp.exe  PID 5796
  command line: C:\Windows\system32\Boeebnhp.exe
  - Modifies registry class
depth 103  C:\Windows\SysWOW64\Bnhenj32.exe  PID 5836
  command line: C:\Windows\system32\Bnhenj32.exe
depth 104  C:\Windows\SysWOW64\Badanigc.exe  PID 5876
  command line: C:\Windows\system32\Badanigc.exe
depth 105  C:\Windows\SysWOW64\Bdbnjdfg.exe  PID 5924
  command line: C:\Windows\system32\Bdbnjdfg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 106  C:\Windows\SysWOW64\Bhnikc32.exe  PID 5968
  command line: C:\Windows\system32\Bhnikc32.exe
depth 107  C:\Windows\SysWOW64\Blielbfi.exe  PID 6008
  command line: C:\Windows\system32\Blielbfi.exe
depth 108  C:\Windows\SysWOW64\Bohbhmfm.exe  PID 6056
  command line: C:\Windows\system32\Bohbhmfm.exe
depth 109  C:\Windows\SysWOW64\Bnkbcj32.exe  PID 6100
  command line: C:\Windows\system32\Bnkbcj32.exe
depth 110  C:\Windows\SysWOW64\Bafndi32.exe  PID 1756
  command line: C:\Windows\system32\Bafndi32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 111  C:\Windows\SysWOW64\Bebjdgmj.exe  PID 5200
  command line: C:\Windows\system32\Bebjdgmj.exe
depth 112  C:\Windows\SysWOW64\Bhpfqcln.exe  PID 4160
  command line: C:\Windows\system32\Bhpfqcln.exe
depth 113  C:\Windows\SysWOW64\Bllbaa32.exe  PID 5296
  command line: C:\Windows\system32\Bllbaa32.exe
  - Modifies registry class
depth 114  C:\Windows\SysWOW64\Bkobmnka.exe  PID 5372
  command line: C:\Windows\system32\Bkobmnka.exe
depth 115  C:\Windows\SysWOW64\Bnmoijje.exe  PID 5444
  command line: C:\Windows\system32\Bnmoijje.exe
depth 116  C:\Windows\SysWOW64\Bahkih32.exe  PID 5496
  command line: C:\Windows\system32\Bahkih32.exe
depth 117  C:\Windows\SysWOW64\Bedgjgkg.exe  PID 5556
  command line: C:\Windows\system32\Bedgjgkg.exe
depth 118  C:\Windows\SysWOW64\Bhbcfbjk.exe  PID 5612
  command line: C:\Windows\system32\Bhbcfbjk.exe
depth 119  C:\Windows\SysWOW64\Blnoga32.exe  PID 5700
  command line: C:\Windows\system32\Blnoga32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 120  C:\Windows\SysWOW64\Bomkcm32.exe  PID 5772
  command line: C:\Windows\system32\Bomkcm32.exe
depth 121  C:\Windows\SysWOW64\Bnoknihb.exe  PID 5828
  command line: C:\Windows\system32\Bnoknihb.exe
  - Modifies registry class
depth 122  C:\Windows\SysWOW64\Bakgoh32.exe  PID 5884
  command line: C:\Windows\system32\Bakgoh32.exe
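Added example, not part of the sandbox report and not code from the sample: a Python parser for the two sections above (the WriteProcessMemory rows and the Processes tree, in the export format the sandbox produces) that cross-checks them so a chain this long can be verified mechanically rather than by eye. It checks that every parent-to-child link in the tree has a matching "wrote to memory of" row, that every stage's image sits under SysWOW64 while its command line names system32 (WOW64 file system redirection for a 32-bit caller), and that every dropped name fits the pattern this report's names follow. The sample rows are constructed from the lines above, with the 4556 to 1800 edge deliberately omitted so the consistency check has something to flag; the filename pattern is derived from this one report, not a family signature, and the "three rows per edge" observation is also just what this report shows.

```python
import re
from collections import Counter

# Rows from the report's WriteProcessMemory table, constructed here as sample
# input. The sandbox logs one row per call, so each parent->child edge appears
# three times. The edge 4556 -> 1800 is deliberately left out so that the
# consistency check below has something to report.
WRITE_ROWS = """
PID 2244 wrote to memory of 820 2244 Nnbnhedj.exe 99
PID 2244 wrote to memory of 820 2244 Nnbnhedj.exe 99
PID 2244 wrote to memory of 820 2244 Nnbnhedj.exe 99
PID 820 wrote to memory of 3844 820 Nelfeo32.exe 100
PID 820 wrote to memory of 3844 820 Nelfeo32.exe 100
PID 820 wrote to memory of 3844 820 Nelfeo32.exe 100
PID 3844 wrote to memory of 4556 3844 Ngjbaj32.exe 101
PID 3844 wrote to memory of 4556 3844 Ngjbaj32.exe 101
PID 3844 wrote to memory of 4556 3844 Ngjbaj32.exe 101
"""

# Five consecutive entries of the Processes tree in the sandbox's export
# format: image path, command line and depth marker run together on one
# line, one "- " line per signature, then "PID:n -" (or the PID fused onto
# the first line when the process carries no signatures).
TREE_TEXT = r"""
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Nndjndbh.exeC:\Windows\system32\Nndjndbh.exe16⤵PID:1800
"""

# "PID <src> wrote to memory of <dst> <src> <name> <n>": the source PID is
# repeated, so a back-reference guards against mis-split rows.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")
# image path, optional quote, command line, optional quote, depth, arrow,
# and an optional PID fused onto the same line.
HEAD_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.exe)"?'
    r'(?P<cmd>[A-Za-z]:\\[^"]*?\.exe)"?'
    r"(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$"
)
PID_RE = re.compile(r"^PID:(\d+)")
# Observed naming in this report: one capital, then either seven lowercase
# letters or five lowercase letters and "32". An assumption, not a rule.
NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")


def parse_writes(text):
    """Return Counter{(src_pid, dst_pid): number of logged calls}."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def parse_tree(text):
    """Return the tree entries in order as dicts (image, cmd, depth, pid, flags)."""
    procs, cur = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = HEAD_RE.match(line)
        if m:
            cur = {"image": m["image"], "cmd": m["cmd"],
                   "depth": int(m["depth"]),
                   "pid": int(m["pid"]) if m["pid"] else None, "flags": []}
            procs.append(cur)
        elif cur is not None and line.startswith("- "):
            cur["flags"].append(line[2:])
        elif cur is not None and (m := PID_RE.match(line)):
            cur["pid"] = int(m.group(1))
    return procs


def analyze(write_text, tree_text):
    """Cross-check the WriteProcessMemory rows against the process tree."""
    edges = parse_writes(write_text)
    procs = parse_tree(tree_text)
    by_depth = {p["depth"]: p for p in procs}
    broken, redirected, odd = [], [], []
    for p in procs:
        parent = by_depth.get(p["depth"] - 1)
        # Each stage's parent should appear as the writer into the child's
        # memory; a tree link with no such row deserves a closer look.
        if parent is not None and edges[(parent["pid"], p["pid"])] == 0:
            broken.append((parent["pid"], p["pid"]))
        # Image under SysWOW64 while the command line says system32 is the
        # footprint of WOW64 file system redirection for a 32-bit caller.
        if "\\syswow64\\" in p["image"].lower() and "\\system32\\" in p["cmd"].lower():
            redirected.append(p["pid"])
        name = p["image"].rsplit("\\", 1)[-1]
        if not NAME_RE.match(name):
            odd.append(name)
    return {
        "processes": len(procs),
        "edges": len(edges),
        "calls_per_edge": sorted(set(edges.values())),
        "broken_links": broken,
        "wow64_redirected": redirected,
        "off_pattern_names": odd,
        "flag_counts": Counter(f for p in procs for f in p["flags"]),
    }


if __name__ == "__main__":
    for key, value in analyze(WRITE_ROWS, TREE_TEXT).items():
        print(f"{key}: {value}")
```

On the constructed input the report shows five processes, three edges each logged three times, one broken link (4556, 1800) where the rows were left out, all five stages flagged as WOW64-redirected and no name outside the observed pattern. Feed it the full tables and a non-empty broken_links or off_pattern_names list is the place to start reading the raw log.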