Analysis
-
max time kernel
52s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17-06-2024 03:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3d6ca7193e4ace21e35e0adb1e018eb0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3d6ca7193e4ace21e35e0adb1e018eb0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3d6ca7193e4ace21e35e0adb1e018eb0_NeikiAnalytics.exe
-
Size
45KB
-
MD5
3d6ca7193e4ace21e35e0adb1e018eb0
-
SHA1
2aea0b2fb549f077dc9494b0c8df6b8eda0cfd1f
-
SHA256
b54e08acf80155e6e6bd5130ca22def56630615b4d65a14958bfd322344869bb
-
SHA512
1ed4637cd6e5dcb5dc663ad2f9b213b8cc203322844a18a36703dcadf7757af9438accf453d7175f2fb9dd8dcda2f888b58d0d4838230b70005595366acce16a
-
SSDEEP
768:Qo33FMjBulK0WTHtWafYNUgXFDCXw9RbeO1G111111111111111111111111111c:TnFMdHt5cUgdCXWe711111111111111q
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjbena32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblngpbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifjodl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdehlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlednamo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjmhppqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldgdago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ippggbck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jioaqfcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmnlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkhmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmjcieo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdodjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeopki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfeopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfabnjjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgfoan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajfhnjhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmccchkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbbdholl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdqjceo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqhacgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdfjifjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpaifalo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgopffec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbimoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehedfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenamdem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmelbid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahode32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchddejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdjagjco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cliaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepefb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinlemia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhcpgmjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gododflk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcjlcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknpmdfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblckl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iblfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiidgeki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdfofakp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahhblemi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnhjohkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocpgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npfkgjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnbmefbg.exe -
Executes dropped EXE 64 IoCs
pid Process 5052 Ipqnahgf.exe 3336 Ibojncfj.exe 2444 Ifjfnb32.exe 3396 Imdnklfp.exe 4840 Idofhfmm.exe 3556 Ifmcdblq.exe 2376 Iikopmkd.exe 3168 Iabgaklg.exe 4568 Idacmfkj.exe 2408 Ifopiajn.exe 2312 Iinlemia.exe 756 Jaedgjjd.exe 3660 Jbfpobpb.exe 4248 Jjmhppqd.exe 3372 Jmkdlkph.exe 3920 Jpjqhgol.exe 2460 Jbhmdbnp.exe 2160 Jibeql32.exe 3288 Jmnaakne.exe 2588 Jdhine32.exe 1156 Jjbako32.exe 996 Jmpngk32.exe 4292 Jpojcf32.exe 1772 Jbmfoa32.exe 2144 Jkdnpo32.exe 2868 Jangmibi.exe 3536 Jdmcidam.exe 3976 Jfkoeppq.exe 4628 Jiikak32.exe 4280 Kaqcbi32.exe 1120 Kpccnefa.exe 2792 Kbapjafe.exe 3060 Kkihknfg.exe 3272 Kilhgk32.exe 4612 Kacphh32.exe 1052 Kbdmpqcb.exe 2892 Kkkdan32.exe 3488 Kmjqmi32.exe 1828 Kphmie32.exe 3212 Kdcijcke.exe 1760 Kbfiep32.exe 4424 Kknafn32.exe 3700 Kmlnbi32.exe 5028 Kpjjod32.exe 5000 Kdffocib.exe 3520 Kkpnlm32.exe 1440 Kibnhjgj.exe 544 Kajfig32.exe 4268 Kpmfddnf.exe 4640 Kgfoan32.exe 3204 Kkbkamnl.exe 3056 Lmqgnhmp.exe 4896 Ldkojb32.exe 2348 Lcmofolg.exe 2684 Liggbi32.exe 4460 Lmccchkn.exe 1824 Lpappc32.exe 2240 Lcpllo32.exe 1948 Lgkhlnbn.exe 2380 Lijdhiaa.exe 2496 Lnepih32.exe 2184 Lpcmec32.exe 1700 Ldohebqh.exe 3836 Lgneampk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ldaeka32.exe Laciofpa.exe File opened for modification C:\Windows\SysWOW64\Leihbeib.exe Lffhfh32.exe File opened for modification C:\Windows\SysWOW64\Ajkaii32.exe Acqimo32.exe File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe Cmqmma32.exe File created C:\Windows\SysWOW64\Kngpec32.dll Dknpmdfc.exe File opened for modification C:\Windows\SysWOW64\Mahbje32.exe Lknjmkdo.exe File created C:\Windows\SysWOW64\Phadlp32.dll Ahmlgd32.exe File created C:\Windows\SysWOW64\Dejpjp32.dll Foabofnn.exe File created C:\Windows\SysWOW64\Gododflk.exe Glebhjlg.exe File created C:\Windows\SysWOW64\Ojgbfocc.exe Ocnjidkf.exe File opened for modification C:\Windows\SysWOW64\Kbdmpqcb.exe Kacphh32.exe File created C:\Windows\SysWOW64\Kdcijcke.exe Kphmie32.exe File opened for modification C:\Windows\SysWOW64\Lcmofolg.exe Ldkojb32.exe File created C:\Windows\SysWOW64\Jnngob32.dll Lddbqa32.exe File created C:\Windows\SysWOW64\Jiopcppf.dll Jbeidl32.exe File created C:\Windows\SysWOW64\Bapiabak.exe Bnbmefbg.exe File opened for modification C:\Windows\SysWOW64\Lpappc32.exe Lmccchkn.exe File created C:\Windows\SysWOW64\Adcmmeog.exe Angddopp.exe File opened for modification C:\Windows\SysWOW64\Ehedfo32.exe Eolpmi32.exe File created C:\Windows\SysWOW64\Odqjbebh.dll Hmcojh32.exe File created C:\Windows\SysWOW64\Mjegoo32.dll Hbpgbo32.exe File created C:\Windows\SysWOW64\Pcccfh32.exe Pbbgnpgl.exe File created C:\Windows\SysWOW64\Mgjpndjd.dll Agffge32.exe File opened for modification C:\Windows\SysWOW64\Acnlgp32.exe Aeklkchg.exe File created C:\Windows\SysWOW64\Amfoeb32.dll Dmgbnq32.exe File created C:\Windows\SysWOW64\Bobiobnp.dll Dkkcge32.exe File opened for modification C:\Windows\SysWOW64\Lpcmec32.exe Lnepih32.exe File created C:\Windows\SysWOW64\Oqbamo32.exe Ondeac32.exe File created C:\Windows\SysWOW64\Nhdlom32.dll Fdnjgmle.exe File created C:\Windows\SysWOW64\Nghjpm32.dll Gododflk.exe File opened for modification C:\Windows\SysWOW64\Jidklf32.exe Jfeopj32.exe File created C:\Windows\SysWOW64\Olkhmi32.exe Ojllan32.exe File opened for modification C:\Windows\SysWOW64\Occkojkm.exe Oqdoboli.exe File created C:\Windows\SysWOW64\Ajneip32.exe Adcmmeog.exe File created C:\Windows\SysWOW64\Hfqlnm32.exe Hbeqmoji.exe File opened for modification C:\Windows\SysWOW64\Iifokh32.exe Iblfnn32.exe File opened for modification C:\Windows\SysWOW64\Ibnccmbo.exe Ippggbck.exe File created C:\Windows\SysWOW64\Dfknkg32.exe Ddmaok32.exe File created C:\Windows\SysWOW64\Jfeopj32.exe Jcgbco32.exe File opened for modification C:\Windows\SysWOW64\Kdeoemeg.exe Kmkfhc32.exe File created C:\Windows\SysWOW64\Imdnklfp.exe Ifjfnb32.exe File opened for modification C:\Windows\SysWOW64\Nkncdifl.exe Ngcgcjnc.exe File created C:\Windows\SysWOW64\Fchddejl.exe Fkalchij.exe File created C:\Windows\SysWOW64\Gfgkmfoj.dll Glhonj32.exe File created C:\Windows\SysWOW64\Ainpbi32.dll Gicinj32.exe File created C:\Windows\SysWOW64\Mfadpi32.dll Imakkfdg.exe File created C:\Windows\SysWOW64\Anogiicl.exe Ageolo32.exe File created C:\Windows\SysWOW64\Jbhmdbnp.exe Jpjqhgol.exe File created C:\Windows\SysWOW64\Qadpibkg.dll Dedkdcie.exe File opened for modification C:\Windows\SysWOW64\Bcjlcn32.exe Bnmcjg32.exe File created C:\Windows\SysWOW64\Chcddk32.exe Cajlhqjp.exe File created C:\Windows\SysWOW64\Jedeph32.exe Jbeidl32.exe File created C:\Windows\SysWOW64\Liddbc32.exe Leihbeib.exe File created C:\Windows\SysWOW64\Dknpmdfc.exe Dgbdlf32.exe File created C:\Windows\SysWOW64\Epmjjbbj.dll Mpmokb32.exe File opened for modification C:\Windows\SysWOW64\Gfngap32.exe Gbbkaako.exe File created C:\Windows\SysWOW64\Glccbn32.dll Iehfdi32.exe File opened for modification C:\Windows\SysWOW64\Megdccmb.exe Mdehlk32.exe File opened for modification C:\Windows\SysWOW64\Anmjcieo.exe Qffbbldm.exe File created C:\Windows\SysWOW64\Gfghpl32.dll Deagdn32.exe File created C:\Windows\SysWOW64\Jeiooj32.dll Jpojcf32.exe File created C:\Windows\SysWOW64\Clpgpp32.exe Cajcbgml.exe File opened for modification C:\Windows\SysWOW64\Eoaihhlp.exe Elbmlmml.exe File opened for modification C:\Windows\SysWOW64\Miemjaci.exe Mgfqmfde.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11120 10912 WerFault.exe 553 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibeql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgneampk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqdoboli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll" Ifmcdblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njljefql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pniggbmk.dll" Dhbgqohi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehedfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heocnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmiciaaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qffbbldm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmkdlkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll" Lkiqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mahbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obfhba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbmncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iblfnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll" Jmnaakne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obdkma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcjapi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkjmlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Megdccmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll" Jangmibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjpndjd.dll" Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll" Mdehlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll" Ncfdie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkgeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgjfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcbhjlp.dll" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcfqfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" Bffkij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiikak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkdbljm.dll" Eoaihhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll" Mdhdajea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miemjaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nngokoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqfbaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odednmpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pengdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmhlekj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmhale32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcllonma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll" Lmccchkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapn32.dll" Oqkdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbcedcn.dll" Icnpmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjkombfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjnop32.dll" Ildkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iihkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgfqmfde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll" Lnjjdgee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll" Lknjmkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lffhfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagplp32.dll" Jcioiood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll" Llcpoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkdnpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmjqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll" Kknafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lphfpbdi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2484 wrote to memory of 5052 2484 3d6ca7193e4ace21e35e0adb1e018eb0_NeikiAnalytics.exe 82 PID 2484 wrote to memory of 5052 2484 3d6ca7193e4ace21e35e0adb1e018eb0_NeikiAnalytics.exe 82 PID 2484 wrote to memory of 5052 2484 3d6ca7193e4ace21e35e0adb1e018eb0_NeikiAnalytics.exe 82 PID 5052 wrote to memory of 3336 5052 Ipqnahgf.exe 83 PID 5052 wrote to memory of 3336 5052 Ipqnahgf.exe 83 PID 5052 wrote to memory of 3336 5052 Ipqnahgf.exe 83 PID 3336 wrote to memory of 2444 3336 Ibojncfj.exe 84 PID 3336 wrote to memory of 2444 3336 Ibojncfj.exe 84 PID 3336 wrote to memory of 2444 3336 Ibojncfj.exe 84 PID 2444 wrote to memory of 3396 2444 Ifjfnb32.exe 85 PID 2444 wrote to memory of 3396 2444 Ifjfnb32.exe 85 PID 2444 wrote to memory of 3396 2444 Ifjfnb32.exe 85 PID 3396 wrote to memory of 4840 3396 Imdnklfp.exe 86 PID 3396 wrote to memory of 4840 3396 Imdnklfp.exe 86 PID 3396 wrote to memory of 4840 3396 Imdnklfp.exe 86 PID 4840 wrote to memory of 3556 4840 Idofhfmm.exe 87 PID 4840 wrote to memory of 3556 4840 Idofhfmm.exe 87 PID 4840 wrote to memory of 3556 4840 Idofhfmm.exe 87 PID 3556 wrote to memory of 2376 3556 Ifmcdblq.exe 89 PID 3556 wrote to memory of 2376 3556 Ifmcdblq.exe 89 PID 3556 wrote to memory of 2376 3556 Ifmcdblq.exe 89 PID 2376 wrote to memory of 3168 2376 Iikopmkd.exe 90 PID 2376 wrote to memory of 3168 2376 Iikopmkd.exe 90 PID 2376 wrote to memory of 3168 2376 Iikopmkd.exe 90 PID 3168 wrote to memory of 4568 3168 Iabgaklg.exe 91 PID 3168 wrote to memory of 4568 3168 Iabgaklg.exe 91 PID 3168 wrote to memory of 4568 3168 Iabgaklg.exe 91 PID 4568 wrote to memory of 2408 4568 Idacmfkj.exe 92 PID 4568 wrote to memory of 2408 4568 Idacmfkj.exe 92 PID 4568 wrote to memory of 2408 4568 Idacmfkj.exe 92 PID 2408 wrote to memory of 2312 2408 Ifopiajn.exe 93 PID 2408 wrote to memory of 2312 2408 Ifopiajn.exe 93 PID 2408 wrote to memory of 2312 2408 Ifopiajn.exe 93 PID 2312 wrote to memory of 756 2312 Iinlemia.exe 95 PID 2312 wrote to memory of 756 2312 Iinlemia.exe 95 PID 2312 wrote to memory of 756 2312 Iinlemia.exe 95 PID 756 wrote to memory of 3660 756 Jaedgjjd.exe 96 PID 756 wrote to memory of 3660 756 Jaedgjjd.exe 96 PID 756 wrote to memory of 3660 756 Jaedgjjd.exe 96 PID 3660 wrote to memory of 4248 3660 Jbfpobpb.exe 97 PID 3660 wrote to memory of 4248 3660 Jbfpobpb.exe 97 PID 3660 wrote to memory of 4248 3660 Jbfpobpb.exe 97 PID 4248 wrote to memory of 3372 4248 Jjmhppqd.exe 98 PID 4248 wrote to memory of 3372 4248 Jjmhppqd.exe 98 PID 4248 wrote to memory of 3372 4248 Jjmhppqd.exe 98 PID 3372 wrote to memory of 3920 3372 Jmkdlkph.exe 99 PID 3372 wrote to memory of 3920 3372 Jmkdlkph.exe 99 PID 3372 wrote to memory of 3920 3372 Jmkdlkph.exe 99 PID 3920 wrote to memory of 2460 3920 Jpjqhgol.exe 100 PID 3920 wrote to memory of 2460 3920 Jpjqhgol.exe 100 PID 3920 wrote to memory of 2460 3920 Jpjqhgol.exe 100 PID 2460 wrote to memory of 2160 2460 Jbhmdbnp.exe 101 PID 2460 wrote to memory of 2160 2460 Jbhmdbnp.exe 101 PID 2460 wrote to memory of 2160 2460 Jbhmdbnp.exe 101 PID 2160 wrote to memory of 3288 2160 Jibeql32.exe 103 PID 2160 wrote to memory of 3288 2160 Jibeql32.exe 103 PID 2160 wrote to memory of 3288 2160 Jibeql32.exe 103 PID 3288 wrote to memory of 2588 3288 Jmnaakne.exe 104 PID 3288 wrote to memory of 2588 3288 Jmnaakne.exe 104 PID 3288 wrote to memory of 2588 3288 Jmnaakne.exe 104 PID 2588 wrote to memory of 1156 2588 Jdhine32.exe 105 PID 2588 wrote to memory of 1156 2588 Jdhine32.exe 105 PID 2588 wrote to memory of 1156 2588 Jdhine32.exe 105 PID 1156 wrote to memory of 996 1156 Jjbako32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d6ca7193e4ace21e35e0adb1e018eb0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3d6ca7193e4ace21e35e0adb1e018eb0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Ifopiajn.exeC:\Windows\system32\Ifopiajn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Jmkdlkph.exeC:\Windows\system32\Jmkdlkph.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe23⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4292 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe25⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Jdmcidam.exeC:\Windows\system32\Jdmcidam.exe28⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Jfkoeppq.exeC:\Windows\system32\Jfkoeppq.exe29⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4628 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe31⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Kpccnefa.exeC:\Windows\system32\Kpccnefa.exe32⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe33⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe34⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe35⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4612 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe37⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe38⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3488 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe41⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe42⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe44⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe45⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe46⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe47⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe48⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe49⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe50⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe52⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe53⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4896 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe55⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe56⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe58⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe59⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe60⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe61⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe63⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe64⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:3836 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe66⤵
- Modifies registry class
PID:720 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe67⤵PID:4188
-
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe68⤵
- Drops file in System32 directory
PID:3084 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe69⤵PID:5064
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe70⤵PID:2164
-
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe71⤵PID:4932
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe72⤵
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe73⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe74⤵
- Drops file in System32 directory
PID:4708 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe75⤵
- Drops file in System32 directory
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe76⤵
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4740 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe78⤵PID:464
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe79⤵PID:4892
-
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe80⤵
- Drops file in System32 directory
PID:3760 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe81⤵PID:4288
-
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe82⤵PID:2404
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe83⤵PID:3568
-
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe84⤵PID:1492
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe87⤵PID:3208
-
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe88⤵PID:968
-
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe89⤵
- Modifies registry class
PID:3164 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe90⤵
- Modifies registry class
PID:3692 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe92⤵PID:4976
-
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4608 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe94⤵
- Drops file in System32 directory
PID:3176 -
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe95⤵PID:2072
-
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe96⤵PID:4760
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe97⤵PID:4988
-
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe98⤵PID:2036
-
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe99⤵PID:1004
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe100⤵PID:2212
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe101⤵PID:3988
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe102⤵PID:3792
-
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe104⤵PID:1584
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe105⤵PID:1848
-
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe106⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe107⤵PID:1112
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe108⤵PID:1604
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe109⤵PID:5148
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe111⤵PID:5236
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe112⤵PID:5284
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe113⤵
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe114⤵PID:5368
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe115⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe116⤵
- Modifies registry class
PID:5452 -
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe117⤵PID:5496
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe118⤵PID:5536
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe119⤵
- Modifies registry class
PID:5584 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe120⤵
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe121⤵PID:5672
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe122⤵PID:5712
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-