Analysis
- max time kernel: 164s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/07/2024, 21:30
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 0ad3c7803a003628a64d340ee586b78bafb28b76b908a9ff52a1ea6299abff34_NeikiAnalytics.exe
  - Resource: win7-20240611-en
Behavioral task
- behavioral2
  - Sample: 0ad3c7803a003628a64d340ee586b78bafb28b76b908a9ff52a1ea6299abff34_NeikiAnalytics.exe
  - Resource: win10v2004-20240226-en
General
- Target: 0ad3c7803a003628a64d340ee586b78bafb28b76b908a9ff52a1ea6299abff34_NeikiAnalytics.exe
- Size: 768KB
- MD5: c0d1fc543d190593786d0eb695666fd0
- SHA1: bcc9dbe371e7aaec8059d2d148756d2132c3c4d6
- SHA256: 0ad3c7803a003628a64d340ee586b78bafb28b76b908a9ff52a1ea6299abff34
- SHA512: abb1376c1d3ba67983f0838ce91380887143386e058dceeec3d4858d9bca50388b80fb5a9b2dd6599c1b6f4702515ce039ed64ae92244067ffadaada17029198
- SSDEEP: 12288:pAvH6IvYvc6IveDVqvQ6IvTPh2kkkkK4kXkkkkkkkkl888888888888888888nug:y3q5hPPh2kkkkK4kXkkkkkkkkH
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emanepld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eceoanpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qpfokpoo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qecgcfmf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfbpfedp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kaajfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lppjnpem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkagndmc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hppedpkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abflfc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knldfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onifpodl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gofkckoe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njnpie32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkenkhec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qajhigcj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojhijjll.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqdnld32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpcedbjp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkopgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nffljjfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efgehe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjhdkajh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhaeli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdegkdim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npipnjmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldjodh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bblcda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hijohoki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imdgjlgb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pejdmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfgjad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlefebfg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqdbfa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkkdhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkkbnl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmnheggo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oendaipn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Befmpdmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmgfmg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlnpdc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ginenk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfglahbj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cggikk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kaajfe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pngbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nngoddkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmangnmg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hagnihom.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iobecl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehimkd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkaedk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npjelo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhpeelnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Biolkc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blpemn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kqdodo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elhnhm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hklpaeno.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mihbpalh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihagfb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkbcbp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjmllgjd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkbgeb32.exe
Executes dropped EXE (64 IoCs)
pid | Process
4848 | Cejaobel.exe
1820 | Fibfbm32.exe
796 | Ginenk32.exe
1396 | Hllkqdli.exe
3656 | Ihjafd32.exe
4700 | Jqklnp32.exe
1440 | Kqdodo32.exe
4748 | Mmpbkm32.exe
1404 | Nplkhf32.exe
2172 | Ogpfko32.exe
1020 | Odhppclh.exe
3032 | Aaofedkl.exe
3632 | Aqdbfa32.exe
4256 | Abdoqd32.exe
1800 | Abflfc32.exe
1848 | Kicfijal.exe
1928 | Kkdoje32.exe
4300 | Mmdekf32.exe
2344 | Mfofjk32.exe
4764 | Npgjbabk.exe
228 | Nffljjfc.exe
5016 | Ndjldo32.exe
1828 | Olgnnqpe.exe
4228 | Ojhnlh32.exe
3312 | Opjponbf.exe
1040 | Obkiqi32.exe
1140 | Pdjeklfj.exe
2748 | Pgmkbg32.exe
4340 | Pljcjn32.exe
1044 | Pkkdhe32.exe
3168 | Pdchakoo.exe
4492 | Qmlmjq32.exe
4216 | Alcfpm32.exe
3400 | Admkgifd.exe
2348 | Alhpkldp.exe
4932 | Adadbi32.exe
572 | Akkmocjl.exe
2004 | Bnobfn32.exe
1484 | Blflmj32.exe
3352 | Bcpdidol.exe
1324 | Bnehgmob.exe
1600 | Cmkehicj.exe
872 | Cgpjebcp.exe
2228 | Ccgjjc32.exe
2784 | Dmfecgim.exe
2316 | Dcqmpa32.exe
2012 | Djjemlhf.exe
4476 | Dccjfaog.exe
1112 | Dnhncjom.exe
4560 | Dcegkamd.exe
1192 | Dcgcaq32.exe
4664 | Dmphjfab.exe
1152 | Egelgoah.exe
4424 | Ejfeij32.exe
5028 | Egjebn32.exe
3388 | Eabjkdcc.exe
4004 | Elhnhm32.exe
2612 | Ecccmo32.exe
3304 | Fcjimnjl.exe
4272 | Gjkgkg32.exe
4000 | Gaepgacn.exe
4388 | Glajeiml.exe
800 | Hklpaeno.exe
4692 | Hlkmlhea.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Mkohln32.exe | Lfbpcgbl.exe
File opened for modification | C:\Windows\SysWOW64\Dofgklcb.exe | Djjobedk.exe
File created | C:\Windows\SysWOW64\Dgdeikmo.dll | Mhpeelnd.exe
File created | C:\Windows\SysWOW64\Bkkkif32.dll | Negoaj32.exe
File created | C:\Windows\SysWOW64\Hjgedjco.dll | Boknic32.exe
File created | C:\Windows\SysWOW64\Gnagco32.dll | Gjkgkg32.exe
File created | C:\Windows\SysWOW64\Mkdjpbad.dll | Cdiohhbm.exe
File opened for modification | C:\Windows\SysWOW64\Lpcedbjp.exe | Liimgh32.exe
File opened for modification | C:\Windows\SysWOW64\Pdchakoo.exe | Pkkdhe32.exe
File created | C:\Windows\SysWOW64\Gpelchhp.exe | Gjhdkajh.exe
File created | C:\Windows\SysWOW64\Jgdphm32.exe | Jgbccm32.exe
File created | C:\Windows\SysWOW64\Mgjkag32.exe | Mhenpk32.exe
File created | C:\Windows\SysWOW64\Deeipj32.dll | Ejpnin32.exe
File opened for modification | C:\Windows\SysWOW64\Bblcda32.exe | Blakhgoo.exe
File opened for modification | C:\Windows\SysWOW64\Pdjeklfj.exe | Obkiqi32.exe
File created | C:\Windows\SysWOW64\Kpnheh32.dll | Dcmjpl32.exe
File created | C:\Windows\SysWOW64\Jncapf32.exe | Jgiiclkl.exe
File opened for modification | C:\Windows\SysWOW64\Ibgmldnd.exe | Ikmepj32.exe
File created | C:\Windows\SysWOW64\Pmdkmnkd.exe | Pggbdgmm.exe
File created | C:\Windows\SysWOW64\Pbnanfnm.dll | Ginenk32.exe
File opened for modification | C:\Windows\SysWOW64\Hppedpkf.exe | Hifmhf32.exe
File created | C:\Windows\SysWOW64\Aonapp32.dll | Qebpipij.exe
File created | C:\Windows\SysWOW64\Hbpgle32.exe | Hmcocn32.exe
File opened for modification | C:\Windows\SysWOW64\Admkgifd.exe | Alcfpm32.exe
File created | C:\Windows\SysWOW64\Dcqmpa32.exe | Dmfecgim.exe
File opened for modification | C:\Windows\SysWOW64\Oijgmokc.exe | Nppfnige.exe
File opened for modification | C:\Windows\SysWOW64\Hbpgle32.exe | Hmcocn32.exe
File created | C:\Windows\SysWOW64\Bckecf32.dll | Npkmcj32.exe
File created | C:\Windows\SysWOW64\Giliddlo.dll | Hfajlp32.exe
File opened for modification | C:\Windows\SysWOW64\Lgnekcei.exe | Laqlclga.exe
File created | C:\Windows\SysWOW64\Oeaadmkh.dll | Fbkdjh32.exe
File created | C:\Windows\SysWOW64\Hpfdkiac.exe | Hillnoif.exe
File created | C:\Windows\SysWOW64\Blflmj32.exe | Bnobfn32.exe
File opened for modification | C:\Windows\SysWOW64\Idhgkcln.exe | Iokocmnf.exe
File opened for modification | C:\Windows\SysWOW64\Ipohpdbb.exe | Ionlhlld.exe
File created | C:\Windows\SysWOW64\Onifpodl.exe | Ogoncd32.exe
File created | C:\Windows\SysWOW64\Mdhkefnj.exe | Mahbck32.exe
File opened for modification | C:\Windows\SysWOW64\Eoaianan.exe | Eolpfo32.exe
File opened for modification | C:\Windows\SysWOW64\Dkbgeb32.exe | Cdiohhbm.exe
File created | C:\Windows\SysWOW64\Goconkah.exe | Ghjfaa32.exe
File opened for modification | C:\Windows\SysWOW64\Olgnnqpe.exe | Ndjldo32.exe
File created | C:\Windows\SysWOW64\Nmeikqpi.dll | Hklpaeno.exe
File created | C:\Windows\SysWOW64\Mlgpjh32.dll | Boaeioej.exe
File created | C:\Windows\SysWOW64\Dnqaheai.exe | Cggikk32.exe
File created | C:\Windows\SysWOW64\Fdqcaihb.dll | Lhiodm32.exe
File created | C:\Windows\SysWOW64\Mqkijnkp.exe | Mojmbf32.exe
File created | C:\Windows\SysWOW64\Kblfejda.dll | Ogpfko32.exe
File created | C:\Windows\SysWOW64\Eonmkkmj.exe | Enlqdc32.exe
File created | C:\Windows\SysWOW64\Befkma32.dll | Qecgcfmf.exe
File opened for modification | C:\Windows\SysWOW64\Mncmck32.exe | Mcnhfb32.exe
File opened for modification | C:\Windows\SysWOW64\Hdgmga32.exe | Gokdoj32.exe
File created | C:\Windows\SysWOW64\Ikmepj32.exe | Ifplgc32.exe
File opened for modification | C:\Windows\SysWOW64\Njnpie32.exe | Ncdgmkio.exe
File opened for modification | C:\Windows\SysWOW64\Bcpdidol.exe | Blflmj32.exe
File created | C:\Windows\SysWOW64\Mieeka32.exe | Mbkmngfn.exe
File created | C:\Windows\SysWOW64\Djjobedk.exe | Dcpffk32.exe
File opened for modification | C:\Windows\SysWOW64\Hdlhoefk.exe | Gadimkpb.exe
File created | C:\Windows\SysWOW64\Ddfbadcc.dll | Pbpall32.exe
File opened for modification | C:\Windows\SysWOW64\Ncdgmkio.exe | Nngoddkg.exe
File opened for modification | C:\Windows\SysWOW64\Poelfc32.exe | Oijgmokc.exe
File created | C:\Windows\SysWOW64\Fgnihmpg.dll | Efgehe32.exe
File created | C:\Windows\SysWOW64\Qfolkcpb.exe | Pncggqbg.exe
File created | C:\Windows\SysWOW64\Bbkbabje.dll | Bnehgmob.exe
File created | C:\Windows\SysWOW64\Balfko32.exe | Bjbnndgl.exe
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
1820 | 8352 | WerFault.exe | 450
6284 | 8352 | WerFault.exe | 450
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lggeej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpbkiog.dll" | Bhppap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gfbpfedp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjkhmqm.dll" | Nlefebfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifejakcn.dll" | Dfqogfjo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efgehe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bammeebe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjnanih.dll" | Aaofedkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djjemlhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamjca32.dll" | Dofgklcb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pgmkbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdpdkkf.dll" | Haeadi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likmhk32.dll" | Cbefkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkdnolh.dll" | Ndcdfnpa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnqaheai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcheaong.dll" | Hagnihom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Khifno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdlpnie.dll" | Dokqfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnccmnak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dnhncjom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jpfnqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjebg32.dll" | Oendaipn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjkqpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jenhmaeh.dll" | Nocphd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Phfcdcfg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcdepd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfcfl32.dll" | Bnobfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eabjkdcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Npkmcj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fdegkdim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngmggj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihagfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jondojna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eoaianan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdpenp32.dll" | Fgencf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kaajfe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nkagndmc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obbekn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qpfokpoo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbpfig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cggikk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dgplai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdbam32.dll" | Oqakln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Laqlclga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfeiedhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfninn32.dll" | Nqdlpmce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldjodh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnmajl32.dll" | Bniacddk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldblon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nocphd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dcpffk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gjhdkajh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gadimkpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eoaianan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcaqohc.dll" | Fpbpmhjb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdfmcobk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pnmhqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlocei32.dll" | Ikmepj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nngoddkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjnljjm.dll" | Pgmkbg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gjkqpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmnlgn32.dll" | Obgofmjb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lnccmnak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpdfdaa.dll" | Blflmj32.exe
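The "Adds autorun key" and "Modifies registry class" signatures above are two halves of one persistence mechanism and are only meaningful joined on the CLSID. Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, and the DLL it loads is whatever the (Default) value of that CLSID's InProcServer32 key names; here the value "Web Event Logger" points at {79FEACFF-FFCE-815E-A900-316290B5B738}, whose InProcServer32 is rewritten by successive stages to a freshly dropped DLL in SysWow64. Both keys sit under WOW6432Node because the sample is a 32-bit process and the registry redirector maps its writes to HKLM\SOFTWARE there; a hunt on a 64-bit host therefore has to read the WOW6432Node keys, not only the native ones. The Python below is an added example, not part of the sandbox report: it parses rows in the shape of the report's "description | ioc | Process" tables and performs that join. The rows are constructed from values printed above, except the final "Hypothetical Entry" row, which is invented to show how an entry whose CLSID has no InProcServer32 recorded is reported.

```python
import re

# Constructed sample rows in the shape of the report's "description | ioc | Process"
# tables. All values are copied from the report above except the last row, which is a
# hypothetical entry (not in the report) whose CLSID has no InProcServer32 recorded.
SAMPLE_ROWS = [
    r'Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emanepld.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eceoanpo.exe',
    r'Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lggeej32.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpbkiog.dll" | Bhppap32.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gfbpfedp.exe',
    r'Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Hypothetical Entry = "{00000000-0000-0000-0000-000000000000}" | Hypothetical.exe',
]

# "Set value (<type>) | <key>\<value name> = "<data>" | <process>"; the value name is
# empty for a key's (Default) value, which the report prints as a trailing backslash.
SET_VALUE = re.compile(r'^Set value \((\w+)\) \| (.+?)\\([^\\]*) = "(.*)" \| (\S+)$')
SSODL_SUFFIX = r'\microsoft\windows\currentversion\shellserviceobjectdelayload'
CLSID_SERVER = re.compile(r'\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$')


def link_persistence(rows):
    """Join SSODL value rows with CLSID InProcServer32 rows on the CLSID.

    Returns one dict per SSODL entry: the value name Explorer sees, the CLSID it
    names, the DLL registered as that CLSID's in-process server (None if no row
    set one), the threading model, the processes that wrote each half, and whether
    the chain is complete enough for Explorer to load something at next logon.
    """
    ssodl = {}    # SSODL value name -> (CLSID, process that wrote it)
    servers = {}  # CLSID -> {"dll": ..., "threadingmodel": ..., "writers": set()}
    for row in rows:
        m = SET_VALUE.match(row)
        if not m:
            continue  # "Key created" rows carry nothing needed for the join
        _kind, key, name, value, proc = m.groups()
        key_l = key.lower()  # the report mixes "Software" and "SOFTWARE"
        if key_l.endswith(SSODL_SUFFIX):
            ssodl[name] = (value.upper(), proc)
            continue
        cm = CLSID_SERVER.search(key_l)
        if cm:
            srv = servers.setdefault(cm.group(1).upper(), {"writers": set()})
            if name == "":
                # (Default) of InProcServer32 is the DLL path; the report prints
                # REG_SZ backslashes doubled, so collapse them to a real path.
                srv["dll"] = value.replace("\\\\", "\\")
            else:
                srv[name.lower()] = value
            srv["writers"].add(proc)
    chains = []
    for name, (clsid, proc) in ssodl.items():
        srv = servers.get(clsid, {})
        writers = {proc} | set(srv.get("writers", ()))
        chains.append({
            "ssodl_name": name,
            "clsid": clsid,
            "set_by": proc,
            "dll": srv.get("dll"),
            "threading": srv.get("threadingmodel"),
            "distinct_writers": len(writers),
            "complete": "dll" in srv,
        })
    return chains


if __name__ == "__main__":
    for chain in link_persistence(SAMPLE_ROWS):
        status = "LOADABLE" if chain["complete"] else "incomplete"
        print(f'{status}: SSODL "{chain["ssodl_name"]}" -> {chain["clsid"]} '
              f'-> {chain["dll"]} (threading={chain["threading"]}, '
              f'{chain["distinct_writers"]} distinct writer processes)')
```

The "distinct_writers" count is the detail worth keeping: in the report no single process writes the whole registration, so a rule that keys on one process touching both the SSODL value and the CLSID key would miss this sample, while the joined view shows one CLSID being re-pointed at a different SysWow64 DLL by stage after stage. On a live host the same join is made against HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\<clsid>\InProcServer32, and the resolved DLL is what gets hashed and signature-checked.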
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 5076 wrote to memory of 4848 | 5076 | 0ad3c7803a003628a64d340ee586b78bafb28b76b908a9ff52a1ea6299abff34_NeikiAnalytics.exe | 93
PID 5076 wrote to memory of 4848 | 5076 | 0ad3c7803a003628a64d340ee586b78bafb28b76b908a9ff52a1ea6299abff34_NeikiAnalytics.exe | 93
PID 5076 wrote to memory of 4848 | 5076 | 0ad3c7803a003628a64d340ee586b78bafb28b76b908a9ff52a1ea6299abff34_NeikiAnalytics.exe | 93
PID 4848 wrote to memory of 1820 | 4848 | Cejaobel.exe | 94
PID 4848 wrote to memory of 1820 | 4848 | Cejaobel.exe | 94
PID 4848 wrote to memory of 1820 | 4848 | Cejaobel.exe | 94
PID 1820 wrote to memory of 796 | 1820 | Fibfbm32.exe | 95
PID 1820 wrote to memory of 796 | 1820 | Fibfbm32.exe | 95
PID 1820 wrote to memory of 796 | 1820 | Fibfbm32.exe | 95
PID 796 wrote to memory of 1396 | 796 | Ginenk32.exe | 96
PID 796 wrote to memory of 1396 | 796 | Ginenk32.exe | 96
PID 796 wrote to memory of 1396 | 796 | Ginenk32.exe | 96
PID 1396 wrote to memory of 3656 | 1396 | Hllkqdli.exe | 97
PID 1396 wrote to memory of 3656 | 1396 | Hllkqdli.exe | 97
PID 1396 wrote to memory of 3656 | 1396 | Hllkqdli.exe | 97
PID 3656 wrote to memory of 4700 | 3656 | Ihjafd32.exe | 98
PID 3656 wrote to memory of 4700 | 3656 | Ihjafd32.exe | 98
PID 3656 wrote to memory of 4700 | 3656 | Ihjafd32.exe | 98
PID 4700 wrote to memory of 1440 | 4700 | Jqklnp32.exe | 99
PID 4700 wrote to memory of 1440 | 4700 | Jqklnp32.exe | 99
PID 4700 wrote to memory of 1440 | 4700 | Jqklnp32.exe | 99
PID 1440 wrote to memory of 4748 | 1440 | Kqdodo32.exe | 100
PID 1440 wrote to memory of 4748 | 1440 | Kqdodo32.exe | 100
PID 1440 wrote to memory of 4748 | 1440 | Kqdodo32.exe | 100
PID 4748 wrote to memory of 1404 | 4748 | Mmpbkm32.exe | 101
PID 4748 wrote to memory of 1404 | 4748 | Mmpbkm32.exe | 101
PID 4748 wrote to memory of 1404 | 4748 | Mmpbkm32.exe | 101
PID 1404 wrote to memory of 2172 | 1404 | Nplkhf32.exe | 102
PID 1404 wrote to memory of 2172 | 1404 | Nplkhf32.exe | 102
PID 1404 wrote to memory of 2172 | 1404 | Nplkhf32.exe | 102
PID 2172 wrote to memory of 1020 | 2172 | Ogpfko32.exe | 104
PID 2172 wrote to memory of 1020 | 2172 | Ogpfko32.exe | 104
PID 2172 wrote to memory of 1020 | 2172 | Ogpfko32.exe | 104
PID 1020 wrote to memory of 3032 | 1020 | Odhppclh.exe | 105
PID 1020 wrote to memory of 3032 | 1020 | Odhppclh.exe | 105
PID 1020 wrote to memory of 3032 | 1020 | Odhppclh.exe | 105
PID 3032 wrote to memory of 3632 | 3032 | Aaofedkl.exe | 106
PID 3032 wrote to memory of 3632 | 3032 | Aaofedkl.exe | 106
PID 3032 wrote to memory of 3632 | 3032 | Aaofedkl.exe | 106
PID 3632 wrote to memory of 4256 | 3632 | Aqdbfa32.exe | 107
PID 3632 wrote to memory of 4256 | 3632 | Aqdbfa32.exe | 107
PID 3632 wrote to memory of 4256 | 3632 | Aqdbfa32.exe | 107
PID 4256 wrote to memory of 1800 | 4256 | Abdoqd32.exe | 108
PID 4256 wrote to memory of 1800 | 4256 | Abdoqd32.exe | 108
PID 4256 wrote to memory of 1800 | 4256 | Abdoqd32.exe | 108
PID 1800 wrote to memory of 1848 | 1800 | Abflfc32.exe | 109
PID 1800 wrote to memory of 1848 | 1800 | Abflfc32.exe | 109
PID 1800 wrote to memory of 1848 | 1800 | Abflfc32.exe | 109
PID 1848 wrote to memory of 1928 | 1848 | Kicfijal.exe | 370
PID 1848 wrote to memory of 1928 | 1848 | Kicfijal.exe | 370
PID 1848 wrote to memory of 1928 | 1848 | Kicfijal.exe | 370
PID 1928 wrote to memory of 4300 | 1928 | Kkdoje32.exe | 111
PID 1928 wrote to memory of 4300 | 1928 | Kkdoje32.exe | 111
PID 1928 wrote to memory of 4300 | 1928 | Kkdoje32.exe | 111
PID 4300 wrote to memory of 2344 | 4300 | Mmdekf32.exe | 112
PID 4300 wrote to memory of 2344 | 4300 | Mmdekf32.exe | 112
PID 4300 wrote to memory of 2344 | 4300 | Mmdekf32.exe | 112
PID 2344 wrote to memory of 4764 | 2344 | Mfofjk32.exe | 113
PID 2344 wrote to memory of 4764 | 2344 | Mfofjk32.exe | 113
PID 2344 wrote to memory of 4764 | 2344 | Mfofjk32.exe | 113
PID 4764 wrote to memory of 228 | 4764 | Npgjbabk.exe | 374
PID 4764 wrote to memory of 228 | 4764 | Npgjbabk.exe | 374
PID 4764 wrote to memory of 228 | 4764 | Npgjbabk.exe | 374
PID 228 wrote to memory of 5016 | 228 | Nffljjfc.exe | 115
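Read together, the "Drops file in System32 directory", "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" tables describe a self-replicating chain: each stage writes the next stage's EXE into C:\Windows\SysWOW64 and then starts it, and each parent/child pair is recorded three times in the WriteProcessMemory table. The Python below is an added example, not part of the sandbox report; it joins the three tables to reconstruct the spawn chain and to check, hop by hop, that the child was dropped by its own parent, which is the property that distinguishes this pattern from a single dropper launching pre-existing files. The "Executes dropped EXE" pairs and the drop rows are copied from the report; the WriteProcessMemory rows for this stretch of the chain are not printed on the page (the table is cut at 64 entries) and are written here as an assumption in the report's row format, including their procid_target values.

```python
import re
from collections import Counter

# Constructed sample rows in the shape of the report's tables. EXE_ROWS and DROP_ROWS
# are copied from the report above; WPM_ROWS for this part of the chain are not on the
# page and are an assumption written in the same format (procid_target values invented).
EXE_ROWS = "2004 Bnobfn32.exe 1484 Blflmj32.exe 3352 Bcpdidol.exe"
DROP_ROWS = [
    r'File created | C:\Windows\SysWOW64\Blflmj32.exe | Bnobfn32.exe',
    r'File opened for modification | C:\Windows\SysWOW64\Bcpdidol.exe | Blflmj32.exe',
    r'File created | C:\Windows\SysWOW64\Bbkbabje.dll | Bnehgmob.exe',  # unrelated DLL drop
]
WPM_ROWS = [
    'PID 2004 wrote to memory of 1484 | 2004 | Bnobfn32.exe | 140',
    'PID 2004 wrote to memory of 1484 | 2004 | Bnobfn32.exe | 140',
    'PID 2004 wrote to memory of 1484 | 2004 | Bnobfn32.exe | 140',
    'PID 1484 wrote to memory of 3352 | 1484 | Blflmj32.exe | 141',
    'PID 1484 wrote to memory of 3352 | 1484 | Blflmj32.exe | 141',
    'PID 1484 wrote to memory of 3352 | 1484 | Blflmj32.exe | 141',
]

WPM = re.compile(r'^PID (\d+) wrote to memory of (\d+) \| (\d+) \| (\S+) \| (\d+)$')
DROP = re.compile(r'^(File created|File opened for modification) \| (\S+) \| (\S+)$')


def parse_exe_table(text):
    """'pid Process pid Process ...' from Executes dropped EXE -> {pid: name}."""
    toks = text.split()
    return {int(pid): name for pid, name in zip(toks[::2], toks[1::2])}


def edge_counts(wpm_rows):
    """Collapse repeated rows: (writer pid, target pid) -> row count, plus writer names."""
    counts, names = Counter(), {}
    for row in wpm_rows:
        m = WPM.match(row)
        if not m:
            continue
        writer, target, pid, name, _procid_target = m.groups()
        if writer != pid:
            continue  # description and pid column disagree; do not trust the row
        counts[(int(writer), int(target))] += 1
        names[int(writer)] = name
    return counts, names


def spawn_chain(wpm_rows, pid_names):
    """Walk writer -> target edges from the single root; the last pid's name comes
    from pid_names because it never appears as a writer. Raises if the tree branches,
    since the check below assumes a linear chain."""
    counts, names = edge_counts(wpm_rows)
    names = {**pid_names, **names}
    children = {}
    for writer, target in counts:
        children.setdefault(writer, []).append(target)
    targets = {t for kids in children.values() for t in kids}
    roots = [w for w in children if w not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, names.get(pid)))
        kids = children.get(pid, [])
        if len(kids) > 1:
            raise ValueError(f"pid {pid} wrote into {len(kids)} processes; not a linear chain")
        pid = kids[0] if kids else None
    return chain


def parse_drops(drop_rows):
    """dropper process name -> set of file names it created or opened for writing."""
    drops = {}
    for row in drop_rows:
        m = DROP.match(row)
        if m:
            _kind, path, proc = m.groups()
            drops.setdefault(proc, set()).add(path.rsplit("\\", 1)[-1])
    return drops


def self_replication_hops(wpm_rows, exe_table, drop_rows):
    """For each parent -> child hop, was the child's image dropped by that parent?"""
    chain = spawn_chain(wpm_rows, parse_exe_table(exe_table))
    drops = parse_drops(drop_rows)
    return [
        {"parent_pid": ppid, "parent": pname, "child_pid": cpid, "child": cname,
         "child_dropped_by_parent": cname in drops.get(pname, set())}
        for (ppid, pname), (cpid, cname) in zip(chain, chain[1:])
    ]


if __name__ == "__main__":
    for hop in self_replication_hops(WPM_ROWS, EXE_ROWS, DROP_ROWS):
        flag = "dropped-then-spawned" if hop["child_dropped_by_parent"] else "spawned only"
        print(f'{hop["parent"]} ({hop["parent_pid"]}) -> {hop["child"]} ({hop["child_pid"]}): {flag}')
```

The same functions run unchanged over the full 64-row tables above; with more hops they also surface the two places where procid_target jumps out of sequence (Kicfijal.exe at 370 and Npgjbabk.exe at 374), which the linear walk does not care about but a reviewer comparing against the process tree will notice.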
Processes
- C:\Users\Admin\AppData\Local\Temp\0ad3c7803a003628a64d340ee586b78bafb28b76b908a9ff52a1ea6299abff34_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0ad3c7803a003628a64d340ee586b78bafb28b76b908a9ff52a1ea6299abff34_NeikiAnalytics.exe"; tree level 1)
  - Suspicious use of WriteProcessMemory
  - PID: 5076
- C:\Windows\SysWOW64\Cejaobel.exe (command line: C:\Windows\system32\Cejaobel.exe; tree level 2)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 4848
- C:\Windows\SysWOW64\Fibfbm32.exe (command line: C:\Windows\system32\Fibfbm32.exe; tree level 3)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 1820
- C:\Windows\SysWOW64\Ginenk32.exe (command line: C:\Windows\system32\Ginenk32.exe; tree level 4)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - PID: 796
- C:\Windows\SysWOW64\Hllkqdli.exe (command line: C:\Windows\system32\Hllkqdli.exe; tree level 5)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 1396
- C:\Windows\SysWOW64\Ihjafd32.exe (command line: C:\Windows\system32\Ihjafd32.exe; tree level 6)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 3656
- C:\Windows\SysWOW64\Jqklnp32.exe (command line: C:\Windows\system32\Jqklnp32.exe; tree level 7)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 4700
- C:\Windows\SysWOW64\Kqdodo32.exe (command line: C:\Windows\system32\Kqdodo32.exe; tree level 8)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 1440
- C:\Windows\SysWOW64\Mmpbkm32.exe (command line: C:\Windows\system32\Mmpbkm32.exe; tree level 9)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 4748
- C:\Windows\SysWOW64\Nplkhf32.exe (command line: C:\Windows\system32\Nplkhf32.exe; tree level 10)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 1404
- C:\Windows\SysWOW64\Ogpfko32.exe (command line: C:\Windows\system32\Ogpfko32.exe; tree level 11)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - PID: 2172
- C:\Windows\SysWOW64\Odhppclh.exe (command line: C:\Windows\system32\Odhppclh.exe; tree level 12)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 1020
- C:\Windows\SysWOW64\Aaofedkl.exe (command line: C:\Windows\system32\Aaofedkl.exe; tree level 13)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - PID: 3032
- C:\Windows\SysWOW64\Aqdbfa32.exe (command line: C:\Windows\system32\Aqdbfa32.exe; tree level 14)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 3632
- C:\Windows\SysWOW64\Abdoqd32.exe (command line: C:\Windows\system32\Abdoqd32.exe; tree level 15)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 4256
- C:\Windows\SysWOW64\Abflfc32.exe (command line: C:\Windows\system32\Abflfc32.exe; tree level 16)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 1800
- C:\Windows\SysWOW64\Kicfijal.exe (command line: C:\Windows\system32\Kicfijal.exe; tree level 17)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 1848
- C:\Windows\SysWOW64\Kkdoje32.exe (command line: C:\Windows\system32\Kkdoje32.exe; tree level 18)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 1928
- C:\Windows\SysWOW64\Mmdekf32.exe (command line: C:\Windows\system32\Mmdekf32.exe; tree level 19)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 4300
- C:\Windows\SysWOW64\Mfofjk32.exe (command line: C:\Windows\system32\Mfofjk32.exe; tree level 20)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 2344
- C:\Windows\SysWOW64\Npgjbabk.exe (command line: C:\Windows\system32\Npgjbabk.exe; tree level 21)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 4764
- C:\Windows\SysWOW64\Nffljjfc.exe (command line: C:\Windows\system32\Nffljjfc.exe; tree level 22)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - PID: 228
- C:\Windows\SysWOW64\Ndjldo32.exe (command line: C:\Windows\system32\Ndjldo32.exe; tree level 23)
  - Executes dropped EXE
  - Drops file in System32 directory
  - PID: 5016
- C:\Windows\SysWOW64\Olgnnqpe.exe (command line: C:\Windows\system32\Olgnnqpe.exe; tree level 24)
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ojhnlh32.exeC:\Windows\system32\Ojhnlh32.exe25⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Opjponbf.exeC:\Windows\system32\Opjponbf.exe26⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Obkiqi32.exeC:\Windows\system32\Obkiqi32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Pdjeklfj.exeC:\Windows\system32\Pdjeklfj.exe28⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Pgmkbg32.exeC:\Windows\system32\Pgmkbg32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Pljcjn32.exeC:\Windows\system32\Pljcjn32.exe30⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Pkkdhe32.exeC:\Windows\system32\Pkkdhe32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Pdchakoo.exeC:\Windows\system32\Pdchakoo.exe32⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Qmlmjq32.exeC:\Windows\system32\Qmlmjq32.exe33⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Alcfpm32.exeC:\Windows\system32\Alcfpm32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4216 -
C:\Windows\SysWOW64\Admkgifd.exeC:\Windows\system32\Admkgifd.exe35⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Alhpkldp.exeC:\Windows\system32\Alhpkldp.exe36⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Adadbi32.exeC:\Windows\system32\Adadbi32.exe37⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Akkmocjl.exeC:\Windows\system32\Akkmocjl.exe38⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Bnobfn32.exeC:\Windows\system32\Bnobfn32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Blflmj32.exeC:\Windows\system32\Blflmj32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Bcpdidol.exeC:\Windows\system32\Bcpdidol.exe41⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Bnehgmob.exeC:\Windows\system32\Bnehgmob.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Cmkehicj.exeC:\Windows\system32\Cmkehicj.exe43⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Cgpjebcp.exeC:\Windows\system32\Cgpjebcp.exe44⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Ccgjjc32.exeC:\Windows\system32\Ccgjjc32.exe45⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Dmfecgim.exeC:\Windows\system32\Dmfecgim.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Dcqmpa32.exeC:\Windows\system32\Dcqmpa32.exe47⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Djjemlhf.exeC:\Windows\system32\Djjemlhf.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Dccjfaog.exeC:\Windows\system32\Dccjfaog.exe49⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Dnhncjom.exeC:\Windows\system32\Dnhncjom.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Dcegkamd.exeC:\Windows\system32\Dcegkamd.exe51⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Dcgcaq32.exeC:\Windows\system32\Dcgcaq32.exe52⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Dmphjfab.exeC:\Windows\system32\Dmphjfab.exe53⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Egelgoah.exeC:\Windows\system32\Egelgoah.exe54⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Ejfeij32.exeC:\Windows\system32\Ejfeij32.exe55⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Egjebn32.exeC:\Windows\system32\Egjebn32.exe56⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Eabjkdcc.exeC:\Windows\system32\Eabjkdcc.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:3388 -
C:\Windows\SysWOW64\Elhnhm32.exeC:\Windows\system32\Elhnhm32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Ecccmo32.exeC:\Windows\system32\Ecccmo32.exe59⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Fcjimnjl.exeC:\Windows\system32\Fcjimnjl.exe60⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Gjkgkg32.exeC:\Windows\system32\Gjkgkg32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4272 -
C:\Windows\SysWOW64\Gaepgacn.exeC:\Windows\system32\Gaepgacn.exe62⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Glajeiml.exeC:\Windows\system32\Glajeiml.exe63⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Hklpaeno.exeC:\Windows\system32\Hklpaeno.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Hlkmlhea.exeC:\Windows\system32\Hlkmlhea.exe65⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Hdfapjbl.exeC:\Windows\system32\Hdfapjbl.exe66⤵PID:4092
-
C:\Windows\SysWOW64\Idmhqi32.exeC:\Windows\system32\Idmhqi32.exe67⤵PID:2160
-
C:\Windows\SysWOW64\Jklihbol.exeC:\Windows\system32\Jklihbol.exe68⤵PID:3044
-
C:\Windows\SysWOW64\Jookjpam.exeC:\Windows\system32\Jookjpam.exe69⤵PID:4336
-
C:\Windows\SysWOW64\Kkhidaeo.exeC:\Windows\system32\Kkhidaeo.exe70⤵PID:548
-
C:\Windows\SysWOW64\Lhelddln.exeC:\Windows\system32\Lhelddln.exe71⤵PID:4728
-
C:\Windows\SysWOW64\Lfbpcgbl.exeC:\Windows\system32\Lfbpcgbl.exe72⤵
- Drops file in System32 directory
PID:4456 -
C:\Windows\SysWOW64\Mkohln32.exeC:\Windows\system32\Mkohln32.exe73⤵PID:4304
-
C:\Windows\SysWOW64\Mfdlif32.exeC:\Windows\system32\Mfdlif32.exe74⤵PID:4448
-
C:\Windows\SysWOW64\Mkadam32.exeC:\Windows\system32\Mkadam32.exe75⤵PID:3348
-
C:\Windows\SysWOW64\Mbkmngfn.exeC:\Windows\system32\Mbkmngfn.exe76⤵
- Drops file in System32 directory
PID:3980 -
C:\Windows\SysWOW64\Mieeka32.exeC:\Windows\system32\Mieeka32.exe77⤵PID:3924
-
C:\Windows\SysWOW64\Mnbnchlb.exeC:\Windows\system32\Mnbnchlb.exe78⤵PID:1552
-
C:\Windows\SysWOW64\Mihbpalh.exeC:\Windows\system32\Mihbpalh.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4516 -
C:\Windows\SysWOW64\Mbpfig32.exeC:\Windows\system32\Mbpfig32.exe80⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Mkhkblii.exeC:\Windows\system32\Mkhkblii.exe81⤵PID:5140
-
C:\Windows\SysWOW64\Neaokboj.exeC:\Windows\system32\Neaokboj.exe82⤵PID:5180
-
C:\Windows\SysWOW64\Npfchkop.exeC:\Windows\system32\Npfchkop.exe83⤵PID:5224
-
C:\Windows\SysWOW64\Neclpamg.exeC:\Windows\system32\Neclpamg.exe84⤵PID:5264
-
C:\Windows\SysWOW64\Npipnjmm.exeC:\Windows\system32\Npipnjmm.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5304 -
C:\Windows\SysWOW64\Nfchjddj.exeC:\Windows\system32\Nfchjddj.exe86⤵PID:5348
-
C:\Windows\SysWOW64\Npkmcj32.exeC:\Windows\system32\Npkmcj32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Nehekq32.exeC:\Windows\system32\Nehekq32.exe88⤵PID:5432
-
C:\Windows\SysWOW64\Npmjij32.exeC:\Windows\system32\Npmjij32.exe89⤵PID:5476
-
C:\Windows\SysWOW64\Nejbaqgo.exeC:\Windows\system32\Nejbaqgo.exe90⤵PID:5516
-
C:\Windows\SysWOW64\Nppfnige.exeC:\Windows\system32\Nppfnige.exe91⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Oijgmokc.exeC:\Windows\system32\Oijgmokc.exe92⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Poelfc32.exeC:\Windows\system32\Poelfc32.exe93⤵PID:5672
-
C:\Windows\SysWOW64\Pbcelacq.exeC:\Windows\system32\Pbcelacq.exe94⤵PID:5720
-
C:\Windows\SysWOW64\Abmhbplf.exeC:\Windows\system32\Abmhbplf.exe95⤵PID:5844
-
C:\Windows\SysWOW64\Bipcei32.exeC:\Windows\system32\Bipcei32.exe96⤵PID:5892
-
C:\Windows\SysWOW64\Blqlgdhi.exeC:\Windows\system32\Blqlgdhi.exe97⤵PID:5936
-
C:\Windows\SysWOW64\Boaeioej.exeC:\Windows\system32\Boaeioej.exe98⤵
- Drops file in System32 directory
PID:5988 -
C:\Windows\SysWOW64\Clohhbli.exeC:\Windows\system32\Clohhbli.exe99⤵PID:6028
-
C:\Windows\SysWOW64\Cfglahbj.exeC:\Windows\system32\Cfglahbj.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6068 -
C:\Windows\SysWOW64\Cpmqoqbp.exeC:\Windows\system32\Cpmqoqbp.exe101⤵PID:6108
-
C:\Windows\SysWOW64\Cggikk32.exeC:\Windows\system32\Cggikk32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Dnqaheai.exeC:\Windows\system32\Dnqaheai.exe103⤵
- Modifies registry class
PID:5188 -
C:\Windows\SysWOW64\Dcmjpl32.exeC:\Windows\system32\Dcmjpl32.exe104⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Djgbmffn.exeC:\Windows\system32\Djgbmffn.exe105⤵PID:5332
-
C:\Windows\SysWOW64\Dcpffk32.exeC:\Windows\system32\Dcpffk32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Djjobedk.exeC:\Windows\system32\Djjobedk.exe107⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Dofgklcb.exeC:\Windows\system32\Dofgklcb.exe108⤵
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Dfqogfjo.exeC:\Windows\system32\Dfqogfjo.exe109⤵
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Dqfceoje.exeC:\Windows\system32\Dqfceoje.exe110⤵PID:5624
-
C:\Windows\SysWOW64\Dgplai32.exeC:\Windows\system32\Dgplai32.exe111⤵
- Modifies registry class
PID:5248 -
C:\Windows\SysWOW64\Dnjdncio.exeC:\Windows\system32\Dnjdncio.exe112⤵PID:5756
-
C:\Windows\SysWOW64\Dokqfl32.exeC:\Windows\system32\Dokqfl32.exe113⤵
- Modifies registry class
PID:5856 -
C:\Windows\SysWOW64\Enlqdc32.exeC:\Windows\system32\Enlqdc32.exe114⤵
- Drops file in System32 directory
PID:5928 -
C:\Windows\SysWOW64\Eonmkkmj.exeC:\Windows\system32\Eonmkkmj.exe115⤵PID:5976
-
C:\Windows\SysWOW64\Efgehe32.exeC:\Windows\system32\Efgehe32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Emanepld.exeC:\Windows\system32\Emanepld.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5876 -
C:\Windows\SysWOW64\Fakfglhm.exeC:\Windows\system32\Fakfglhm.exe118⤵PID:5176
-
C:\Windows\SysWOW64\Fgencf32.exeC:\Windows\system32\Fgencf32.exe119⤵
- Modifies registry class
PID:5340 -
C:\Windows\SysWOW64\Fmbflm32.exeC:\Windows\system32\Fmbflm32.exe120⤵PID:5464
-
C:\Windows\SysWOW64\Fclohg32.exeC:\Windows\system32\Fclohg32.exe121⤵PID:5444
-
C:\Windows\SysWOW64\Fjfgealk.exeC:\Windows\system32\Fjfgealk.exe122⤵PID:5456