Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
06/06/2024, 22:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
21debd1fa3793e6df7b339ccab657a20_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
21debd1fa3793e6df7b339ccab657a20_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
21debd1fa3793e6df7b339ccab657a20_NeikiAnalytics.exe
-
Size
96KB
-
MD5
21debd1fa3793e6df7b339ccab657a20
-
SHA1
dcb2ff6bcbe001ee22db80ce2af77426de33ad84
-
SHA256
719ffbc95583f66f24a9b2ebe9543b5f77ea7fe2440dcc89c14fb5eb8a7a588e
-
SHA512
52f6111d79c40f8dadad4c0eb24d61a0cb03e3a5873563d113d4ec203c8b3865e979c43c30b64943f44e10c353075c2f9e1aa79dd55dc4f22581d0b88c298a1b
-
SSDEEP
1536:yVh3R+4Nd7rS1KbOX7cexpNt2LkO7RZObZUUWaegPYA:WJR/d7r8KbOLrADClUUWae
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiodmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenlqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djklmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjkombfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdfbfdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocegdjij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clbceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflgmqhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njljefql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojopad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlijfneg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klifnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidofh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aealah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieolehop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cflkpblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaadfkgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhlml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dedkdcie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acocaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldkojb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeklag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgimcebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbqlfkmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekhneap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlqomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkmhlekj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1956 Ldkojb32.exe 4560 Lgikfn32.exe 4808 Lmccchkn.exe 3536 Laopdgcg.exe 3144 Ldmlpbbj.exe 2892 Lcpllo32.exe 4608 Lkgdml32.exe 2208 Lnepih32.exe 1620 Lpcmec32.exe 1460 Ldohebqh.exe 4968 Lgneampk.exe 3920 Lilanioo.exe 1016 Laciofpa.exe 4896 Ldaeka32.exe 4948 Lcdegnep.exe 3172 Lklnhlfb.exe 3264 Lnjjdgee.exe 452 Laefdf32.exe 848 Lddbqa32.exe 432 Lcgblncm.exe 1264 Lgbnmm32.exe 1132 Mjqjih32.exe 3228 Mahbje32.exe 2876 Mdfofakp.exe 4120 Mgekbljc.exe 2564 Mkpgck32.exe 4108 Mnocof32.exe 2336 Majopeii.exe 2752 Mpmokb32.exe 2772 Mcklgm32.exe 4944 Mgghhlhq.exe 2796 Mjeddggd.exe 4452 Mamleegg.exe 4776 Mpolqa32.exe 3008 Mcnhmm32.exe 4520 Mgidml32.exe 4624 Mjhqjg32.exe 3708 Mncmjfmk.exe 3448 Maohkd32.exe 3656 Mdmegp32.exe 1064 Mcpebmkb.exe 2704 Mglack32.exe 3748 Mjjmog32.exe 4352 Mnfipekh.exe 3968 Maaepd32.exe 756 Mdpalp32.exe 4220 Mcbahlip.exe 3408 Mgnnhk32.exe 1580 Njljefql.exe 4800 Nnhfee32.exe 4224 Nacbfdao.exe 3712 Nqfbaq32.exe 4740 Ndbnboqb.exe 4784 Nklfoi32.exe 2128 Njogjfoj.exe 1916 Nnjbke32.exe 1616 Nafokcol.exe 1876 Nddkgonp.exe 1676 Ncgkcl32.exe 1088 Nkncdifl.exe 2416 Njacpf32.exe 2744 Nbhkac32.exe 1608 Nqklmpdd.exe 1276 Ndghmo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ehjlaaig.exe Eaqdegaj.exe File created C:\Windows\SysWOW64\Fipbdikp.exe Fgbfhmll.exe File created C:\Windows\SysWOW64\Legjmh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pkenjh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lgccinoe.exe Process not Found File created C:\Windows\SysWOW64\Cpfoag32.dll Process not Found File created C:\Windows\SysWOW64\Icplcpgo.exe Ipdqba32.exe File created C:\Windows\SysWOW64\Lehaho32.exe Lfealaol.exe File opened for modification C:\Windows\SysWOW64\Enhpao32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gbdgfa32.exe Gcagkdba.exe File opened for modification C:\Windows\SysWOW64\Ahcajk32.exe Process not Found File created C:\Windows\SysWOW64\Cdlqqcnl.exe Process not Found File created C:\Windows\SysWOW64\Kcidmkpq.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pkfblfab.exe Pgjfkg32.exe File created C:\Windows\SysWOW64\Fomhdg32.exe Flnlhk32.exe File opened for modification C:\Windows\SysWOW64\Ihmfco32.exe Process not Found File created C:\Windows\SysWOW64\Gkoafbld.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qmgelf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gpkchqdj.exe Gahcmd32.exe File opened for modification C:\Windows\SysWOW64\Jhijqj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jjjghcfp.exe Process not Found File created C:\Windows\SysWOW64\Acigfpbp.dll Process not Found File created C:\Windows\SysWOW64\Kigcfhbi.dll Process not Found File created C:\Windows\SysWOW64\Dgfpihkg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Iehfdi32.exe Ifefimom.exe File created C:\Windows\SysWOW64\Cmnmphdf.dll Mfjcnold.exe File created C:\Windows\SysWOW64\Bgeaifia.exe Bciehh32.exe File created C:\Windows\SysWOW64\Aggamk32.dll Bifmqo32.exe File created C:\Windows\SysWOW64\Lankbigo.exe Process not Found File created C:\Windows\SysWOW64\Dakipgan.dll Kefkme32.exe File opened for modification C:\Windows\SysWOW64\Chmndlge.exe Cabfga32.exe File created C:\Windows\SysWOW64\Eofbch32.exe Ekjfcipa.exe File created C:\Windows\SysWOW64\Mjljbfog.dll Fkciihgg.exe File created C:\Windows\SysWOW64\Emcbio32.exe Eopbnbhd.exe File created C:\Windows\SysWOW64\Ikncgkdf.dll Oileggkb.exe File created C:\Windows\SysWOW64\Igfclkdj.exe Process not Found File created C:\Windows\SysWOW64\Bpdnjple.exe Process not Found File created C:\Windows\SysWOW64\Bacjdbch.exe Process not Found File created C:\Windows\SysWOW64\Dadeieea.exe Dbaemi32.exe File opened for modification C:\Windows\SysWOW64\Ieolehop.exe Ifllil32.exe File created C:\Windows\SysWOW64\Kgngca32.dll Qceiaa32.exe File created C:\Windows\SysWOW64\Bddchh32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cdainc32.exe Ceoibflm.exe File created C:\Windows\SysWOW64\Iikhfg32.exe Ieolehop.exe File created C:\Windows\SysWOW64\Bjeehbgh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ploknb32.exe Ookjdn32.exe File created C:\Windows\SysWOW64\Oipckj32.dll Process not Found File created C:\Windows\SysWOW64\Omjpeo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gfgjgo32.exe Gblngpbd.exe File created C:\Windows\SysWOW64\Mioodgbj.dll Bjlgdc32.exe File created C:\Windows\SysWOW64\Hjcakafa.dll Process not Found File created C:\Windows\SysWOW64\Ajndioga.exe Process not Found File created C:\Windows\SysWOW64\Iepaaico.exe Process not Found File opened for modification C:\Windows\SysWOW64\Plhnda32.exe Phjenbhp.exe File opened for modification C:\Windows\SysWOW64\Dfhjkabi.exe Dgejpd32.exe File created C:\Windows\SysWOW64\Hlhbih32.dll Process not Found File created C:\Windows\SysWOW64\Ceohefin.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ibjjhn32.exe Icgjmapi.exe File created C:\Windows\SysWOW64\Kbpbed32.exe Knefeffd.exe File created C:\Windows\SysWOW64\Bgpmhl32.dll Ikbnacmd.exe File created C:\Windows\SysWOW64\Madnnmem.dll Lmppcbjd.exe File created C:\Windows\SysWOW64\Lhncdi32.exe Likcilhh.exe File opened for modification C:\Windows\SysWOW64\Mifcejnj.exe Mekgdl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14340 18604 Process not Found 2088 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpjphglm.dll" Bhdbhcck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhfjljd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhnbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljcnd32.dll" Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhblne32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnepdqjg.dll" Ekcpbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfjjppmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaamlecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplkmckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddchh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noeocqni.dll" Mlpeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpimcmab.dll" Cpglnhad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idajkk32.dll" Hkeaqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glebhjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibifp32.dll" Hbgmcnhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll" Jbhfjljd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll" Klgqcqkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbceejpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjec32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llelopkl.dll" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" Nafokcol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pclneicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll" Gcojed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakmgga.dll" Ibcmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkjmn32.dll" Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjnmo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgjfkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhgpa32.dll" Eekaebcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlqomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jghmkm32.dll" Lpkiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icndnfbg.dll" Bogcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcddpdpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Helfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kikame32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll" Oflgep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfpojead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaopkj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhafck32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onfbfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbqlfkmi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1468 wrote to memory of 1956 1468 21debd1fa3793e6df7b339ccab657a20_NeikiAnalytics.exe 82 PID 1468 wrote to memory of 1956 1468 21debd1fa3793e6df7b339ccab657a20_NeikiAnalytics.exe 82 PID 1468 wrote to memory of 1956 1468 21debd1fa3793e6df7b339ccab657a20_NeikiAnalytics.exe 82 PID 1956 wrote to memory of 4560 1956 Ldkojb32.exe 83 PID 1956 wrote to memory of 4560 1956 Ldkojb32.exe 83 PID 1956 wrote to memory of 4560 1956 Ldkojb32.exe 83 PID 4560 wrote to memory of 4808 4560 Lgikfn32.exe 84 PID 4560 wrote to memory of 4808 4560 Lgikfn32.exe 84 PID 4560 wrote to memory of 4808 4560 Lgikfn32.exe 84 PID 4808 wrote to memory of 3536 4808 Lmccchkn.exe 85 PID 4808 wrote to memory of 3536 4808 Lmccchkn.exe 85 PID 4808 wrote to memory of 3536 4808 Lmccchkn.exe 85 PID 3536 wrote to memory of 3144 3536 Laopdgcg.exe 86 PID 3536 wrote to memory of 3144 3536 Laopdgcg.exe 86 PID 3536 wrote to memory of 3144 3536 Laopdgcg.exe 86 PID 3144 wrote to memory of 2892 3144 Ldmlpbbj.exe 87 PID 3144 wrote to memory of 2892 3144 Ldmlpbbj.exe 87 PID 3144 wrote to memory of 2892 3144 Ldmlpbbj.exe 87 PID 2892 wrote to memory of 4608 2892 Lcpllo32.exe 88 PID 2892 wrote to memory of 4608 2892 Lcpllo32.exe 88 PID 2892 wrote to memory of 4608 2892 Lcpllo32.exe 88 PID 4608 wrote to memory of 2208 4608 Lkgdml32.exe 89 PID 4608 wrote to memory of 2208 4608 Lkgdml32.exe 89 PID 4608 wrote to memory of 2208 4608 Lkgdml32.exe 89 PID 2208 wrote to memory of 1620 2208 Lnepih32.exe 90 PID 2208 wrote to memory of 1620 2208 Lnepih32.exe 90 PID 2208 wrote to memory of 1620 2208 Lnepih32.exe 90 PID 1620 wrote to memory of 1460 1620 Lpcmec32.exe 91 PID 1620 wrote to memory of 1460 1620 Lpcmec32.exe 91 PID 1620 wrote to memory of 1460 1620 Lpcmec32.exe 91 PID 1460 wrote to memory of 4968 1460 Ldohebqh.exe 92 PID 1460 wrote to memory of 4968 1460 Ldohebqh.exe 92 PID 1460 wrote to memory of 4968 1460 Ldohebqh.exe 92 PID 4968 wrote to memory of 3920 4968 Lgneampk.exe 93 PID 4968 wrote to memory of 3920 4968 Lgneampk.exe 93 PID 4968 wrote to memory of 3920 4968 Lgneampk.exe 93 PID 3920 wrote to memory of 1016 3920 Lilanioo.exe 94 PID 3920 wrote to memory of 1016 3920 Lilanioo.exe 94 PID 3920 wrote to memory of 1016 3920 Lilanioo.exe 94 PID 1016 wrote to memory of 4896 1016 Laciofpa.exe 95 PID 1016 wrote to memory of 4896 1016 Laciofpa.exe 95 PID 1016 wrote to memory of 4896 1016 Laciofpa.exe 95 PID 4896 wrote to memory of 4948 4896 Ldaeka32.exe 96 PID 4896 wrote to memory of 4948 4896 Ldaeka32.exe 96 PID 4896 wrote to memory of 4948 4896 Ldaeka32.exe 96 PID 4948 wrote to memory of 3172 4948 Lcdegnep.exe 97 PID 4948 wrote to memory of 3172 4948 Lcdegnep.exe 97 PID 4948 wrote to memory of 3172 4948 Lcdegnep.exe 97 PID 3172 wrote to memory of 3264 3172 Lklnhlfb.exe 98 PID 3172 wrote to memory of 3264 3172 Lklnhlfb.exe 98 PID 3172 wrote to memory of 3264 3172 Lklnhlfb.exe 98 PID 3264 wrote to memory of 452 3264 Lnjjdgee.exe 99 PID 3264 wrote to memory of 452 3264 Lnjjdgee.exe 99 PID 3264 wrote to memory of 452 3264 Lnjjdgee.exe 99 PID 452 wrote to memory of 848 452 Laefdf32.exe 100 PID 452 wrote to memory of 848 452 Laefdf32.exe 100 PID 452 wrote to memory of 848 452 Laefdf32.exe 100 PID 848 wrote to memory of 432 848 Lddbqa32.exe 101 PID 848 wrote to memory of 432 848 Lddbqa32.exe 101 PID 848 wrote to memory of 432 848 Lddbqa32.exe 101 PID 432 wrote to memory of 1264 432 Lcgblncm.exe 102 PID 432 wrote to memory of 1264 432 Lcgblncm.exe 102 PID 432 wrote to memory of 1264 432 Lcgblncm.exe 102 PID 1264 wrote to memory of 1132 1264 Lgbnmm32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\21debd1fa3793e6df7b339ccab657a20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\21debd1fa3793e6df7b339ccab657a20_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe23⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe24⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe25⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe26⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe27⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe28⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe29⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe30⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe31⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe32⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe33⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe34⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe35⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe36⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe37⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe38⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe39⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe40⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe41⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe42⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe43⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe44⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe45⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe46⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe47⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe48⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe49⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe51⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe52⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe53⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe54⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe55⤵PID:4252
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe56⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe57⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe58⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe60⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe61⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe62⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe63⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe64⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe65⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe66⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe67⤵PID:3776
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe68⤵PID:4744
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe69⤵PID:3532
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe70⤵PID:4672
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe71⤵PID:1472
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe72⤵PID:3608
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe73⤵PID:3540
-
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe74⤵PID:4028
-
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe75⤵PID:2864
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe76⤵PID:3076
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe77⤵PID:3088
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe78⤵PID:1644
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe79⤵PID:2728
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe80⤵PID:1212
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe81⤵PID:3676
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe82⤵PID:4840
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe83⤵PID:5128
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe84⤵
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe85⤵PID:5220
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe86⤵PID:5264
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe87⤵PID:5308
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe88⤵PID:5352
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe89⤵PID:5396
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe90⤵PID:5436
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5488 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe92⤵PID:5528
-
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5580 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe94⤵PID:5624
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe95⤵PID:5676
-
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe96⤵PID:5720
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe97⤵PID:5756
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe98⤵PID:5800
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe99⤵PID:5848
-
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe100⤵PID:5888
-
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe101⤵PID:5928
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe102⤵PID:5972
-
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe103⤵PID:6016
-
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe104⤵PID:6060
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe105⤵PID:6100
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe106⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe107⤵PID:5212
-
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe108⤵PID:5340
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe109⤵PID:5376
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe110⤵PID:5464
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe111⤵PID:5568
-
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe112⤵PID:5672
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe114⤵PID:5788
-
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe115⤵PID:5868
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe116⤵PID:5956
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe117⤵PID:2816
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe118⤵PID:5392
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe119⤵PID:5180
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe120⤵PID:5360
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5496
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-