Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
25/06/2024, 15:30
Static task
static1
Behavioral task
behavioral1
Sample
716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe
-
Size
80KB
-
MD5
2a3f78b862e171ae80f99186292a30e0
-
SHA1
2abebc92a386f25750600c372dceb9ddc8a58c7e
-
SHA256
716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e
-
SHA512
bbcdf2185792e99dc1a2705b61fe86d1b25b9a1fd97be9072f95660babeec3844d134f16a28733c00fc054b04b3aa30469400c460ac09bf6ee2d76383410df36
-
SSDEEP
1536:Bj6Tmqk3KREGjLendzzOHJTgkAZtvTzQDCVj2LAJ9VqDlzVxyh+CbxMa:ByJ8O6NvwDrAJ9IDlRxyhTb7
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loapim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnhfjmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbkpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inljnfkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heihnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdlhchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknekeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homclekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbhgojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfamcogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklpekno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkpbcjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obigjnkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaqmeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbalifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fglipi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdifkpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdqmghm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgejac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljgfioc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgjefg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdqbekcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpgfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebmgcohn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Effcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofelmloo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkommo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlnif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbdjhmp.exe -
Executes dropped EXE 64 IoCs
pid Process 268 Keikqhhe.exe 2788 Lkfciogm.exe 2636 Loapim32.exe 2884 Lfmdnp32.exe 2664 Lpeifeca.exe 2568 Lhlqhb32.exe 2480 Ladeqhjd.exe 3036 Ldcamcih.exe 2060 Lipjejgp.exe 1960 Llnfaffc.exe 2512 Lefkjkmc.exe 1656 Lmnbkinf.exe 1564 Loooca32.exe 1772 Mgfgdn32.exe 2504 Mhgclfje.exe 2108 Mpolmdkg.exe 1052 Moalhq32.exe 572 Mcmhiojk.exe 1992 Mlelaeqk.exe 880 Mkhmma32.exe 2264 Mdqafgnf.exe 1800 Mlgigdoh.exe 1704 Mdcnlglc.exe 2232 Mhnjle32.exe 852 Mdejaf32.exe 1816 Mgcgmb32.exe 2872 Njbcim32.exe 2712 Nplkfgoe.exe 2632 Ndgggf32.exe 2276 Njdpomfe.exe 1848 Ncmdhb32.exe 2820 Njgldmdc.exe 2992 Njiijlbp.exe 2080 Nlgefh32.exe 2284 Njkfpl32.exe 1916 Nhnfkigh.exe 892 Ofbfdmeb.exe 2492 Odegpj32.exe 2956 Ohqbqhde.exe 2084 Obigjnkf.exe 2908 Ofdcjm32.exe 2100 Oomhcbjp.exe 1216 Obkdonic.exe 1480 Ojficpfn.exe 2296 Obnqem32.exe 2452 Ocomlemo.exe 1368 Ogjimd32.exe 692 Ojieip32.exe 2880 Omgaek32.exe 2332 Ocajbekl.exe 2448 Ofpfnqjp.exe 2808 Ojkboo32.exe 2780 Pminkk32.exe 2684 Pphjgfqq.exe 1868 Pgobhcac.exe 2604 Pfbccp32.exe 2984 Pjmodopf.exe 1444 Pipopl32.exe 2344 Pmlkpjpj.exe 1552 Ppjglfon.exe 2732 Pbiciana.exe 548 Pjpkjond.exe 1624 Pjpkjond.exe 1708 Pmnhfjmg.exe -
Loads dropped DLL 64 IoCs
pid Process 2440 716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe 2440 716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe 268 Keikqhhe.exe 268 Keikqhhe.exe 2788 Lkfciogm.exe 2788 Lkfciogm.exe 2636 Loapim32.exe 2636 Loapim32.exe 2884 Lfmdnp32.exe 2884 Lfmdnp32.exe 2664 Lpeifeca.exe 2664 Lpeifeca.exe 2568 Lhlqhb32.exe 2568 Lhlqhb32.exe 2480 Ladeqhjd.exe 2480 Ladeqhjd.exe 3036 Ldcamcih.exe 3036 Ldcamcih.exe 2060 Lipjejgp.exe 2060 Lipjejgp.exe 1960 Llnfaffc.exe 1960 Llnfaffc.exe 2512 Lefkjkmc.exe 2512 Lefkjkmc.exe 1656 Lmnbkinf.exe 1656 Lmnbkinf.exe 1564 Loooca32.exe 1564 Loooca32.exe 1772 Mgfgdn32.exe 1772 Mgfgdn32.exe 2504 Mhgclfje.exe 2504 Mhgclfje.exe 2108 Mpolmdkg.exe 2108 Mpolmdkg.exe 1052 Moalhq32.exe 1052 Moalhq32.exe 572 Mcmhiojk.exe 572 Mcmhiojk.exe 1992 Mlelaeqk.exe 1992 Mlelaeqk.exe 880 Mkhmma32.exe 880 Mkhmma32.exe 2264 Mdqafgnf.exe 2264 Mdqafgnf.exe 1800 Mlgigdoh.exe 1800 Mlgigdoh.exe 1704 Mdcnlglc.exe 1704 Mdcnlglc.exe 2232 Mhnjle32.exe 2232 Mhnjle32.exe 852 Mdejaf32.exe 852 Mdejaf32.exe 1816 Mgcgmb32.exe 1816 Mgcgmb32.exe 2872 Njbcim32.exe 2872 Njbcim32.exe 2712 Nplkfgoe.exe 2712 Nplkfgoe.exe 2632 Ndgggf32.exe 2632 Ndgggf32.exe 2276 Njdpomfe.exe 2276 Njdpomfe.exe 1848 Ncmdhb32.exe 1848 Ncmdhb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Obigjnkf.exe Ohqbqhde.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Dookgcij.exe File opened for modification C:\Windows\SysWOW64\Glgaok32.exe Giieco32.exe File created C:\Windows\SysWOW64\Ieidmbcc.exe Icjhagdp.exe File created C:\Windows\SysWOW64\Cfbhnaho.exe Cgpgce32.exe File opened for modification C:\Windows\SysWOW64\Kconkibf.exe Kqqboncb.exe File created C:\Windows\SysWOW64\Kfgdhjmk.exe Kcihlong.exe File opened for modification C:\Windows\SysWOW64\Ndkmpe32.exe Namqci32.exe File opened for modification C:\Windows\SysWOW64\Bpnbkeld.exe Bmpfojmp.exe File opened for modification C:\Windows\SysWOW64\Jchhkjhn.exe Jqilooij.exe File created C:\Windows\SysWOW64\Jhcfhi32.dll Legmbd32.exe File opened for modification C:\Windows\SysWOW64\Mmceigep.exe Mkeimlfm.exe File created C:\Windows\SysWOW64\Ohhkga32.dll Pbhmnkjf.exe File created C:\Windows\SysWOW64\Iohmol32.dll Fpngfgle.exe File created C:\Windows\SysWOW64\Lbfdaigg.exe Lccdel32.exe File created C:\Windows\SysWOW64\Nlgefh32.exe Njiijlbp.exe File created C:\Windows\SysWOW64\Klidkobf.dll Dgaqgh32.exe File opened for modification C:\Windows\SysWOW64\Glaoalkh.exe Gegfdb32.exe File opened for modification C:\Windows\SysWOW64\Fglipi32.exe Fiihdlpc.exe File created C:\Windows\SysWOW64\Jkmcfhkc.exe Jhngjmlo.exe File opened for modification C:\Windows\SysWOW64\Bhkdeggl.exe Biicik32.exe File created C:\Windows\SysWOW64\Lopekk32.dll Efppoc32.exe File opened for modification C:\Windows\SysWOW64\Egllae32.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Fbopgb32.exe Fpqdkf32.exe File created C:\Windows\SysWOW64\Iqapllgh.dll Gpqpjj32.exe File opened for modification C:\Windows\SysWOW64\Nckjkl32.exe Ndhipoob.exe File created C:\Windows\SysWOW64\Bnpmlfkm.dll Eecqjpee.exe File opened for modification C:\Windows\SysWOW64\Ijgdngmf.exe Igihbknb.exe File created C:\Windows\SysWOW64\Cqljpedj.dll Kkgmgmfd.exe File created C:\Windows\SysWOW64\Hkaglf32.exe Hhckpk32.exe File created C:\Windows\SysWOW64\Iecimppi.dll Ekklaj32.exe File opened for modification C:\Windows\SysWOW64\Hellne32.exe Hcnpbi32.exe File opened for modification C:\Windows\SysWOW64\Peiepfgg.exe Pamiog32.exe File opened for modification C:\Windows\SysWOW64\Aemkjiem.exe Amfcikek.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Bblogakg.exe File opened for modification C:\Windows\SysWOW64\Fnkjhb32.exe Fllnlg32.exe File opened for modification C:\Windows\SysWOW64\Illgimph.exe Inifnq32.exe File created C:\Windows\SysWOW64\Ecmkgokh.dll Hkkalk32.exe File created C:\Windows\SysWOW64\Ojchmpcd.dll Jcdbbloa.exe File created C:\Windows\SysWOW64\Jkpgfn32.exe Jiakjb32.exe File created C:\Windows\SysWOW64\Aibajhdn.exe Afcenm32.exe File created C:\Windows\SysWOW64\Okphjd32.dll Bifgdk32.exe File created C:\Windows\SysWOW64\Jmamaoln.dll Hpgfki32.exe File created C:\Windows\SysWOW64\Obojmk32.dll Hhehek32.exe File created C:\Windows\SysWOW64\Gfegkapd.dll Pchpbded.exe File opened for modification C:\Windows\SysWOW64\Begeknan.exe Bnpmipql.exe File created C:\Windows\SysWOW64\Lojomkdn.exe Llkbap32.exe File created C:\Windows\SysWOW64\Qiejdkkn.dll Obafnlpn.exe File created C:\Windows\SysWOW64\Kigbna32.dll Jnffgd32.exe File opened for modification C:\Windows\SysWOW64\Idhopq32.exe Iqmcpahh.exe File created C:\Windows\SysWOW64\Agjiphda.dll Bfenbpec.exe File created C:\Windows\SysWOW64\Ddigjkid.exe Dbkknojp.exe File created C:\Windows\SysWOW64\Agmceh32.dll Kebgia32.exe File created C:\Windows\SysWOW64\Oomkin32.dll Ppjglfon.exe File opened for modification C:\Windows\SysWOW64\Pijbfj32.exe Pabjem32.exe File created C:\Windows\SysWOW64\Idhopq32.exe Iqmcpahh.exe File opened for modification C:\Windows\SysWOW64\Jjlnif32.exe Jgnamk32.exe File created C:\Windows\SysWOW64\Gqncakcq.dll Lpdbloof.exe File opened for modification C:\Windows\SysWOW64\Nolhan32.exe Mlmlecec.exe File created C:\Windows\SysWOW64\Ibddljof.dll Lfdmggnm.exe File opened for modification C:\Windows\SysWOW64\Mapjmehi.exe Mbmjah32.exe File opened for modification C:\Windows\SysWOW64\Mgfgdn32.exe Loooca32.exe File created C:\Windows\SysWOW64\Mcmhiojk.exe Moalhq32.exe File created C:\Windows\SysWOW64\Najdnj32.exe Nolhan32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiejdkkn.dll" Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djihnh32.dll" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkdeggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moidahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" Gieojq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppiecpn.dll" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Gdamqndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndgggf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceaadk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpkjond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgojpjem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kklpekno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjgej32.dll" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkjlm32.dll" Nkbhgojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkommo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhqdcam.dll" Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilqpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgeaj32.dll" Pmnhfjmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfjqnjkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnomcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abmbhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll" Modkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkaglf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll" Dnilobkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcfqkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhfdmdo.dll" Afohaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhnaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apcfahio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmhnnlm.dll" Ofpfnqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aljgfioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodahd32.dll" Iccbqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keikqhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmoado32.dll" Incpoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaceodek.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2440 wrote to memory of 268 2440 716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe 28 PID 2440 wrote to memory of 268 2440 716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe 28 PID 2440 wrote to memory of 268 2440 716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe 28 PID 2440 wrote to memory of 268 2440 716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe 28 PID 268 wrote to memory of 2788 268 Keikqhhe.exe 29 PID 268 wrote to memory of 2788 268 Keikqhhe.exe 29 PID 268 wrote to memory of 2788 268 Keikqhhe.exe 29 PID 268 wrote to memory of 2788 268 Keikqhhe.exe 29 PID 2788 wrote to memory of 2636 2788 Lkfciogm.exe 30 PID 2788 wrote to memory of 2636 2788 Lkfciogm.exe 30 PID 2788 wrote to memory of 2636 2788 Lkfciogm.exe 30 PID 2788 wrote to memory of 2636 2788 Lkfciogm.exe 30 PID 2636 wrote to memory of 2884 2636 Loapim32.exe 31 PID 2636 wrote to memory of 2884 2636 Loapim32.exe 31 PID 2636 wrote to memory of 2884 2636 Loapim32.exe 31 PID 2636 wrote to memory of 2884 2636 Loapim32.exe 31 PID 2884 wrote to memory of 2664 2884 Lfmdnp32.exe 32 PID 2884 wrote to memory of 2664 2884 Lfmdnp32.exe 32 PID 2884 wrote to memory of 2664 2884 Lfmdnp32.exe 32 PID 2884 wrote to memory of 2664 2884 Lfmdnp32.exe 32 PID 2664 wrote to memory of 2568 2664 Lpeifeca.exe 33 PID 2664 wrote to memory of 2568 2664 Lpeifeca.exe 33 PID 2664 wrote to memory of 2568 2664 Lpeifeca.exe 33 PID 2664 wrote to memory of 2568 2664 Lpeifeca.exe 33 PID 2568 wrote to memory of 2480 2568 Lhlqhb32.exe 34 PID 2568 wrote to memory of 2480 2568 Lhlqhb32.exe 34 PID 2568 wrote to memory of 2480 2568 Lhlqhb32.exe 34 PID 2568 wrote to memory of 2480 2568 Lhlqhb32.exe 34 PID 2480 wrote to memory of 3036 2480 Ladeqhjd.exe 35 PID 2480 wrote to memory of 3036 2480 Ladeqhjd.exe 35 PID 2480 wrote to memory of 3036 2480 Ladeqhjd.exe 35 PID 2480 wrote to memory of 3036 2480 Ladeqhjd.exe 35 PID 3036 wrote to memory of 2060 3036 Ldcamcih.exe 36 PID 3036 wrote to memory of 2060 3036 Ldcamcih.exe 36 PID 3036 wrote to memory of 2060 3036 Ldcamcih.exe 36 PID 3036 wrote to memory of 2060 3036 Ldcamcih.exe 36 PID 2060 wrote to memory of 1960 2060 Lipjejgp.exe 37 PID 2060 wrote to memory of 1960 2060 Lipjejgp.exe 37 PID 2060 wrote to memory of 1960 2060 Lipjejgp.exe 37 PID 2060 wrote to memory of 1960 2060 Lipjejgp.exe 37 PID 1960 wrote to memory of 2512 1960 Llnfaffc.exe 38 PID 1960 wrote to memory of 2512 1960 Llnfaffc.exe 38 PID 1960 wrote to memory of 2512 1960 Llnfaffc.exe 38 PID 1960 wrote to memory of 2512 1960 Llnfaffc.exe 38 PID 2512 wrote to memory of 1656 2512 Lefkjkmc.exe 39 PID 2512 wrote to memory of 1656 2512 Lefkjkmc.exe 39 PID 2512 wrote to memory of 1656 2512 Lefkjkmc.exe 39 PID 2512 wrote to memory of 1656 2512 Lefkjkmc.exe 39 PID 1656 wrote to memory of 1564 1656 Lmnbkinf.exe 40 PID 1656 wrote to memory of 1564 1656 Lmnbkinf.exe 40 PID 1656 wrote to memory of 1564 1656 Lmnbkinf.exe 40 PID 1656 wrote to memory of 1564 1656 Lmnbkinf.exe 40 PID 1564 wrote to memory of 1772 1564 Loooca32.exe 41 PID 1564 wrote to memory of 1772 1564 Loooca32.exe 41 PID 1564 wrote to memory of 1772 1564 Loooca32.exe 41 PID 1564 wrote to memory of 1772 1564 Loooca32.exe 41 PID 1772 wrote to memory of 2504 1772 Mgfgdn32.exe 42 PID 1772 wrote to memory of 2504 1772 Mgfgdn32.exe 42 PID 1772 wrote to memory of 2504 1772 Mgfgdn32.exe 42 PID 1772 wrote to memory of 2504 1772 Mgfgdn32.exe 42 PID 2504 wrote to memory of 2108 2504 Mhgclfje.exe 43 PID 2504 wrote to memory of 2108 2504 Mhgclfje.exe 43 PID 2504 wrote to memory of 2108 2504 Mhgclfje.exe 43 PID 2504 wrote to memory of 2108 2504 Mhgclfje.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\716032d99841a2cbf9c5f161f2e9028e3891fd2b492fdc7ae5cffbea2c11894e_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe33⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe35⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe36⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe37⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe39⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe42⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe43⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe44⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe45⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe46⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe47⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe48⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe49⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe50⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe51⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe53⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe54⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe55⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe57⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe58⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe59⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe60⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe62⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe63⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe66⤵PID:576
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe67⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1076 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe69⤵PID:2384
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe70⤵
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe71⤵PID:1508
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe72⤵PID:2612
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe73⤵PID:2832
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe74⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe75⤵PID:2576
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe76⤵PID:2348
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe77⤵PID:856
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe78⤵PID:2824
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe79⤵
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe80⤵PID:316
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe81⤵PID:1180
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe82⤵PID:580
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe83⤵PID:2096
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe84⤵PID:2252
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe85⤵PID:1544
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe86⤵PID:1856
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe87⤵
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe88⤵PID:1156
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe89⤵PID:2800
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2288 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe91⤵PID:2804
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe92⤵PID:2600
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe93⤵PID:340
-
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe94⤵PID:1220
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe95⤵PID:2156
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe96⤵PID:1956
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe97⤵PID:2116
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe98⤵PID:2068
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe99⤵PID:1812
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe100⤵PID:1948
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe101⤵
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe102⤵PID:2748
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe103⤵PID:2244
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe104⤵PID:1048
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe105⤵PID:1252
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe106⤵PID:2764
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe107⤵PID:2572
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe108⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe109⤵PID:2848
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe110⤵PID:2616
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe112⤵PID:1728
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe113⤵PID:2852
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe114⤵PID:1832
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe115⤵PID:288
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe116⤵PID:2680
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe117⤵PID:2812
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe118⤵PID:1412
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:348 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe120⤵PID:1152
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe121⤵PID:1940
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe122⤵
- Modifies registry class
PID:828
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-