Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 18:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe
-
Size
80KB
-
MD5
32daf82b2d08a76a35bd3d79c06eb6c0
-
SHA1
6b38eb2e55e18b87c7a0437326e4bf892445f1e9
-
SHA256
05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6
-
SHA512
5446be34ad2fd41a7e897fc527072f60bad7a25ea65d1830e88571f871b21e4d08043d27ff4f516b6e8efe9a6edd3815beb2593d679b2939794f9ae7156ffb3d
-
SSDEEP
1536:ORQTUJNCZ/pBJvpJn1BlbPEU2LY7aIZTJ+7LhkiB0:5QJNkJXn5bPEtmaMU7ui
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomhcbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmkghcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okoomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjmkcbcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiellh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicpfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpkce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmkio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpfhcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkgnfbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pelipl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjknnbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plcdgfbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejcjbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnkbdlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbkddem.exe -
Executes dropped EXE 64 IoCs
pid Process 904 Lgoacojo.exe 3064 Lpgele32.exe 2588 Lkmjin32.exe 2708 Lipjejgp.exe 2368 Lpjbad32.exe 2524 Lefkjkmc.exe 2632 Lmnbkinf.exe 2764 Mcjkcplm.exe 2896 Meigpkka.exe 2012 Mhgclfje.exe 2236 Moalhq32.exe 312 Maphdl32.exe 1700 Mkhmma32.exe 2556 Mabejlob.exe 2968 Mhlmgf32.exe 536 Mkjica32.exe 576 Madapkmp.exe 2916 Mhnjle32.exe 2052 Mohbip32.exe 2156 Mnkbdlbd.exe 1780 Mdejaf32.exe 668 Mgcgmb32.exe 1632 Nnnojlpa.exe 1264 Naikkk32.exe 1500 Ndgggf32.exe 1724 Ngfcca32.exe 2684 Njdpomfe.exe 2828 Nghphaeo.exe 2652 Nnbhek32.exe 2508 Nqqdag32.exe 2904 Nfmmin32.exe 2248 Njiijlbp.exe 2448 Nqcagfim.exe 2796 Ncancbha.exe 1820 Ncancbha.exe 2044 Njkfpl32.exe 2392 Nkmbgdfl.exe 2220 Nccjhafn.exe 1596 Nbfjdn32.exe 2108 Okoomd32.exe 2308 Onmkio32.exe 876 Odgcfijj.exe 1496 Oicpfh32.exe 1704 Ogfpbeim.exe 1568 Oomhcbjp.exe 2168 Odjpkihg.exe 1788 Oiellh32.exe 1856 Ojficpfn.exe 780 Onbddoog.exe 1964 Obnqem32.exe 1200 Oelmai32.exe 2672 Ogjimd32.exe 2980 Ojieip32.exe 2640 Omgaek32.exe 2480 Oqcnfjli.exe 1840 Ocajbekl.exe 2768 Ofpfnqjp.exe 2028 Ojkboo32.exe 1828 Pminkk32.exe 2184 Pphjgfqq.exe 1644 Pgobhcac.exe 2132 Pfbccp32.exe 2080 Pipopl32.exe 2136 Paggai32.exe -
Loads dropped DLL 64 IoCs
pid Process 2112 05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe 2112 05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe 904 Lgoacojo.exe 904 Lgoacojo.exe 3064 Lpgele32.exe 3064 Lpgele32.exe 2588 Lkmjin32.exe 2588 Lkmjin32.exe 2708 Lipjejgp.exe 2708 Lipjejgp.exe 2368 Lpjbad32.exe 2368 Lpjbad32.exe 2524 Lefkjkmc.exe 2524 Lefkjkmc.exe 2632 Lmnbkinf.exe 2632 Lmnbkinf.exe 2764 Mcjkcplm.exe 2764 Mcjkcplm.exe 2896 Meigpkka.exe 2896 Meigpkka.exe 2012 Mhgclfje.exe 2012 Mhgclfje.exe 2236 Moalhq32.exe 2236 Moalhq32.exe 312 Maphdl32.exe 312 Maphdl32.exe 1700 Mkhmma32.exe 1700 Mkhmma32.exe 2556 Mabejlob.exe 2556 Mabejlob.exe 2968 Mhlmgf32.exe 2968 Mhlmgf32.exe 536 Mkjica32.exe 536 Mkjica32.exe 576 Madapkmp.exe 576 Madapkmp.exe 2916 Mhnjle32.exe 2916 Mhnjle32.exe 2052 Mohbip32.exe 2052 Mohbip32.exe 2156 Mnkbdlbd.exe 2156 Mnkbdlbd.exe 1780 Mdejaf32.exe 1780 Mdejaf32.exe 668 Mgcgmb32.exe 668 Mgcgmb32.exe 1632 Nnnojlpa.exe 1632 Nnnojlpa.exe 1264 Naikkk32.exe 1264 Naikkk32.exe 1500 Ndgggf32.exe 1500 Ndgggf32.exe 1724 Ngfcca32.exe 1724 Ngfcca32.exe 2684 Njdpomfe.exe 2684 Njdpomfe.exe 2828 Nghphaeo.exe 2828 Nghphaeo.exe 2652 Nnbhek32.exe 2652 Nnbhek32.exe 2508 Nqqdag32.exe 2508 Nqqdag32.exe 2904 Nfmmin32.exe 2904 Nfmmin32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dodonf32.exe Dkhcmgnl.exe File opened for modification C:\Windows\SysWOW64\Flabbihl.exe Fckjalhj.exe File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe Ihoafpmp.exe File created C:\Windows\SysWOW64\Peinaf32.dll Ndgggf32.exe File created C:\Windows\SysWOW64\Pacebaej.dll Bdjefj32.exe File created C:\Windows\SysWOW64\Bkdmcdoe.exe Bhfagipa.exe File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Pqiqnfej.dll Iaeiieeb.exe File created C:\Windows\SysWOW64\Cdcfgc32.dll Affhncfc.exe File created C:\Windows\SysWOW64\Afkbib32.exe Abpfhcje.exe File opened for modification C:\Windows\SysWOW64\Dbpodagk.exe Cobbhfhg.exe File opened for modification C:\Windows\SysWOW64\Dnilobkm.exe Dhmcfkme.exe File created C:\Windows\SysWOW64\Ldhebk32.dll Pelipl32.exe File created C:\Windows\SysWOW64\Bpfcgg32.exe Aljgfioc.exe File opened for modification C:\Windows\SysWOW64\Fbdqmghm.exe Fdapak32.exe File opened for modification C:\Windows\SysWOW64\Ngfcca32.exe Ndgggf32.exe File created C:\Windows\SysWOW64\Kfammbdf.dll Pfdpip32.exe File opened for modification C:\Windows\SysWOW64\Penfelgm.exe Pabjem32.exe File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Dlcdphdj.dll Claifkkf.exe File created C:\Windows\SysWOW64\Gfefiemq.exe Gbijhg32.exe File created C:\Windows\SysWOW64\Hdfflm32.exe Hahjpbad.exe File created C:\Windows\SysWOW64\Gghcajge.dll Mhlmgf32.exe File opened for modification C:\Windows\SysWOW64\Bopicc32.exe Bkdmcdoe.exe File created C:\Windows\SysWOW64\Djpmccqq.exe Dkmmhf32.exe File created C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Qngmeo32.dll Mdejaf32.exe File created C:\Windows\SysWOW64\Piddlm32.dll Oomhcbjp.exe File opened for modification C:\Windows\SysWOW64\Clomqk32.exe Cjpqdp32.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Bfekgp32.dll Fddmgjpo.exe File opened for modification C:\Windows\SysWOW64\Hlakpp32.exe Hicodd32.exe File created C:\Windows\SysWOW64\Hjjddchg.exe Henidd32.exe File opened for modification C:\Windows\SysWOW64\Nbfjdn32.exe Nccjhafn.exe File opened for modification C:\Windows\SysWOW64\Mefagn32.dll Qjknnbed.exe File opened for modification C:\Windows\SysWOW64\Gbnccfpb.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Mjccnjpk.dll Aajpelhl.exe File created C:\Windows\SysWOW64\Kpeliikc.dll Abbbnchb.exe File created C:\Windows\SysWOW64\Oojimd32.dll Mhgclfje.exe File created C:\Windows\SysWOW64\Aiinen32.exe Afkbib32.exe File created C:\Windows\SysWOW64\Clomqk32.exe Cjpqdp32.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dgfjbgmh.exe File created C:\Windows\SysWOW64\Pabfdklg.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Gkkemh32.exe Ggpimica.exe File created C:\Windows\SysWOW64\Bgpkceld.dll Bingpmnl.exe File created C:\Windows\SysWOW64\Kcehqcli.dll 05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Ifjcng32.dll Ncancbha.exe File created C:\Windows\SysWOW64\Ahakmf32.exe Qecoqk32.exe File opened for modification C:\Windows\SysWOW64\Ocajbekl.exe Oqcnfjli.exe File created C:\Windows\SysWOW64\Dlgohm32.dll Ebinic32.exe File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe Hpmgqnfl.exe File created C:\Windows\SysWOW64\Hqddgc32.dll Ahchbf32.exe File created C:\Windows\SysWOW64\Gncffdfn.dll Bnpmipql.exe File created C:\Windows\SysWOW64\Lbcoccqf.dll Ojficpfn.exe File created C:\Windows\SysWOW64\Gclcefmh.dll Ccdlbf32.exe File created C:\Windows\SysWOW64\Ppmdbe32.exe Pmnhfjmg.exe File opened for modification C:\Windows\SysWOW64\Dhjgal32.exe Dbpodagk.exe File created C:\Windows\SysWOW64\Eijcpoac.exe Eijcpoac.exe File created C:\Windows\SysWOW64\Fddmgjpo.exe Fphafl32.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Mabejlob.exe Mkhmma32.exe File opened for modification C:\Windows\SysWOW64\Ckdjbh32.exe Claifkkf.exe File created C:\Windows\SysWOW64\Ejdmpb32.dll Hlhaqogk.exe File created C:\Windows\SysWOW64\Ajenen32.dll Ppmdbe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3688 4020 WerFault.exe 337 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgaje32.dll" Nccjhafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmoql32.dll" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcfmmpb.dll" Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfefiemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmlnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qefpjhef.dll" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddcdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjgoce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnajckm.dll" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfdaihk.dll" Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll" Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" Gicbeald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbiciana.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll" Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdalhhc.dll" Bbdocc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gicbeald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeahel32.dll" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gmjaic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojimd32.dll" Mhgclfje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcidhml.dll" Pbkpna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" Hggomh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkdmcdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll" Eloemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahjpbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcifgjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnnojlpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgpfqll.dll" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakeiib.dll" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinfim32.dll" Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" Hjjddchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alqkcl32.dll" Nghphaeo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2112 wrote to memory of 904 2112 05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe 28 PID 2112 wrote to memory of 904 2112 05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe 28 PID 2112 wrote to memory of 904 2112 05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe 28 PID 2112 wrote to memory of 904 2112 05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe 28 PID 904 wrote to memory of 3064 904 Lgoacojo.exe 29 PID 904 wrote to memory of 3064 904 Lgoacojo.exe 29 PID 904 wrote to memory of 3064 904 Lgoacojo.exe 29 PID 904 wrote to memory of 3064 904 Lgoacojo.exe 29 PID 3064 wrote to memory of 2588 3064 Lpgele32.exe 30 PID 3064 wrote to memory of 2588 3064 Lpgele32.exe 30 PID 3064 wrote to memory of 2588 3064 Lpgele32.exe 30 PID 3064 wrote to memory of 2588 3064 Lpgele32.exe 30 PID 2588 wrote to memory of 2708 2588 Lkmjin32.exe 31 PID 2588 wrote to memory of 2708 2588 Lkmjin32.exe 31 PID 2588 wrote to memory of 2708 2588 Lkmjin32.exe 31 PID 2588 wrote to memory of 2708 2588 Lkmjin32.exe 31 PID 2708 wrote to memory of 2368 2708 Lipjejgp.exe 32 PID 2708 wrote to memory of 2368 2708 Lipjejgp.exe 32 PID 2708 wrote to memory of 2368 2708 Lipjejgp.exe 32 PID 2708 wrote to memory of 2368 2708 Lipjejgp.exe 32 PID 2368 wrote to memory of 2524 2368 Lpjbad32.exe 33 PID 2368 wrote to memory of 2524 2368 Lpjbad32.exe 33 PID 2368 wrote to memory of 2524 2368 Lpjbad32.exe 33 PID 2368 wrote to memory of 2524 2368 Lpjbad32.exe 33 PID 2524 wrote to memory of 2632 2524 Lefkjkmc.exe 34 PID 2524 wrote to memory of 2632 2524 Lefkjkmc.exe 34 PID 2524 wrote to memory of 2632 2524 Lefkjkmc.exe 34 PID 2524 wrote to memory of 2632 2524 Lefkjkmc.exe 34 PID 2632 wrote to memory of 2764 2632 Lmnbkinf.exe 35 PID 2632 wrote to memory of 2764 2632 Lmnbkinf.exe 35 PID 2632 wrote to memory of 2764 2632 Lmnbkinf.exe 35 PID 2632 wrote to memory of 2764 2632 Lmnbkinf.exe 35 PID 2764 wrote to memory of 2896 2764 Mcjkcplm.exe 36 PID 2764 wrote to memory of 2896 2764 Mcjkcplm.exe 36 PID 2764 wrote to memory of 2896 2764 Mcjkcplm.exe 36 PID 2764 wrote to memory of 2896 2764 Mcjkcplm.exe 36 PID 2896 wrote to memory of 2012 2896 Meigpkka.exe 37 PID 2896 wrote to memory of 2012 2896 Meigpkka.exe 37 PID 2896 wrote to memory of 2012 2896 Meigpkka.exe 37 PID 2896 wrote to memory of 2012 2896 Meigpkka.exe 37 PID 2012 wrote to memory of 2236 2012 Mhgclfje.exe 38 PID 2012 wrote to memory of 2236 2012 Mhgclfje.exe 38 PID 2012 wrote to memory of 2236 2012 Mhgclfje.exe 38 PID 2012 wrote to memory of 2236 2012 Mhgclfje.exe 38 PID 2236 wrote to memory of 312 2236 Moalhq32.exe 39 PID 2236 wrote to memory of 312 2236 Moalhq32.exe 39 PID 2236 wrote to memory of 312 2236 Moalhq32.exe 39 PID 2236 wrote to memory of 312 2236 Moalhq32.exe 39 PID 312 wrote to memory of 1700 312 Maphdl32.exe 40 PID 312 wrote to memory of 1700 312 Maphdl32.exe 40 PID 312 wrote to memory of 1700 312 Maphdl32.exe 40 PID 312 wrote to memory of 1700 312 Maphdl32.exe 40 PID 1700 wrote to memory of 2556 1700 Mkhmma32.exe 41 PID 1700 wrote to memory of 2556 1700 Mkhmma32.exe 41 PID 1700 wrote to memory of 2556 1700 Mkhmma32.exe 41 PID 1700 wrote to memory of 2556 1700 Mkhmma32.exe 41 PID 2556 wrote to memory of 2968 2556 Mabejlob.exe 42 PID 2556 wrote to memory of 2968 2556 Mabejlob.exe 42 PID 2556 wrote to memory of 2968 2556 Mabejlob.exe 42 PID 2556 wrote to memory of 2968 2556 Mabejlob.exe 42 PID 2968 wrote to memory of 536 2968 Mhlmgf32.exe 43 PID 2968 wrote to memory of 536 2968 Mhlmgf32.exe 43 PID 2968 wrote to memory of 536 2968 Mhlmgf32.exe 43 PID 2968 wrote to memory of 536 2968 Mhlmgf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\05c022b2ccc283d84b7f892e64a431ab76ff27868e6594958c675e1bff2ef4c6_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:668 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe34⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe35⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe37⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe38⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe40⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe43⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe45⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe47⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe51⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe52⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe53⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe54⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe55⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe62⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe63⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe64⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe66⤵PID:336
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe67⤵
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe69⤵PID:1940
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe70⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe71⤵
- Drops file in System32 directory
PID:928 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe72⤵PID:2872
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe73⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe74⤵PID:2700
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe75⤵PID:2468
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe77⤵PID:2924
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe78⤵PID:2020
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe80⤵PID:644
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe81⤵PID:1052
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe83⤵
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe84⤵PID:2992
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe85⤵
- Modifies registry class
PID:488 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe87⤵PID:1128
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe88⤵PID:2152
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe90⤵PID:276
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe92⤵PID:1624
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe93⤵PID:2568
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe94⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe95⤵PID:2472
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe96⤵PID:1036
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe97⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe98⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe99⤵PID:1764
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe100⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe101⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe102⤵PID:692
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe103⤵PID:2428
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1396 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe105⤵PID:1992
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe106⤵PID:1164
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe107⤵PID:1592
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe109⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe111⤵PID:2776
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe112⤵PID:1680
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe113⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe114⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe115⤵PID:2096
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe116⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe118⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe119⤵PID:2888
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe121⤵PID:2464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-