Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 02:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe
-
Size
64KB
-
MD5
6101beb6683a6e706325dafabe63b0e0
-
SHA1
593ed1113189a92e734bc4170ccc78b172604985
-
SHA256
52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1
-
SHA512
5c66e9f6c9791f7fc4c938106b564996f2e1cc9679bbfdaf3d285981fd085639701e05af05e79a1035c80ba926916ee03b3507341f694a96ef53c9382f4e0dc7
-
SSDEEP
1536:clf3c3KX7uk+LlTVH8kkopQXXhcxT+l2LxrDWBi:0fMDRBVHaWlzx2Bi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciifc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkihhhnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apimacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdklf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odobjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gffoldhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gebbnpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaqmeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfdkoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlnif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgidao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leimip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfcmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncdgcqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmkio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjgkjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe -
Executes dropped EXE 64 IoCs
pid Process 1912 Mcjkcplm.exe 2900 Mlcple32.exe 2688 Mekdekin.exe 2752 Mkhmma32.exe 2672 Menakj32.exe 2572 Mkjica32.exe 2080 Mdcnlglc.exe 2952 Mnkbdlbd.exe 1248 Mhqfbebj.exe 316 Nnnojlpa.exe 816 Ngfcca32.exe 2872 Njdpomfe.exe 1580 Ncmdhb32.exe 2248 Nleiqhcg.exe 1424 Ngkmnacm.exe 684 Nqcagfim.exe 636 Nfpjomgd.exe 556 Njkfpl32.exe 1264 Nhnfkigh.exe 1524 Odegpj32.exe 1576 Onmkio32.exe 1616 Obigjnkf.exe 1640 Ofdcjm32.exe 2624 Onphoo32.exe 1152 Ojficpfn.exe 2856 Ocomlemo.exe 2740 Ogjimd32.exe 2996 Omgaek32.exe 2376 Oenifh32.exe 2128 Ogmfbd32.exe 2588 Pphjgfqq.exe 2656 Pgobhcac.exe 2176 Paggai32.exe 3060 Pcfcmd32.exe 2288 Pfdpip32.exe 1448 Pmnhfjmg.exe 2876 Pbkpna32.exe 2788 Pmqdkj32.exe 2920 Pnbacbac.exe 1532 Plfamfpm.exe 2992 Pabjem32.exe 1252 Qhmbagfa.exe 536 Qjknnbed.exe 1136 Qbbfopeg.exe 2492 Qjmkcbcb.exe 1028 Qmlgonbe.exe 884 Afdlhchf.exe 1540 Ankdiqih.exe 1612 Adhlaggp.exe 2388 Affhncfc.exe 2860 Aiedjneg.exe 1720 Aalmklfi.exe 2756 Adjigg32.exe 2928 Afiecb32.exe 2704 Aigaon32.exe 1788 Alenki32.exe 2912 Admemg32.exe 3052 Afkbib32.exe 2168 Aiinen32.exe 936 Alhjai32.exe 2796 Aoffmd32.exe 1628 Afmonbqk.exe 2244 Aljgfioc.exe 2520 Bpfcgg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe 2220 52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe 1912 Mcjkcplm.exe 1912 Mcjkcplm.exe 2900 Mlcple32.exe 2900 Mlcple32.exe 2688 Mekdekin.exe 2688 Mekdekin.exe 2752 Mkhmma32.exe 2752 Mkhmma32.exe 2672 Menakj32.exe 2672 Menakj32.exe 2572 Mkjica32.exe 2572 Mkjica32.exe 2080 Mdcnlglc.exe 2080 Mdcnlglc.exe 2952 Mnkbdlbd.exe 2952 Mnkbdlbd.exe 1248 Mhqfbebj.exe 1248 Mhqfbebj.exe 316 Nnnojlpa.exe 316 Nnnojlpa.exe 816 Ngfcca32.exe 816 Ngfcca32.exe 2872 Njdpomfe.exe 2872 Njdpomfe.exe 1580 Ncmdhb32.exe 1580 Ncmdhb32.exe 2248 Nleiqhcg.exe 2248 Nleiqhcg.exe 1424 Ngkmnacm.exe 1424 Ngkmnacm.exe 684 Nqcagfim.exe 684 Nqcagfim.exe 636 Nfpjomgd.exe 636 Nfpjomgd.exe 556 Njkfpl32.exe 556 Njkfpl32.exe 1264 Nhnfkigh.exe 1264 Nhnfkigh.exe 1524 Odegpj32.exe 1524 Odegpj32.exe 1576 Onmkio32.exe 1576 Onmkio32.exe 1616 Obigjnkf.exe 1616 Obigjnkf.exe 1640 Ofdcjm32.exe 1640 Ofdcjm32.exe 2624 Onphoo32.exe 2624 Onphoo32.exe 1152 Ojficpfn.exe 1152 Ojficpfn.exe 2856 Ocomlemo.exe 2856 Ocomlemo.exe 2740 Ogjimd32.exe 2740 Ogjimd32.exe 2996 Omgaek32.exe 2996 Omgaek32.exe 2376 Oenifh32.exe 2376 Oenifh32.exe 2128 Ogmfbd32.exe 2128 Ogmfbd32.exe 2588 Pphjgfqq.exe 2588 Pphjgfqq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ljffag32.exe Lclnemgd.exe File created C:\Windows\SysWOW64\Qfjnod32.dll Cddaphkn.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File created C:\Windows\SysWOW64\Idcokkak.exe Illgimph.exe File created C:\Windows\SysWOW64\Iapebchh.exe Ioaifhid.exe File opened for modification C:\Windows\SysWOW64\Kbdklf32.exe Kcakaipc.exe File opened for modification C:\Windows\SysWOW64\Cfbhnaho.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Ahikqd32.exe Aekodi32.exe File created C:\Windows\SysWOW64\Gdjpeifj.exe Gpncej32.exe File created C:\Windows\SysWOW64\Gpgmpikn.dll Homclekn.exe File opened for modification C:\Windows\SysWOW64\Dbfabp32.exe Dogefd32.exe File opened for modification C:\Windows\SysWOW64\Bdooajdc.exe Baqbenep.exe File created C:\Windows\SysWOW64\Pkjapnke.dll Dkhcmgnl.exe File created C:\Windows\SysWOW64\Pmanoifd.exe Pnomcl32.exe File opened for modification C:\Windows\SysWOW64\Cddaphkn.exe Cafecmlj.exe File created C:\Windows\SysWOW64\Eeempocb.exe Eajaoq32.exe File created C:\Windows\SysWOW64\Bleago32.dll Ihdkao32.exe File created C:\Windows\SysWOW64\Knlafm32.dll Omdneebf.exe File opened for modification C:\Windows\SysWOW64\Papfegmk.exe Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File created C:\Windows\SysWOW64\Piphee32.exe Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Nodgel32.exe Nmbknddp.exe File created C:\Windows\SysWOW64\Hhbabqdh.dll Ncmdhb32.exe File created C:\Windows\SysWOW64\Dkmcgmjk.dll Ojahnj32.exe File created C:\Windows\SysWOW64\Qedhdjnh.exe Qbelgood.exe File opened for modification C:\Windows\SysWOW64\Llohjo32.exe Ljmlbfhi.exe File created C:\Windows\SysWOW64\Ahaloofd.dll Oenifh32.exe File created C:\Windows\SysWOW64\Odbhmo32.dll Ecmkghcl.exe File opened for modification C:\Windows\SysWOW64\Fnhnbb32.exe Fljafg32.exe File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe Gddifnbk.exe File created C:\Windows\SysWOW64\Amkoie32.dll Ooeggp32.exe File created C:\Windows\SysWOW64\Hedocp32.exe Hbfbgd32.exe File created C:\Windows\SysWOW64\Jhnaid32.dll Qjknnbed.exe File created C:\Windows\SysWOW64\Elpbcapg.dll Gkihhhnm.exe File opened for modification C:\Windows\SysWOW64\Emkaol32.exe Efaibbij.exe File opened for modification C:\Windows\SysWOW64\Pmnhfjmg.exe Pfdpip32.exe File created C:\Windows\SysWOW64\Ojiich32.dll Onphoo32.exe File created C:\Windows\SysWOW64\Fioeja32.dll Ocimgp32.exe File opened for modification C:\Windows\SysWOW64\Icfofg32.exe Idcokkak.exe File created C:\Windows\SysWOW64\Bpmiamoh.dll Kfbcbd32.exe File opened for modification C:\Windows\SysWOW64\Pabjem32.exe Plfamfpm.exe File created C:\Windows\SysWOW64\Copeil32.dll Jicgpb32.exe File created C:\Windows\SysWOW64\Njfppiho.dll Mlcbenjb.exe File created C:\Windows\SysWOW64\Eicieohp.dll Ikhjki32.exe File opened for modification C:\Windows\SysWOW64\Kkjcplpa.exe Kjifhc32.exe File created C:\Windows\SysWOW64\Mdcnlglc.exe Mkjica32.exe File created C:\Windows\SysWOW64\Ngkmnacm.exe Nleiqhcg.exe File opened for modification C:\Windows\SysWOW64\Ekhhadmk.exe Egllae32.exe File created C:\Windows\SysWOW64\Ihgainbg.exe Ieidmbcc.exe File created C:\Windows\SysWOW64\Lphhoacd.dll Ofdcjm32.exe File opened for modification C:\Windows\SysWOW64\Mdmmfa32.exe Maoajf32.exe File created C:\Windows\SysWOW64\Fpngfgle.exe Fmpkjkma.exe File created C:\Windows\SysWOW64\Jjojofgn.exe Jbgbni32.exe File created C:\Windows\SysWOW64\Kfbkmk32.exe Keanebkb.exe File opened for modification C:\Windows\SysWOW64\Melfncqb.exe Mbmjah32.exe File created C:\Windows\SysWOW64\Mdkqqa32.exe Mmahdggc.exe File opened for modification C:\Windows\SysWOW64\Inqcif32.exe Ijeghgoh.exe File created C:\Windows\SysWOW64\Pjadmnic.exe Pgbhabjp.exe File created C:\Windows\SysWOW64\Clilkfnb.exe Cdbdjhmp.exe File created C:\Windows\SysWOW64\Cfbhnaho.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Niifne32.dll Cobbhfhg.exe File opened for modification C:\Windows\SysWOW64\Enakbp32.exe Dookgcij.exe File opened for modification C:\Windows\SysWOW64\Mbpnanch.exe Mdmmfa32.exe File created C:\Windows\SysWOW64\Hjkbhikj.dll Qabcjgkh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjqde.dll" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnfdcqd.dll" Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll" Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbifehk.dll" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efaibbij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admemg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Papfegmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmnace32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmljjm32.dll" Ccfhhffh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgidao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnemk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifjqh32.dll" Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfcampgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allepo32.dll" Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll" Dlnbeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgjefg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfpgj32.dll" Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll" Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olliabba.dll" Ljmlbfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll" Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfiale32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghabf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmolnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpjiajeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddokpmfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmhdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiijnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoladf32.dll" Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqmicng.dll" Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll" Lfdmggnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giaekk32.dll" Blpjegfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndohedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcmafj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdfjjia.dll" Ocomlemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpkof32.dll" Piphee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbelgood.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1912 2220 52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1912 2220 52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1912 2220 52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 1912 2220 52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe 28 PID 1912 wrote to memory of 2900 1912 Mcjkcplm.exe 29 PID 1912 wrote to memory of 2900 1912 Mcjkcplm.exe 29 PID 1912 wrote to memory of 2900 1912 Mcjkcplm.exe 29 PID 1912 wrote to memory of 2900 1912 Mcjkcplm.exe 29 PID 2900 wrote to memory of 2688 2900 Mlcple32.exe 30 PID 2900 wrote to memory of 2688 2900 Mlcple32.exe 30 PID 2900 wrote to memory of 2688 2900 Mlcple32.exe 30 PID 2900 wrote to memory of 2688 2900 Mlcple32.exe 30 PID 2688 wrote to memory of 2752 2688 Mekdekin.exe 31 PID 2688 wrote to memory of 2752 2688 Mekdekin.exe 31 PID 2688 wrote to memory of 2752 2688 Mekdekin.exe 31 PID 2688 wrote to memory of 2752 2688 Mekdekin.exe 31 PID 2752 wrote to memory of 2672 2752 Mkhmma32.exe 32 PID 2752 wrote to memory of 2672 2752 Mkhmma32.exe 32 PID 2752 wrote to memory of 2672 2752 Mkhmma32.exe 32 PID 2752 wrote to memory of 2672 2752 Mkhmma32.exe 32 PID 2672 wrote to memory of 2572 2672 Menakj32.exe 33 PID 2672 wrote to memory of 2572 2672 Menakj32.exe 33 PID 2672 wrote to memory of 2572 2672 Menakj32.exe 33 PID 2672 wrote to memory of 2572 2672 Menakj32.exe 33 PID 2572 wrote to memory of 2080 2572 Mkjica32.exe 34 PID 2572 wrote to memory of 2080 2572 Mkjica32.exe 34 PID 2572 wrote to memory of 2080 2572 Mkjica32.exe 34 PID 2572 wrote to memory of 2080 2572 Mkjica32.exe 34 PID 2080 wrote to memory of 2952 2080 Mdcnlglc.exe 35 PID 2080 wrote to memory of 2952 2080 Mdcnlglc.exe 35 PID 2080 wrote to memory of 2952 2080 Mdcnlglc.exe 35 PID 2080 wrote to memory of 2952 2080 Mdcnlglc.exe 35 PID 2952 wrote to memory of 1248 2952 Mnkbdlbd.exe 36 PID 2952 wrote to memory of 1248 2952 Mnkbdlbd.exe 36 PID 2952 wrote to memory of 1248 2952 Mnkbdlbd.exe 36 PID 2952 wrote to memory of 1248 2952 Mnkbdlbd.exe 36 PID 1248 wrote to memory of 316 1248 Mhqfbebj.exe 37 PID 1248 wrote to memory of 316 1248 Mhqfbebj.exe 37 PID 1248 wrote to memory of 316 1248 Mhqfbebj.exe 37 PID 1248 wrote to memory of 316 1248 Mhqfbebj.exe 37 PID 316 wrote to memory of 816 316 Nnnojlpa.exe 38 PID 316 wrote to memory of 816 316 Nnnojlpa.exe 38 PID 316 wrote to memory of 816 316 Nnnojlpa.exe 38 PID 316 wrote to memory of 816 316 Nnnojlpa.exe 38 PID 816 wrote to memory of 2872 816 Ngfcca32.exe 39 PID 816 wrote to memory of 2872 816 Ngfcca32.exe 39 PID 816 wrote to memory of 2872 816 Ngfcca32.exe 39 PID 816 wrote to memory of 2872 816 Ngfcca32.exe 39 PID 2872 wrote to memory of 1580 2872 Njdpomfe.exe 40 PID 2872 wrote to memory of 1580 2872 Njdpomfe.exe 40 PID 2872 wrote to memory of 1580 2872 Njdpomfe.exe 40 PID 2872 wrote to memory of 1580 2872 Njdpomfe.exe 40 PID 1580 wrote to memory of 2248 1580 Ncmdhb32.exe 41 PID 1580 wrote to memory of 2248 1580 Ncmdhb32.exe 41 PID 1580 wrote to memory of 2248 1580 Ncmdhb32.exe 41 PID 1580 wrote to memory of 2248 1580 Ncmdhb32.exe 41 PID 2248 wrote to memory of 1424 2248 Nleiqhcg.exe 42 PID 2248 wrote to memory of 1424 2248 Nleiqhcg.exe 42 PID 2248 wrote to memory of 1424 2248 Nleiqhcg.exe 42 PID 2248 wrote to memory of 1424 2248 Nleiqhcg.exe 42 PID 1424 wrote to memory of 684 1424 Ngkmnacm.exe 43 PID 1424 wrote to memory of 684 1424 Ngkmnacm.exe 43 PID 1424 wrote to memory of 684 1424 Ngkmnacm.exe 43 PID 1424 wrote to memory of 684 1424 Ngkmnacm.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\52bf68ff9aaf6653cd80e66ed081c84180a64fb6068d27f118cd522cec4cb8c1_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe33⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe34⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe37⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe38⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe39⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe40⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe42⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe43⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe45⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe47⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe49⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe50⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe51⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe52⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe53⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe55⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe56⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe57⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe59⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe60⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe61⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe62⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe63⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe64⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1016 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe67⤵PID:1164
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe69⤵PID:2332
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe70⤵
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2224 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe73⤵PID:2908
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe74⤵PID:2984
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe75⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe77⤵PID:2848
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1140 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe79⤵PID:2868
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe81⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe82⤵PID:2924
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe83⤵PID:2400
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe84⤵PID:792
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe85⤵PID:1500
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe87⤵PID:1820
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe88⤵PID:2144
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe89⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe90⤵PID:2664
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe91⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe92⤵PID:2576
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe93⤵PID:2844
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe94⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe96⤵PID:2792
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe97⤵PID:2628
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe98⤵PID:2008
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe99⤵PID:1644
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe100⤵PID:3008
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe101⤵PID:2064
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe102⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe103⤵PID:2368
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe104⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe105⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe106⤵PID:1924
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe107⤵PID:2768
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe109⤵PID:2600
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe110⤵PID:1704
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe111⤵PID:2608
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe112⤵PID:848
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe113⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe115⤵PID:1192
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe116⤵PID:2088
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe117⤵PID:988
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe118⤵PID:2040
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe119⤵PID:2680
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe120⤵PID:2668
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe121⤵PID:2552
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-