Analysis
-
max time kernel
148s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02/06/2024, 01:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe
Resource
win7-20240221-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
6 signatures
150 seconds
General
-
Target
1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe
-
Size
60KB
-
MD5
1d5ec5f97bae451127227db2b0135c40
-
SHA1
d11da20f0c12ef0b5dcf4e3fd6a4d10f51b68621
-
SHA256
72b7a422fba23237804c9976245c3a021bad84ceacb28584d058b62891bff668
-
SHA512
90b6fab633bfcc52be11f625dc492e28b5cebc3f581ea7c6832f6c687bedc4a195d0af5bc4e32f275d95ff4b79ae23fd5284ec9a0d2182b625e6be3b5540b43f
-
SSDEEP
1536:DUDkXcrWkqaH/AdPnDlzY2myn+JBsiuSJB86l1rs:IIsJnYhq2m/9umB86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkclhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgljbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdaoog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mochnppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmmfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afohaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdaee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amejeljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icpigm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhnli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doehqead.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknekeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdjefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfffnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlnif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfgdhjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ongnonkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidjnkdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkaocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcagfim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongnonkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe -
Executes dropped EXE 64 IoCs
pid Process 904 Lipjejgp.exe 3064 Ldenbcge.exe 2252 Lmnbkinf.exe 2708 Loooca32.exe 2952 Meigpkka.exe 2512 Mhgclfje.exe 2628 Mcmhiojk.exe 2780 Mhjpaf32.exe 2028 Mochnppo.exe 2000 Mabejlob.exe 2352 Mhlmgf32.exe 816 Mofecpnl.exe 1564 Mepnpj32.exe 2068 Mkmfhacp.exe 2856 Magnek32.exe 336 Mdejaf32.exe 3028 Mhqfbebj.exe 1796 Nnnojlpa.exe 1004 Naikkk32.exe 1548 Ndgggf32.exe 1792 Nkaocp32.exe 2864 Nnplpl32.exe 928 Npnhlg32.exe 2388 Ncmdhb32.exe 1500 Njgldmdc.exe 1768 Nqqdag32.exe 2684 Nfmmin32.exe 3004 Nlgefh32.exe 2652 Nqcagfim.exe 2476 Nbdnoo32.exe 2516 Nhnfkigh.exe 1532 Nkmbgdfl.exe 2772 Nbfjdn32.exe 2808 Ofbfdmeb.exe 1040 Ohqbqhde.exe 1952 Oojknblb.exe 788 Ofdcjm32.exe 2216 Oicpfh32.exe 1640 Okalbc32.exe 2556 Onphoo32.exe 1800 Odjpkihg.exe 1924 Ojficpfn.exe 292 Obnqem32.exe 1076 Oelmai32.exe 1704 Ocomlemo.exe 2148 Ogjimd32.exe 1688 Omgaek32.exe 2036 Oenifh32.exe 708 Ocajbekl.exe 1964 Ofpfnqjp.exe 2232 Ongnonkb.exe 2688 Paejki32.exe 2696 Pphjgfqq.exe 3044 Pgobhcac.exe 2624 Pjmodopf.exe 2580 Pmlkpjpj.exe 2692 Paggai32.exe 2648 Pcfcmd32.exe 2900 Pfdpip32.exe 1064 Piblek32.exe 2416 Pmnhfjmg.exe 2264 Ppmdbe32.exe 2312 Pbkpna32.exe 268 Pfflopdh.exe -
Loads dropped DLL 64 IoCs
pid Process 2412 1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe 2412 1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe 904 Lipjejgp.exe 904 Lipjejgp.exe 3064 Ldenbcge.exe 3064 Ldenbcge.exe 2252 Lmnbkinf.exe 2252 Lmnbkinf.exe 2708 Loooca32.exe 2708 Loooca32.exe 2952 Meigpkka.exe 2952 Meigpkka.exe 2512 Mhgclfje.exe 2512 Mhgclfje.exe 2628 Mcmhiojk.exe 2628 Mcmhiojk.exe 2780 Mhjpaf32.exe 2780 Mhjpaf32.exe 2028 Mochnppo.exe 2028 Mochnppo.exe 2000 Mabejlob.exe 2000 Mabejlob.exe 2352 Mhlmgf32.exe 2352 Mhlmgf32.exe 816 Mofecpnl.exe 816 Mofecpnl.exe 1564 Mepnpj32.exe 1564 Mepnpj32.exe 2068 Mkmfhacp.exe 2068 Mkmfhacp.exe 2856 Magnek32.exe 2856 Magnek32.exe 336 Mdejaf32.exe 336 Mdejaf32.exe 3028 Mhqfbebj.exe 3028 Mhqfbebj.exe 1796 Nnnojlpa.exe 1796 Nnnojlpa.exe 1004 Naikkk32.exe 1004 Naikkk32.exe 1548 Ndgggf32.exe 1548 Ndgggf32.exe 1792 Nkaocp32.exe 1792 Nkaocp32.exe 2864 Nnplpl32.exe 2864 Nnplpl32.exe 928 Npnhlg32.exe 928 Npnhlg32.exe 2388 Ncmdhb32.exe 2388 Ncmdhb32.exe 1500 Njgldmdc.exe 1500 Njgldmdc.exe 1768 Nqqdag32.exe 1768 Nqqdag32.exe 2684 Nfmmin32.exe 2684 Nfmmin32.exe 3004 Nlgefh32.exe 3004 Nlgefh32.exe 2652 Nqcagfim.exe 2652 Nqcagfim.exe 2476 Nbdnoo32.exe 2476 Nbdnoo32.exe 2516 Nhnfkigh.exe 2516 Nhnfkigh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Jokcgmee.exe Jkpgfn32.exe File opened for modification C:\Windows\SysWOW64\Jbjochdi.exe Jokcgmee.exe File created C:\Windows\SysWOW64\Lollckbk.exe Llnofpcg.exe File opened for modification C:\Windows\SysWOW64\Bdgafdfp.exe Bpleef32.exe File created C:\Windows\SysWOW64\Hkfmal32.dll Clomqk32.exe File created C:\Windows\SysWOW64\Kgnnln32.exe Kcbakpdo.exe File created C:\Windows\SysWOW64\Gjpmgg32.dll Djhphncm.exe File created C:\Windows\SysWOW64\Dfamcogo.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Peiepfgg.exe Pamiog32.exe File opened for modification C:\Windows\SysWOW64\Djhphncm.exe Dgjclbdi.exe File opened for modification C:\Windows\SysWOW64\Ohqbqhde.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Ppmdbe32.exe Pmnhfjmg.exe File opened for modification C:\Windows\SysWOW64\Cjpqdp32.exe Cfeddafl.exe File created C:\Windows\SysWOW64\Lkcmiimi.dll Dkkpbgli.exe File opened for modification C:\Windows\SysWOW64\Jbllihbf.exe Jnqphi32.exe File created C:\Windows\SysWOW64\Fnnkng32.dll Bkommo32.exe File created C:\Windows\SysWOW64\Lipjejgp.exe 1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Aadlib32.dll Oojknblb.exe File opened for modification C:\Windows\SysWOW64\Bkfjhd32.exe Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Ikbgmj32.exe Iggkllpe.exe File created C:\Windows\SysWOW64\Dpbnlj32.dll Jgidao32.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Leajdfnm.exe File created C:\Windows\SysWOW64\Qcbllb32.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Lkiklhim.dll Magnek32.exe File created C:\Windows\SysWOW64\Afldcl32.dll Kgkafo32.exe File created C:\Windows\SysWOW64\Hpdcdhpk.dll Bhahlj32.exe File created C:\Windows\SysWOW64\Jneohcll.dll Anccmo32.exe File opened for modification C:\Windows\SysWOW64\Ddgjdk32.exe Dcenlceh.exe File created C:\Windows\SysWOW64\Mhhaff32.dll Piehkkcl.exe File created C:\Windows\SysWOW64\Maomqp32.dll Cfgaiaci.exe File created C:\Windows\SysWOW64\Bkommo32.exe Bfcampgf.exe File created C:\Windows\SysWOW64\Agjiphda.dll Bfenbpec.exe File created C:\Windows\SysWOW64\Ckoilb32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Cnkicn32.exe Cohigamf.exe File created C:\Windows\SysWOW64\Qjknnbed.exe Qlhnbf32.exe File created C:\Windows\SysWOW64\Adeplhib.exe Qecoqk32.exe File opened for modification C:\Windows\SysWOW64\Ahokfj32.exe Aepojo32.exe File created C:\Windows\SysWOW64\Nolcnd32.dll Iggkllpe.exe File created C:\Windows\SysWOW64\Leajdfnm.exe Lafndg32.exe File created C:\Windows\SysWOW64\Ahchbf32.exe Aplpai32.exe File opened for modification C:\Windows\SysWOW64\Mpbaebdd.exe Mihiih32.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Chhjkl32.exe File created C:\Windows\SysWOW64\Nejiih32.exe Nncahjgl.exe File created C:\Windows\SysWOW64\Hadfjo32.dll Cdikkg32.exe File created C:\Windows\SysWOW64\Kagdplnm.dll Mdejaf32.exe File created C:\Windows\SysWOW64\Cgcmfjnn.dll Dgfjbgmh.exe File created C:\Windows\SysWOW64\Dlkepi32.exe Djmicm32.exe File created C:\Windows\SysWOW64\Nnplpl32.exe Nkaocp32.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qeqbkkej.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Ifclcknc.dll Qljkhe32.exe File opened for modification C:\Windows\SysWOW64\Oojknblb.exe Ohqbqhde.exe File created C:\Windows\SysWOW64\Odbkcj32.dll Ppamme32.exe File created C:\Windows\SysWOW64\Mimbdhhb.exe Meagci32.exe File created C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File opened for modification C:\Windows\SysWOW64\Emieil32.exe Ejkima32.exe File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe Ajbdna32.exe File opened for modification C:\Windows\SysWOW64\Kgkafo32.exe Kemejc32.exe File opened for modification C:\Windows\SysWOW64\Ddigjkid.exe Dfffnn32.exe File created C:\Windows\SysWOW64\Mmjale32.dll Ekhhadmk.exe File created C:\Windows\SysWOW64\Pfflopdh.exe Pbkpna32.exe File created C:\Windows\SysWOW64\Ghkllmoi.exe Gelppaof.exe File created C:\Windows\SysWOW64\Ijgdngmf.exe Icmlam32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6280 6240 WerFault.exe 622 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll" Amndem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhfagipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqjpn32.dll" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibkki32.dll" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Albjlcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebodiofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkiklhim.dll" Magnek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhigphio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohqbqhde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnbjopoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iknnbklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lihmjejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obneof32.dll" Nkaocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfmmin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofjfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dookgcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcjffka.dll" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loooca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkpmm32.dll" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelpgepb.dll" Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpleef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjhccbfb.dll" Lipjejgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknecn32.dll" Ojficpfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdgnh32.dll" Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdooajdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkcbgek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naajoinb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piphee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnennj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnjdhmdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhjpaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakomajq.dll" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cngcjo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 904 2412 1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe 28 PID 2412 wrote to memory of 904 2412 1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe 28 PID 2412 wrote to memory of 904 2412 1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe 28 PID 2412 wrote to memory of 904 2412 1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe 28 PID 904 wrote to memory of 3064 904 Lipjejgp.exe 29 PID 904 wrote to memory of 3064 904 Lipjejgp.exe 29 PID 904 wrote to memory of 3064 904 Lipjejgp.exe 29 PID 904 wrote to memory of 3064 904 Lipjejgp.exe 29 PID 3064 wrote to memory of 2252 3064 Ldenbcge.exe 30 PID 3064 wrote to memory of 2252 3064 Ldenbcge.exe 30 PID 3064 wrote to memory of 2252 3064 Ldenbcge.exe 30 PID 3064 wrote to memory of 2252 3064 Ldenbcge.exe 30 PID 2252 wrote to memory of 2708 2252 Lmnbkinf.exe 31 PID 2252 wrote to memory of 2708 2252 Lmnbkinf.exe 31 PID 2252 wrote to memory of 2708 2252 Lmnbkinf.exe 31 PID 2252 wrote to memory of 2708 2252 Lmnbkinf.exe 31 PID 2708 wrote to memory of 2952 2708 Loooca32.exe 32 PID 2708 wrote to memory of 2952 2708 Loooca32.exe 32 PID 2708 wrote to memory of 2952 2708 Loooca32.exe 32 PID 2708 wrote to memory of 2952 2708 Loooca32.exe 32 PID 2952 wrote to memory of 2512 2952 Meigpkka.exe 33 PID 2952 wrote to memory of 2512 2952 Meigpkka.exe 33 PID 2952 wrote to memory of 2512 2952 Meigpkka.exe 33 PID 2952 wrote to memory of 2512 2952 Meigpkka.exe 33 PID 2512 wrote to memory of 2628 2512 Mhgclfje.exe 34 PID 2512 wrote to memory of 2628 2512 Mhgclfje.exe 34 PID 2512 wrote to memory of 2628 2512 Mhgclfje.exe 34 PID 2512 wrote to memory of 2628 2512 Mhgclfje.exe 34 PID 2628 wrote to memory of 2780 2628 Mcmhiojk.exe 35 PID 2628 wrote to memory of 2780 2628 Mcmhiojk.exe 35 PID 2628 wrote to memory of 2780 2628 Mcmhiojk.exe 35 PID 2628 wrote to memory of 2780 2628 Mcmhiojk.exe 35 PID 2780 wrote to memory of 2028 2780 Mhjpaf32.exe 36 PID 2780 wrote to memory of 2028 2780 Mhjpaf32.exe 36 PID 2780 wrote to memory of 2028 2780 Mhjpaf32.exe 36 PID 2780 wrote to memory of 2028 2780 Mhjpaf32.exe 36 PID 2028 wrote to memory of 2000 2028 Mochnppo.exe 37 PID 2028 wrote to memory of 2000 2028 Mochnppo.exe 37 PID 2028 wrote to memory of 2000 2028 Mochnppo.exe 37 PID 2028 wrote to memory of 2000 2028 Mochnppo.exe 37 PID 2000 wrote to memory of 2352 2000 Mabejlob.exe 38 PID 2000 wrote to memory of 2352 2000 Mabejlob.exe 38 PID 2000 wrote to memory of 2352 2000 Mabejlob.exe 38 PID 2000 wrote to memory of 2352 2000 Mabejlob.exe 38 PID 2352 wrote to memory of 816 2352 Mhlmgf32.exe 39 PID 2352 wrote to memory of 816 2352 Mhlmgf32.exe 39 PID 2352 wrote to memory of 816 2352 Mhlmgf32.exe 39 PID 2352 wrote to memory of 816 2352 Mhlmgf32.exe 39 PID 816 wrote to memory of 1564 816 Mofecpnl.exe 40 PID 816 wrote to memory of 1564 816 Mofecpnl.exe 40 PID 816 wrote to memory of 1564 816 Mofecpnl.exe 40 PID 816 wrote to memory of 1564 816 Mofecpnl.exe 40 PID 1564 wrote to memory of 2068 1564 Mepnpj32.exe 41 PID 1564 wrote to memory of 2068 1564 Mepnpj32.exe 41 PID 1564 wrote to memory of 2068 1564 Mepnpj32.exe 41 PID 1564 wrote to memory of 2068 1564 Mepnpj32.exe 41 PID 2068 wrote to memory of 2856 2068 Mkmfhacp.exe 42 PID 2068 wrote to memory of 2856 2068 Mkmfhacp.exe 42 PID 2068 wrote to memory of 2856 2068 Mkmfhacp.exe 42 PID 2068 wrote to memory of 2856 2068 Mkmfhacp.exe 42 PID 2856 wrote to memory of 336 2856 Magnek32.exe 43 PID 2856 wrote to memory of 336 2856 Magnek32.exe 43 PID 2856 wrote to memory of 336 2856 Magnek32.exe 43 PID 2856 wrote to memory of 336 2856 Magnek32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1d5ec5f97bae451127227db2b0135c40_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe33⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe34⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe38⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe39⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe40⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe41⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe42⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe44⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe45⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe46⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe47⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe48⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe49⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe50⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe53⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe54⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe55⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe57⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe58⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe59⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe60⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe61⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe63⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe65⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe66⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe67⤵PID:1108
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe68⤵PID:3008
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe69⤵PID:2152
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe70⤵PID:1944
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe71⤵PID:1252
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe72⤵PID:2384
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe73⤵PID:2196
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe74⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe75⤵PID:2560
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe76⤵PID:2800
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe77⤵PID:2956
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe78⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe79⤵PID:2548
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe80⤵PID:2920
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe81⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe82⤵PID:1656
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe83⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe84⤵PID:2144
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe85⤵PID:1492
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe86⤵PID:2964
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe87⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1880 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe89⤵PID:1264
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe90⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe91⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe92⤵
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe93⤵PID:2468
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe94⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe95⤵PID:1956
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe96⤵PID:2044
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe97⤵PID:2236
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe98⤵PID:1988
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe99⤵PID:1596
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe100⤵PID:2992
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe101⤵PID:580
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe102⤵PID:1664
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe103⤵PID:2428
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe104⤵PID:1872
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe106⤵PID:1132
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe107⤵PID:2584
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe108⤵PID:2472
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe109⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe110⤵PID:2744
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe111⤵PID:1948
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe112⤵PID:1828
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe113⤵PID:2088
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe114⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe115⤵PID:2432
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe116⤵PID:624
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe117⤵PID:2064
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe118⤵PID:1996
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe119⤵PID:2980
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe120⤵PID:2576
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe121⤵PID:860
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-