Analysis
-
max time kernel
146s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 22:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe
-
Size
64KB
-
MD5
a417c7af588aead3e6a8bdff016fee00
-
SHA1
801c6ef0a4d40e00fe5611075e9fc75b1cfe63ea
-
SHA256
2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10
-
SHA512
0d74a8b793bc9c9e73130e4eee96f2432467e8cb5b63ac2a0017afe38af610554ae18faa78dbbaa59e2d5c4f8ba411c58078cc678783ddd471b4672329eb4e9a
-
SSDEEP
768:Bn2XUi8rJ7AqNHB2a8bFBhteBEdF2cvWptnIAvp1pwfRp/1H5N6XJ1IwEGp9Thfe:12XUiYJ7/2DDtCtIARoJjGXUwXfzwv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnilobkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfflm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhphncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpigfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbhnhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhnfkigh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgpappk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnopfoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obojhlbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnqphi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbhabjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noqamn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcnfjli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqfffqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnqqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkcojga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikddbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaled32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebbgid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknnbklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjhknm32.exe -
Executes dropped EXE 64 IoCs
pid Process 2156 Mcmhiojk.exe 2712 Mhjpaf32.exe 2724 Mcodno32.exe 2732 Mlgigdoh.exe 2740 Mepnpj32.exe 2644 Mohbip32.exe 1912 Mdejaf32.exe 2300 Mkobnqan.exe 2524 Nplkfgoe.exe 1596 Ngfcca32.exe 904 Npnhlg32.exe 1700 Njgldmdc.exe 1500 Nfmmin32.exe 2216 Nlgefh32.exe 1080 Nfpjomgd.exe 2552 Nhnfkigh.exe 1016 Nccjhafn.exe 2308 Ohqbqhde.exe 1460 Oojknblb.exe 2348 Onmkio32.exe 1760 Oicpfh32.exe 2324 Oomhcbjp.exe 576 Obkdonic.exe 820 Okchhc32.exe 1176 Onbddoog.exe 1756 Oelmai32.exe 2416 Omgaek32.exe 2440 Oqcnfjli.exe 2720 Ojkboo32.exe 2764 Pphjgfqq.exe 2576 Pmlkpjpj.exe 2592 Paggai32.exe 2580 Pcfcmd32.exe 2628 Piblek32.exe 2544 Pfflopdh.exe 2072 Peiljl32.exe 2800 Pnbacbac.exe 2752 Pelipl32.exe 2784 Phjelg32.exe 2960 Plfamfpm.exe 1608 Pabjem32.exe 1772 Qlhnbf32.exe 2908 Qaefjm32.exe 1892 Qdccfh32.exe 756 Qecoqk32.exe 1744 Ankdiqih.exe 1416 Aajpelhl.exe 2032 Affhncfc.exe 1628 Aiedjneg.exe 1988 Adjigg32.exe 2984 Afiecb32.exe 2172 Aigaon32.exe 2380 Ambmpmln.exe 2780 Apajlhka.exe 2872 Admemg32.exe 2864 Afkbib32.exe 2616 Aiinen32.exe 2104 Ailkjmpo.exe 2444 Ahokfj32.exe 2668 Bpfcgg32.exe 1660 Boiccdnf.exe 2192 Bagpopmj.exe 1676 Bagpopmj.exe 932 Bingpmnl.exe -
Loads dropped DLL 64 IoCs
pid Process 2360 2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe 2360 2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe 2156 Mcmhiojk.exe 2156 Mcmhiojk.exe 2712 Mhjpaf32.exe 2712 Mhjpaf32.exe 2724 Mcodno32.exe 2724 Mcodno32.exe 2732 Mlgigdoh.exe 2732 Mlgigdoh.exe 2740 Mepnpj32.exe 2740 Mepnpj32.exe 2644 Mohbip32.exe 2644 Mohbip32.exe 1912 Mdejaf32.exe 1912 Mdejaf32.exe 2300 Mkobnqan.exe 2300 Mkobnqan.exe 2524 Nplkfgoe.exe 2524 Nplkfgoe.exe 1596 Ngfcca32.exe 1596 Ngfcca32.exe 904 Npnhlg32.exe 904 Npnhlg32.exe 1700 Njgldmdc.exe 1700 Njgldmdc.exe 1500 Nfmmin32.exe 1500 Nfmmin32.exe 2216 Nlgefh32.exe 2216 Nlgefh32.exe 1080 Nfpjomgd.exe 1080 Nfpjomgd.exe 2552 Nhnfkigh.exe 2552 Nhnfkigh.exe 1016 Nccjhafn.exe 1016 Nccjhafn.exe 2308 Ohqbqhde.exe 2308 Ohqbqhde.exe 1460 Oojknblb.exe 1460 Oojknblb.exe 2348 Onmkio32.exe 2348 Onmkio32.exe 1760 Oicpfh32.exe 1760 Oicpfh32.exe 2324 Oomhcbjp.exe 2324 Oomhcbjp.exe 576 Obkdonic.exe 576 Obkdonic.exe 820 Okchhc32.exe 820 Okchhc32.exe 1176 Onbddoog.exe 1176 Onbddoog.exe 1756 Oelmai32.exe 1756 Oelmai32.exe 2416 Omgaek32.exe 2416 Omgaek32.exe 2440 Oqcnfjli.exe 2440 Oqcnfjli.exe 2720 Ojkboo32.exe 2720 Ojkboo32.exe 2764 Pphjgfqq.exe 2764 Pphjgfqq.exe 2576 Pmlkpjpj.exe 2576 Pmlkpjpj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ohqbqhde.exe Nccjhafn.exe File created C:\Windows\SysWOW64\Emeopn32.exe Eflgccbp.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fejgko32.exe File created C:\Windows\SysWOW64\Ojhcelga.dll Henidd32.exe File created C:\Windows\SysWOW64\Ikddbj32.exe Iqopea32.exe File created C:\Windows\SysWOW64\Cadhnmnm.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Pmddhkao.dll Bagpopmj.exe File created C:\Windows\SysWOW64\Ccfhhffh.exe Cphlljge.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Fmcoja32.exe File created C:\Windows\SysWOW64\Kihqkagp.exe Jbnhng32.exe File created C:\Windows\SysWOW64\Fkckeh32.exe Fjaonpnn.exe File opened for modification C:\Windows\SysWOW64\Henidd32.exe Hcplhi32.exe File opened for modification C:\Windows\SysWOW64\Bfcampgf.exe Bpiipf32.exe File created C:\Windows\SysWOW64\Nglfapnl.exe Ndmjedoi.exe File opened for modification C:\Windows\SysWOW64\Omgaek32.exe Oelmai32.exe File opened for modification C:\Windows\SysWOW64\Pabjem32.exe Plfamfpm.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Beehencq.exe File created C:\Windows\SysWOW64\Ckdjbh32.exe Cjbmjplb.exe File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe Dqjepm32.exe File created C:\Windows\SysWOW64\Gogangdc.exe Ggpimica.exe File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe Hgilchkf.exe File created C:\Windows\SysWOW64\Qlkdkd32.exe Qimhoi32.exe File created C:\Windows\SysWOW64\Mdkmeh32.dll Ifcbodli.exe File created C:\Windows\SysWOW64\Naajoinb.exe Nocnbmoo.exe File created C:\Windows\SysWOW64\Pggbla32.exe Peiepfgg.exe File created C:\Windows\SysWOW64\Gellaqbd.dll Cohigamf.exe File created C:\Windows\SysWOW64\Imehcohk.dll Emieil32.exe File created C:\Windows\SysWOW64\Cmmhnnlm.dll Oqcnfjli.exe File opened for modification C:\Windows\SysWOW64\Jokcgmee.exe Jmmfkafa.exe File opened for modification C:\Windows\SysWOW64\Jejhecaj.exe Jnqphi32.exe File opened for modification C:\Windows\SysWOW64\Monhhk32.exe Mggpgmof.exe File opened for modification C:\Windows\SysWOW64\Afohaa32.exe Adpkee32.exe File created C:\Windows\SysWOW64\Dhhlgc32.dll Egjpkffe.exe File created C:\Windows\SysWOW64\Boiccdnf.exe Bpfcgg32.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Gffoia32.dll Jehkodcm.exe File created C:\Windows\SysWOW64\Loeebl32.exe Llfifq32.exe File created C:\Windows\SysWOW64\Alnqqd32.exe Aipddi32.exe File created C:\Windows\SysWOW64\Dkcofe32.exe Ddigjkid.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Ddigjkid.exe File created C:\Windows\SysWOW64\Aiinen32.exe Afkbib32.exe File created C:\Windows\SysWOW64\Ehkdaf32.dll Pogclp32.exe File created C:\Windows\SysWOW64\Cddaphkn.exe Ceaadk32.exe File created C:\Windows\SysWOW64\Dhbfdjdp.exe Dbhnhp32.exe File opened for modification C:\Windows\SysWOW64\Fkckeh32.exe Fjaonpnn.exe File created C:\Windows\SysWOW64\Ebpkce32.exe Epaogi32.exe File created C:\Windows\SysWOW64\Gacpdbej.exe Gkihhhnm.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Odobjg32.exe File created C:\Windows\SysWOW64\Knhfdmdo.dll Afohaa32.exe File opened for modification C:\Windows\SysWOW64\Gogangdc.exe Ggpimica.exe File created C:\Windows\SysWOW64\Odpegjpg.dll Hgdbhi32.exe File created C:\Windows\SysWOW64\Ebbgbdkh.dll Ombapedi.exe File created C:\Windows\SysWOW64\Dndlim32.exe Djhphncm.exe File opened for modification C:\Windows\SysWOW64\Lefdpe32.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Mhbped32.exe Meccii32.exe File opened for modification C:\Windows\SysWOW64\Ncgdbmmp.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Kpbbidem.dll Ndkmpe32.exe File created C:\Windows\SysWOW64\Egahmk32.dll Okikfagn.exe File opened for modification C:\Windows\SysWOW64\Pbhmnkjf.exe Pkndaa32.exe File created C:\Windows\SysWOW64\Dodonf32.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Ebbgid32.exe Emeopn32.exe File created C:\Windows\SysWOW64\Dcmfoi32.dll Jnqphi32.exe File opened for modification C:\Windows\SysWOW64\Lckdanld.exe Kmaled32.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Aibajhdn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4584 4492 WerFault.exe 426 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goedqe32.dll" Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmddnil.dll" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhegaocb.dll" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlgigdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minceo32.dll" Lbeknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afohaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onbddoog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alegac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnkpm32.dll" Mggpgmof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagbb32.dll" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jddnncch.dll" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgeceh32.dll" Ckdjbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfekcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lckdanld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcabmga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcbaa32.dll" Dqelenlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akodpalp.dll" Kgpjanje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbeknj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgkkllh.dll" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhkqaj.dll" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebbgid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdchio32.dll" Maoajf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngohf32.dll" Aiedjneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npfgpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmdlhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndbcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iokfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmcaafi.dll" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplpldoa.dll" Bbjbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklnnaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodonf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdidec32.dll" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afiecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepgqikf.dll" Iokfhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joplbl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 2156 2360 2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe 28 PID 2360 wrote to memory of 2156 2360 2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe 28 PID 2360 wrote to memory of 2156 2360 2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe 28 PID 2360 wrote to memory of 2156 2360 2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe 28 PID 2156 wrote to memory of 2712 2156 Mcmhiojk.exe 29 PID 2156 wrote to memory of 2712 2156 Mcmhiojk.exe 29 PID 2156 wrote to memory of 2712 2156 Mcmhiojk.exe 29 PID 2156 wrote to memory of 2712 2156 Mcmhiojk.exe 29 PID 2712 wrote to memory of 2724 2712 Mhjpaf32.exe 30 PID 2712 wrote to memory of 2724 2712 Mhjpaf32.exe 30 PID 2712 wrote to memory of 2724 2712 Mhjpaf32.exe 30 PID 2712 wrote to memory of 2724 2712 Mhjpaf32.exe 30 PID 2724 wrote to memory of 2732 2724 Mcodno32.exe 31 PID 2724 wrote to memory of 2732 2724 Mcodno32.exe 31 PID 2724 wrote to memory of 2732 2724 Mcodno32.exe 31 PID 2724 wrote to memory of 2732 2724 Mcodno32.exe 31 PID 2732 wrote to memory of 2740 2732 Mlgigdoh.exe 32 PID 2732 wrote to memory of 2740 2732 Mlgigdoh.exe 32 PID 2732 wrote to memory of 2740 2732 Mlgigdoh.exe 32 PID 2732 wrote to memory of 2740 2732 Mlgigdoh.exe 32 PID 2740 wrote to memory of 2644 2740 Mepnpj32.exe 33 PID 2740 wrote to memory of 2644 2740 Mepnpj32.exe 33 PID 2740 wrote to memory of 2644 2740 Mepnpj32.exe 33 PID 2740 wrote to memory of 2644 2740 Mepnpj32.exe 33 PID 2644 wrote to memory of 1912 2644 Mohbip32.exe 34 PID 2644 wrote to memory of 1912 2644 Mohbip32.exe 34 PID 2644 wrote to memory of 1912 2644 Mohbip32.exe 34 PID 2644 wrote to memory of 1912 2644 Mohbip32.exe 34 PID 1912 wrote to memory of 2300 1912 Mdejaf32.exe 35 PID 1912 wrote to memory of 2300 1912 Mdejaf32.exe 35 PID 1912 wrote to memory of 2300 1912 Mdejaf32.exe 35 PID 1912 wrote to memory of 2300 1912 Mdejaf32.exe 35 PID 2300 wrote to memory of 2524 2300 Mkobnqan.exe 36 PID 2300 wrote to memory of 2524 2300 Mkobnqan.exe 36 PID 2300 wrote to memory of 2524 2300 Mkobnqan.exe 36 PID 2300 wrote to memory of 2524 2300 Mkobnqan.exe 36 PID 2524 wrote to memory of 1596 2524 Nplkfgoe.exe 37 PID 2524 wrote to memory of 1596 2524 Nplkfgoe.exe 37 PID 2524 wrote to memory of 1596 2524 Nplkfgoe.exe 37 PID 2524 wrote to memory of 1596 2524 Nplkfgoe.exe 37 PID 1596 wrote to memory of 904 1596 Ngfcca32.exe 38 PID 1596 wrote to memory of 904 1596 Ngfcca32.exe 38 PID 1596 wrote to memory of 904 1596 Ngfcca32.exe 38 PID 1596 wrote to memory of 904 1596 Ngfcca32.exe 38 PID 904 wrote to memory of 1700 904 Npnhlg32.exe 39 PID 904 wrote to memory of 1700 904 Npnhlg32.exe 39 PID 904 wrote to memory of 1700 904 Npnhlg32.exe 39 PID 904 wrote to memory of 1700 904 Npnhlg32.exe 39 PID 1700 wrote to memory of 1500 1700 Njgldmdc.exe 40 PID 1700 wrote to memory of 1500 1700 Njgldmdc.exe 40 PID 1700 wrote to memory of 1500 1700 Njgldmdc.exe 40 PID 1700 wrote to memory of 1500 1700 Njgldmdc.exe 40 PID 1500 wrote to memory of 2216 1500 Nfmmin32.exe 41 PID 1500 wrote to memory of 2216 1500 Nfmmin32.exe 41 PID 1500 wrote to memory of 2216 1500 Nfmmin32.exe 41 PID 1500 wrote to memory of 2216 1500 Nfmmin32.exe 41 PID 2216 wrote to memory of 1080 2216 Nlgefh32.exe 42 PID 2216 wrote to memory of 1080 2216 Nlgefh32.exe 42 PID 2216 wrote to memory of 1080 2216 Nlgefh32.exe 42 PID 2216 wrote to memory of 1080 2216 Nlgefh32.exe 42 PID 1080 wrote to memory of 2552 1080 Nfpjomgd.exe 43 PID 1080 wrote to memory of 2552 1080 Nfpjomgd.exe 43 PID 1080 wrote to memory of 2552 1080 Nfpjomgd.exe 43 PID 1080 wrote to memory of 2552 1080 Nfpjomgd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2a7e3022d8d9132dfac8f873843867159c9ba7353399fc70e4745699fe886e10_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe33⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe34⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe35⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe36⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe37⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe38⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe39⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe40⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe43⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe44⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe45⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe46⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe47⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe48⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe49⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe51⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe53⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe54⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe55⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe56⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe58⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe59⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe60⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe62⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe63⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe65⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe66⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe67⤵PID:2396
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe68⤵PID:532
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe69⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe70⤵PID:860
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe71⤵PID:1504
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe72⤵PID:1252
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe73⤵PID:2496
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe74⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe75⤵PID:2100
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe76⤵PID:2204
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe77⤵PID:2860
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe78⤵PID:1092
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe79⤵PID:2288
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe80⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe81⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe82⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe83⤵PID:1876
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe84⤵PID:1168
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe85⤵
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe86⤵
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:700 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe88⤵PID:840
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe89⤵PID:1548
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe90⤵PID:2760
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe92⤵PID:2564
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe93⤵PID:2692
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe94⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe95⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe96⤵PID:396
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:388 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe100⤵
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe101⤵PID:2384
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe102⤵PID:2500
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe103⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe104⤵
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe105⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe106⤵PID:2844
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe108⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe109⤵PID:2312
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe110⤵PID:1748
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe111⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe112⤵PID:2548
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe113⤵PID:768
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe114⤵
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe115⤵PID:2392
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe116⤵PID:2160
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe117⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe118⤵PID:1420
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe119⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe120⤵
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1224
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-