Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
24-06-2024 03:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe
-
Size
312KB
-
MD5
6b7c06a84610cf2faa0430eab9738b50
-
SHA1
6e37acd0b0c8041385ec4cabcb70315ec6a0dcf3
-
SHA256
3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a
-
SHA512
7ee8270da1e65ee211207c9b6bbc0fbe6dc2b4d8129feec033e11d1aa19f106b4892635694a8bf94f6731a056fa08f5b74e4aa54e53df83ca9d421b5c0143566
-
SSDEEP
6144:do5VU21BPXuapoaCPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSf:K55uqFHRFbev
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnhnbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpolmdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnbobin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmmfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgfckcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombapedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbdnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gldkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jicgpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjfdhbld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoamgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oicpfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgqcmlgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kinaqg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlkepi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidjnkdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncdgcqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgninie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjefg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgkcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoamgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naikkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbomfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmfqkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgcgmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihmjejl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdnepk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klnjbbdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbqecg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnefdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpfkdmf.exe -
Executes dropped EXE 64 IoCs
pid Process 2660 Ijoeji32.exe 1996 Iqimgc32.exe 2588 Iqimgc32.exe 2724 Iolmbpfe.exe 3028 Ichico32.exe 2616 Iclcnnji.exe 2512 Ifkojiim.exe 2312 Iiikfehq.exe 1408 Jinead32.exe 2808 Jgqemakf.exe 2152 Jnkmjk32.exe 1692 Jaiiff32.exe 1892 Jgenhp32.exe 1372 Jjdkdl32.exe 2220 Jmbgpg32.exe 2176 Jancafna.exe 2204 Jfkkimlh.exe 764 Kjhdokbo.exe 1340 Kpemgbqf.exe 2288 Kcahhq32.exe 1956 Kbcicmpj.exe 1344 Kinaqg32.exe 944 Kphimanc.exe 1268 Kbfeimng.exe 1032 Kipnfged.exe 1628 Klnjbbdh.exe 2000 Kakbjibo.exe 2628 Kibjkgca.exe 2672 Koocdnai.exe 2664 Kbkodl32.exe 2612 Kdlkld32.exe 1560 Loapim32.exe 2912 Lekhfgfc.exe 2580 Lfmdnp32.exe 1684 Lkhpnnej.exe 2392 Lmgmjjdn.exe 2380 Ldqegd32.exe 1624 Limmokib.exe 1784 Ladeqhjd.exe 1808 Lbfahp32.exe 1924 Lipjejgp.exe 320 Lmkfei32.exe 1092 Llnfaffc.exe 1876 Lchnnp32.exe 752 Lgdjnofi.exe 2452 Mgfgdn32.exe 1816 Meigpkka.exe 940 Midcpj32.exe 2248 Mlcple32.exe 2708 Mpolmdkg.exe 1820 Moalhq32.exe 2624 Maphdl32.exe 2632 Mekdekin.exe 836 Migpeiag.exe 1596 Mlelaeqk.exe 1840 Mkhmma32.exe 2620 Mochnppo.exe 284 Mcodno32.exe 2388 Mabejlob.exe 2356 Mlgigdoh.exe 2528 Mkjica32.exe 680 Mnieom32.exe 2848 Madapkmp.exe 2372 Mepnpj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2188 3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe 2188 3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe 2660 Ijoeji32.exe 2660 Ijoeji32.exe 1996 Iqimgc32.exe 1996 Iqimgc32.exe 2588 Iqimgc32.exe 2588 Iqimgc32.exe 2724 Iolmbpfe.exe 2724 Iolmbpfe.exe 3028 Ichico32.exe 3028 Ichico32.exe 2616 Iclcnnji.exe 2616 Iclcnnji.exe 2512 Ifkojiim.exe 2512 Ifkojiim.exe 2312 Iiikfehq.exe 2312 Iiikfehq.exe 1408 Jinead32.exe 1408 Jinead32.exe 2808 Jgqemakf.exe 2808 Jgqemakf.exe 2152 Jnkmjk32.exe 2152 Jnkmjk32.exe 1692 Jaiiff32.exe 1692 Jaiiff32.exe 1892 Jgenhp32.exe 1892 Jgenhp32.exe 1372 Jjdkdl32.exe 1372 Jjdkdl32.exe 2220 Jmbgpg32.exe 2220 Jmbgpg32.exe 2176 Jancafna.exe 2176 Jancafna.exe 2204 Jfkkimlh.exe 2204 Jfkkimlh.exe 764 Kjhdokbo.exe 764 Kjhdokbo.exe 1340 Kpemgbqf.exe 1340 Kpemgbqf.exe 2288 Kcahhq32.exe 2288 Kcahhq32.exe 1956 Kbcicmpj.exe 1956 Kbcicmpj.exe 1344 Kinaqg32.exe 1344 Kinaqg32.exe 944 Kphimanc.exe 944 Kphimanc.exe 1268 Kbfeimng.exe 1268 Kbfeimng.exe 1032 Kipnfged.exe 1032 Kipnfged.exe 1628 Klnjbbdh.exe 1628 Klnjbbdh.exe 2000 Kakbjibo.exe 2000 Kakbjibo.exe 2628 Kibjkgca.exe 2628 Kibjkgca.exe 2672 Koocdnai.exe 2672 Koocdnai.exe 2664 Kbkodl32.exe 2664 Kbkodl32.exe 2612 Kdlkld32.exe 2612 Kdlkld32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Flgeqgog.exe Fiihdlpc.exe File opened for modification C:\Windows\SysWOW64\Ngdifkpi.exe Mpjqiq32.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qbbfopeg.exe File created C:\Windows\SysWOW64\Dmgdhd32.dll Kipnfged.exe File created C:\Windows\SysWOW64\Kqdoodim.dll Mnieom32.exe File opened for modification C:\Windows\SysWOW64\Jiakjb32.exe Jfcnngnd.exe File created C:\Windows\SysWOW64\Qfjnod32.dll Cddaphkn.exe File created C:\Windows\SysWOW64\Ecfmdf32.dll Mbmjah32.exe File opened for modification C:\Windows\SysWOW64\Nkbalifo.exe Ngfflj32.exe File created C:\Windows\SysWOW64\Cfecjakk.dll Lbfahp32.exe File created C:\Windows\SysWOW64\Nkmbgdfl.exe Nhnfkigh.exe File opened for modification C:\Windows\SysWOW64\Nkmbgdfl.exe Nhnfkigh.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cbnbobin.exe File opened for modification C:\Windows\SysWOW64\Gldkfl32.exe Gejcjbah.exe File created C:\Windows\SysWOW64\Amclfbco.dll Lipjejgp.exe File opened for modification C:\Windows\SysWOW64\Plahag32.exe Piblek32.exe File created C:\Windows\SysWOW64\Ffakeiib.dll Bcaomf32.exe File created C:\Windows\SysWOW64\Olndbg32.dll Faagpp32.exe File created C:\Windows\SysWOW64\Ciiqqh32.dll Jgqemakf.exe File opened for modification C:\Windows\SysWOW64\Jjjacf32.exe Icpigm32.exe File created C:\Windows\SysWOW64\Aabagnfc.dll Ekelld32.exe File created C:\Windows\SysWOW64\Ndbcpd32.exe Nacgdhlp.exe File opened for modification C:\Windows\SysWOW64\Fnhnbb32.exe Fhneehek.exe File created C:\Windows\SysWOW64\Fnkjhb32.exe Fhqbkhch.exe File opened for modification C:\Windows\SysWOW64\Ofbfdmeb.exe Nohnhc32.exe File created C:\Windows\SysWOW64\Jonplmcb.exe Jicgpb32.exe File created C:\Windows\SysWOW64\Mhdplq32.exe Lefdpe32.exe File created C:\Windows\SysWOW64\Lhajpc32.dll Mmihhelk.exe File opened for modification C:\Windows\SysWOW64\Npojdpef.exe Nlcnda32.exe File created C:\Windows\SysWOW64\Ajbdna32.exe Ahchbf32.exe File opened for modification C:\Windows\SysWOW64\Doobajme.exe Dmafennb.exe File created C:\Windows\SysWOW64\Khejeajg.dll Hnagjbdf.exe File opened for modification C:\Windows\SysWOW64\Cjdfmo32.exe Cgejac32.exe File created C:\Windows\SysWOW64\Fmmkcoap.exe Fnkjhb32.exe File created C:\Windows\SysWOW64\Hhmkol32.dll Fmmkcoap.exe File created C:\Windows\SysWOW64\Jhcbom32.dll Nlgefh32.exe File opened for modification C:\Windows\SysWOW64\Pfiidobe.exe Pnbacbac.exe File created C:\Windows\SysWOW64\Mgqcmlgl.exe Mpfkqb32.exe File created C:\Windows\SysWOW64\Djhphncm.exe Ccngld32.exe File created C:\Windows\SysWOW64\Kiqpop32.exe Keednado.exe File opened for modification C:\Windows\SysWOW64\Ddagfm32.exe Dbbkja32.exe File created C:\Windows\SysWOW64\Ichico32.exe Iolmbpfe.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Limfed32.exe File created C:\Windows\SysWOW64\Ogblbo32.exe Oddpfc32.exe File created C:\Windows\SysWOW64\Ndkakief.dll Efncicpm.exe File created C:\Windows\SysWOW64\Ghgobd32.dll Loapim32.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Djpmccqq.exe File opened for modification C:\Windows\SysWOW64\Iqimgc32.exe Ijoeji32.exe File created C:\Windows\SysWOW64\Iknqdmpf.dll Idhopq32.exe File created C:\Windows\SysWOW64\Pbefefec.dll Kilfcpqm.exe File created C:\Windows\SysWOW64\Oagcgibo.dll Gmdadnkh.exe File created C:\Windows\SysWOW64\Oqqapjnk.exe Onbddoog.exe File opened for modification C:\Windows\SysWOW64\Cfgaiaci.exe Comimg32.exe File created C:\Windows\SysWOW64\Eihfjo32.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Fmcoja32.exe Flabbihl.exe File created C:\Windows\SysWOW64\Chfpgj32.dll Ombapedi.exe File created C:\Windows\SysWOW64\Ganpomec.exe Gmbdnn32.exe File created C:\Windows\SysWOW64\Fcjpocnf.dll Gbomfe32.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lihmjejl.exe File opened for modification C:\Windows\SysWOW64\Pnlqnl32.exe Pkndaa32.exe File opened for modification C:\Windows\SysWOW64\Fbamma32.exe Fnfamcoj.exe File created C:\Windows\SysWOW64\Fnhnbb32.exe Fhneehek.exe File created C:\Windows\SysWOW64\Agmceh32.dll Kfpgmdog.exe File created C:\Windows\SysWOW64\Haobqm32.dll Mohbip32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hggomh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Figlolbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmdobgi.dll" Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbaoqk32.dll" Iblpjdpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iimjmbae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjcplpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjoho32.dll" Jancafna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmabnaj.dll" Pcnbablo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbcicmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgalqkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfegi32.dll" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iclcnnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpeliikc.dll" Apcfahio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loapim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbbidem.dll" Ndkmpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgpdbgm.dll" Nhlifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdchio32.dll" Maoajf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpfojmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmolnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcfqoam.dll" Jhljdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjcmbe.dll" Jnicmdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelkpj32.dll" Jqilooij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfmdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqdoodim.dll" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll" Dchali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlblkhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmmiij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll" Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcefji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihebmne.dll" Ichico32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfecjakk.dll" Lbfahp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll" Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjbpgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kincipnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbcicmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdlkld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncancbha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pchpbded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqapllgh.dll" Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfiidobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" Ebgacddo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2660 2188 3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe 28 PID 2188 wrote to memory of 2660 2188 3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe 28 PID 2188 wrote to memory of 2660 2188 3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe 28 PID 2188 wrote to memory of 2660 2188 3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe 28 PID 2660 wrote to memory of 1996 2660 Ijoeji32.exe 29 PID 2660 wrote to memory of 1996 2660 Ijoeji32.exe 29 PID 2660 wrote to memory of 1996 2660 Ijoeji32.exe 29 PID 2660 wrote to memory of 1996 2660 Ijoeji32.exe 29 PID 1996 wrote to memory of 2588 1996 Iqimgc32.exe 30 PID 1996 wrote to memory of 2588 1996 Iqimgc32.exe 30 PID 1996 wrote to memory of 2588 1996 Iqimgc32.exe 30 PID 1996 wrote to memory of 2588 1996 Iqimgc32.exe 30 PID 2588 wrote to memory of 2724 2588 Iqimgc32.exe 31 PID 2588 wrote to memory of 2724 2588 Iqimgc32.exe 31 PID 2588 wrote to memory of 2724 2588 Iqimgc32.exe 31 PID 2588 wrote to memory of 2724 2588 Iqimgc32.exe 31 PID 2724 wrote to memory of 3028 2724 Iolmbpfe.exe 32 PID 2724 wrote to memory of 3028 2724 Iolmbpfe.exe 32 PID 2724 wrote to memory of 3028 2724 Iolmbpfe.exe 32 PID 2724 wrote to memory of 3028 2724 Iolmbpfe.exe 32 PID 3028 wrote to memory of 2616 3028 Ichico32.exe 33 PID 3028 wrote to memory of 2616 3028 Ichico32.exe 33 PID 3028 wrote to memory of 2616 3028 Ichico32.exe 33 PID 3028 wrote to memory of 2616 3028 Ichico32.exe 33 PID 2616 wrote to memory of 2512 2616 Iclcnnji.exe 34 PID 2616 wrote to memory of 2512 2616 Iclcnnji.exe 34 PID 2616 wrote to memory of 2512 2616 Iclcnnji.exe 34 PID 2616 wrote to memory of 2512 2616 Iclcnnji.exe 34 PID 2512 wrote to memory of 2312 2512 Ifkojiim.exe 35 PID 2512 wrote to memory of 2312 2512 Ifkojiim.exe 35 PID 2512 wrote to memory of 2312 2512 Ifkojiim.exe 35 PID 2512 wrote to memory of 2312 2512 Ifkojiim.exe 35 PID 2312 wrote to memory of 1408 2312 Iiikfehq.exe 36 PID 2312 wrote to memory of 1408 2312 Iiikfehq.exe 36 PID 2312 wrote to memory of 1408 2312 Iiikfehq.exe 36 PID 2312 wrote to memory of 1408 2312 Iiikfehq.exe 36 PID 1408 wrote to memory of 2808 1408 Jinead32.exe 37 PID 1408 wrote to memory of 2808 1408 Jinead32.exe 37 PID 1408 wrote to memory of 2808 1408 Jinead32.exe 37 PID 1408 wrote to memory of 2808 1408 Jinead32.exe 37 PID 2808 wrote to memory of 2152 2808 Jgqemakf.exe 38 PID 2808 wrote to memory of 2152 2808 Jgqemakf.exe 38 PID 2808 wrote to memory of 2152 2808 Jgqemakf.exe 38 PID 2808 wrote to memory of 2152 2808 Jgqemakf.exe 38 PID 2152 wrote to memory of 1692 2152 Jnkmjk32.exe 39 PID 2152 wrote to memory of 1692 2152 Jnkmjk32.exe 39 PID 2152 wrote to memory of 1692 2152 Jnkmjk32.exe 39 PID 2152 wrote to memory of 1692 2152 Jnkmjk32.exe 39 PID 1692 wrote to memory of 1892 1692 Jaiiff32.exe 40 PID 1692 wrote to memory of 1892 1692 Jaiiff32.exe 40 PID 1692 wrote to memory of 1892 1692 Jaiiff32.exe 40 PID 1692 wrote to memory of 1892 1692 Jaiiff32.exe 40 PID 1892 wrote to memory of 1372 1892 Jgenhp32.exe 41 PID 1892 wrote to memory of 1372 1892 Jgenhp32.exe 41 PID 1892 wrote to memory of 1372 1892 Jgenhp32.exe 41 PID 1892 wrote to memory of 1372 1892 Jgenhp32.exe 41 PID 1372 wrote to memory of 2220 1372 Jjdkdl32.exe 42 PID 1372 wrote to memory of 2220 1372 Jjdkdl32.exe 42 PID 1372 wrote to memory of 2220 1372 Jjdkdl32.exe 42 PID 1372 wrote to memory of 2220 1372 Jjdkdl32.exe 42 PID 2220 wrote to memory of 2176 2220 Jmbgpg32.exe 43 PID 2220 wrote to memory of 2176 2220 Jmbgpg32.exe 43 PID 2220 wrote to memory of 2176 2220 Jmbgpg32.exe 43 PID 2220 wrote to memory of 2176 2220 Jmbgpg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3a60aece02c0164f49d442a2002733cf4610ad0ba6669e7a0b583593ed51708a_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:944 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe34⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe36⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe37⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe38⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe39⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe40⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe43⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe44⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe45⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe46⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe47⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe48⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe49⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe50⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe52⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe53⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe54⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe55⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe56⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe57⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe58⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe59⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe60⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe61⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe62⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe64⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe65⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe66⤵PID:2180
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe67⤵PID:2200
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe68⤵
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe69⤵PID:1592
-
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe70⤵PID:2268
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe71⤵PID:2676
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe73⤵PID:2680
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe75⤵PID:2552
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe76⤵PID:2944
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe77⤵PID:268
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe78⤵PID:1744
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe79⤵PID:844
-
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe80⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe81⤵PID:2844
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe82⤵PID:2712
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe83⤵PID:2496
-
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe84⤵PID:2568
-
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe85⤵PID:2336
-
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe86⤵PID:1556
-
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe87⤵PID:1836
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe88⤵PID:2636
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe89⤵PID:1764
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe90⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe91⤵
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe92⤵
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe94⤵PID:2456
-
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe95⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe96⤵PID:664
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe97⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe98⤵PID:2260
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe99⤵PID:2084
-
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe100⤵PID:2788
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe101⤵PID:532
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe102⤵PID:1248
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe104⤵PID:2100
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe105⤵PID:1968
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe106⤵PID:304
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe107⤵PID:1288
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe108⤵PID:2780
-
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe109⤵PID:3020
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe110⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe111⤵PID:1516
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2812 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe113⤵PID:792
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe114⤵PID:2104
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe115⤵PID:2384
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe116⤵PID:1636
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe117⤵PID:540
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe118⤵PID:1776
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe119⤵PID:2028
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe120⤵PID:2856
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe121⤵PID:1492
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-