Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 06:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe
-
Size
72KB
-
MD5
a117c6cd25f370381bfcd86ce981e810
-
SHA1
a13d1797772ac0aa11b8f2b813aab5fa9d36c14b
-
SHA256
7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728
-
SHA512
296b118d4d79b6fa1c9e4347e4cf9a642f827b3db7c03a02d7052917721a87494b8c4053a6166e90416e5d78b6c6b9f84c3fc131977c834ded5c65f507484d63
-
SSDEEP
1536:Wgh36PNAjqYJK3Y6b1PuogzSBmIZ0aH9RQjDbEyRCRRRoR4Rk4:Wu36KJyvbFuoJms9eTEy032ya4
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpphap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkgmgmfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cohigamf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffklhqao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmjah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocgpappk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpngfgle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gebbnpfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpcfkbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlibjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miooigfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmdadnkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbmcbbki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gdniqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghelfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfiale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcbjgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anojbobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clilkfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkhnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dookgcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhloponc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naimccpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkjcplpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Habfipdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnkpbcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifpdelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogeigofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfenplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpqpjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqqboncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkpegi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2860 Jcgogk32.exe 1564 Jnqphi32.exe 2632 Jkdpanhg.exe 3052 Jbnhng32.exe 2748 Kkgmgmfd.exe 2412 Kbqecg32.exe 2464 Kaceodek.exe 2652 Kjljhjkl.exe 2708 Keanebkb.exe 1808 Kjnfniii.exe 2000 Kpkofpgq.exe 344 Kjqccigf.exe 1484 Kblhgk32.exe 2344 Kifpdelo.exe 2300 Lpphap32.exe 2392 Lemaif32.exe 452 Leonofpp.exe 2136 Lhmjkaoc.exe 1496 Lliflp32.exe 2148 Leajdfnm.exe 1920 Lhpfqama.exe 904 Llkbap32.exe 2188 Lkncmmle.exe 1452 Lahkigca.exe 872 Lmolnh32.exe 2964 Mggpgmof.exe 2864 Mamddf32.exe 2316 Mhgmapfi.exe 2620 Mdmmfa32.exe 2420 Mgljbm32.exe 2780 Mlibjc32.exe 2468 Mcbjgn32.exe 2900 Mlkopcge.exe 1188 Miooigfo.exe 2760 Mlmlecec.exe 2880 Mpigfa32.exe 2028 Nhdlkdkg.exe 2044 Nlphkb32.exe 324 Namqci32.exe 1872 Ndkmpe32.exe 296 Noqamn32.exe 2820 Nkgbbo32.exe 2892 Nnennj32.exe 2128 Nkiogn32.exe 1740 Nnhkcj32.exe 952 Ngpolo32.exe 1936 Oddpfc32.exe 1368 Ocgpappk.exe 1248 Ocgpappk.exe 2184 Ogblbo32.exe 2348 Ofelmloo.exe 1696 Olpdjf32.exe 2600 Oqkqkdne.exe 2560 Ogeigofa.exe 2552 Ofhick32.exe 2584 Ombapedi.exe 2488 Oopnlacm.exe 2920 Oclilp32.exe 2740 Obojhlbq.exe 2784 Ojfaijcc.exe 2388 Ohibdf32.exe 760 Omdneebf.exe 1900 Ocnfbo32.exe 1688 Obafnlpn.exe -
Loads dropped DLL 64 IoCs
pid Process 2676 7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe 2676 7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe 2860 Jcgogk32.exe 2860 Jcgogk32.exe 1564 Jnqphi32.exe 1564 Jnqphi32.exe 2632 Jkdpanhg.exe 2632 Jkdpanhg.exe 3052 Jbnhng32.exe 3052 Jbnhng32.exe 2748 Kkgmgmfd.exe 2748 Kkgmgmfd.exe 2412 Kbqecg32.exe 2412 Kbqecg32.exe 2464 Kaceodek.exe 2464 Kaceodek.exe 2652 Kjljhjkl.exe 2652 Kjljhjkl.exe 2708 Keanebkb.exe 2708 Keanebkb.exe 1808 Kjnfniii.exe 1808 Kjnfniii.exe 2000 Kpkofpgq.exe 2000 Kpkofpgq.exe 344 Kjqccigf.exe 344 Kjqccigf.exe 1484 Kblhgk32.exe 1484 Kblhgk32.exe 2344 Kifpdelo.exe 2344 Kifpdelo.exe 2300 Lpphap32.exe 2300 Lpphap32.exe 2392 Lemaif32.exe 2392 Lemaif32.exe 452 Leonofpp.exe 452 Leonofpp.exe 2136 Lhmjkaoc.exe 2136 Lhmjkaoc.exe 1496 Lliflp32.exe 1496 Lliflp32.exe 2148 Leajdfnm.exe 2148 Leajdfnm.exe 1920 Lhpfqama.exe 1920 Lhpfqama.exe 904 Llkbap32.exe 904 Llkbap32.exe 2188 Lkncmmle.exe 2188 Lkncmmle.exe 1452 Lahkigca.exe 1452 Lahkigca.exe 872 Lmolnh32.exe 872 Lmolnh32.exe 2964 Mggpgmof.exe 2964 Mggpgmof.exe 2864 Mamddf32.exe 2864 Mamddf32.exe 2316 Mhgmapfi.exe 2316 Mhgmapfi.exe 2620 Mdmmfa32.exe 2620 Mdmmfa32.exe 2420 Mgljbm32.exe 2420 Mgljbm32.exe 2780 Mlibjc32.exe 2780 Mlibjc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ogeigofa.exe Oqkqkdne.exe File opened for modification C:\Windows\SysWOW64\Figlolbf.exe Ffhpbacb.exe File opened for modification C:\Windows\SysWOW64\Endhhp32.exe Ekelld32.exe File opened for modification C:\Windows\SysWOW64\Kjqccigf.exe Kpkofpgq.exe File created C:\Windows\SysWOW64\Pjhknm32.exe Pgioaa32.exe File opened for modification C:\Windows\SysWOW64\Afohaa32.exe Ahlgfdeq.exe File opened for modification C:\Windows\SysWOW64\Ifkacb32.exe Ilcmjl32.exe File opened for modification C:\Windows\SysWOW64\Kohkfj32.exe Kmjojo32.exe File created C:\Windows\SysWOW64\Lmnppf32.dll Niebhf32.exe File created C:\Windows\SysWOW64\Pogclp32.exe Pimkpfeh.exe File created C:\Windows\SysWOW64\Jicdaj32.dll Qfokbnip.exe File created C:\Windows\SysWOW64\Anafhopc.exe Albjlcao.exe File opened for modification C:\Windows\SysWOW64\Gikaio32.exe Gbaileio.exe File created C:\Windows\SysWOW64\Oqkqkdne.exe Olpdjf32.exe File opened for modification C:\Windows\SysWOW64\Migbnb32.exe Melfncqb.exe File opened for modification C:\Windows\SysWOW64\Jkdpanhg.exe Jnqphi32.exe File opened for modification C:\Windows\SysWOW64\Dggcffhg.exe Ddigjkid.exe File opened for modification C:\Windows\SysWOW64\Haiccald.exe Hojgfemq.exe File opened for modification C:\Windows\SysWOW64\Icjhagdp.exe Ioolqh32.exe File created C:\Windows\SysWOW64\Kneagg32.dll Fhqbkhch.exe File created C:\Windows\SysWOW64\Mhgmapfi.exe Mamddf32.exe File created C:\Windows\SysWOW64\Boqbfb32.exe Behnnm32.exe File opened for modification C:\Windows\SysWOW64\Bifgdk32.exe Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Mmldme32.exe Mgalqkbk.exe File created C:\Windows\SysWOW64\Hoamnbaf.dll Kjnfniii.exe File created C:\Windows\SysWOW64\Gamgjj32.dll Hanlnp32.exe File created C:\Windows\SysWOW64\Nbpiak32.dll Lkncmmle.exe File created C:\Windows\SysWOW64\Mpigfa32.exe Mlmlecec.exe File created C:\Windows\SysWOW64\Qpecfc32.exe Qmfgjh32.exe File opened for modification C:\Windows\SysWOW64\Aemkjiem.exe Amfcikek.exe File opened for modification C:\Windows\SysWOW64\Djhphncm.exe Ccngld32.exe File opened for modification C:\Windows\SysWOW64\Fhqbkhch.exe Fjmaaddo.exe File created C:\Windows\SysWOW64\Hdnepk32.exe Hoamgd32.exe File created C:\Windows\SysWOW64\Mholen32.exe Mmihhelk.exe File created C:\Windows\SysWOW64\Leajdfnm.exe Lliflp32.exe File created C:\Windows\SysWOW64\Bnilfo32.dll Pnajilng.exe File created C:\Windows\SysWOW64\Jneohcll.dll Ajhgmpfg.exe File created C:\Windows\SysWOW64\Qffmipmp.dll Enfenplo.exe File opened for modification C:\Windows\SysWOW64\Habfipdj.exe Hmfjha32.exe File opened for modification C:\Windows\SysWOW64\Nhdlkdkg.exe Mpigfa32.exe File opened for modification C:\Windows\SysWOW64\Pkpagq32.exe Pciifc32.exe File created C:\Windows\SysWOW64\Ckafbbph.exe Cpkbdiqb.exe File opened for modification C:\Windows\SysWOW64\Hlqdei32.exe Hakphqja.exe File opened for modification C:\Windows\SysWOW64\Hdqbekcm.exe Habfipdj.exe File created C:\Windows\SysWOW64\Fdilgioe.dll Lpekon32.exe File opened for modification C:\Windows\SysWOW64\Mmihhelk.exe Mofglh32.exe File created C:\Windows\SysWOW64\Fgefik32.dll Ofhick32.exe File created C:\Windows\SysWOW64\Icjhagdp.exe Ioolqh32.exe File created C:\Windows\SysWOW64\Fhhmapcq.dll Lbfdaigg.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Cclkfdnc.exe Cpnojioo.exe File created C:\Windows\SysWOW64\Jdgdempa.exe Jkoplhip.exe File created C:\Windows\SysWOW64\Dkqmaqbm.dll Jdgdempa.exe File opened for modification C:\Windows\SysWOW64\Kaceodek.exe Kbqecg32.exe File opened for modification C:\Windows\SysWOW64\Enhacojl.exe Ejmebq32.exe File created C:\Windows\SysWOW64\Gabqfggi.dll Lndohedg.exe File opened for modification C:\Windows\SysWOW64\Miooigfo.exe Mlkopcge.exe File opened for modification C:\Windows\SysWOW64\Cddaphkn.exe Ceaadk32.exe File created C:\Windows\SysWOW64\Pgegdo32.dll Hhgdkjol.exe File opened for modification C:\Windows\SysWOW64\Ioolqh32.exe Iefhhbef.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Oikojfgk.exe File opened for modification C:\Windows\SysWOW64\Gmdadnkh.exe Gjfdhbld.exe File created C:\Windows\SysWOW64\Kpjhkjde.exe Kkolkk32.exe File created C:\Windows\SysWOW64\Opdnhdpo.dll Leljop32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4508 4484 WerFault.exe 353 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljilnja.dll" Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdjlion.dll" Gohjaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll" Djhphncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbfpik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmdadnkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cldooj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fikejl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfalhjp.dll" Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjlgm32.dll" Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idnaoohk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlmlecec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algdlcdm.dll" Gjakmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdehon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdffl32.dll" Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll" Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Delpclld.dll" Mgljbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnilfo32.dll" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Leonofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiejdkkn.dll" Obafnlpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhmenjp.dll" Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll" Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhqbkhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnjb32.dll" Gjdhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbnlj32.dll" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffmipmp.dll" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogbjdmj.dll" Idnaoohk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jndkpj32.dll" Fljafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjnfaf.dll" Hdqbekcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjfjbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnipnaf.dll" Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmnace32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll" Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneagg32.dll" Fhqbkhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkgbbo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2676 wrote to memory of 2860 2676 7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe 28 PID 2676 wrote to memory of 2860 2676 7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe 28 PID 2676 wrote to memory of 2860 2676 7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe 28 PID 2676 wrote to memory of 2860 2676 7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe 28 PID 2860 wrote to memory of 1564 2860 Jcgogk32.exe 29 PID 2860 wrote to memory of 1564 2860 Jcgogk32.exe 29 PID 2860 wrote to memory of 1564 2860 Jcgogk32.exe 29 PID 2860 wrote to memory of 1564 2860 Jcgogk32.exe 29 PID 1564 wrote to memory of 2632 1564 Jnqphi32.exe 30 PID 1564 wrote to memory of 2632 1564 Jnqphi32.exe 30 PID 1564 wrote to memory of 2632 1564 Jnqphi32.exe 30 PID 1564 wrote to memory of 2632 1564 Jnqphi32.exe 30 PID 2632 wrote to memory of 3052 2632 Jkdpanhg.exe 31 PID 2632 wrote to memory of 3052 2632 Jkdpanhg.exe 31 PID 2632 wrote to memory of 3052 2632 Jkdpanhg.exe 31 PID 2632 wrote to memory of 3052 2632 Jkdpanhg.exe 31 PID 3052 wrote to memory of 2748 3052 Jbnhng32.exe 32 PID 3052 wrote to memory of 2748 3052 Jbnhng32.exe 32 PID 3052 wrote to memory of 2748 3052 Jbnhng32.exe 32 PID 3052 wrote to memory of 2748 3052 Jbnhng32.exe 32 PID 2748 wrote to memory of 2412 2748 Kkgmgmfd.exe 33 PID 2748 wrote to memory of 2412 2748 Kkgmgmfd.exe 33 PID 2748 wrote to memory of 2412 2748 Kkgmgmfd.exe 33 PID 2748 wrote to memory of 2412 2748 Kkgmgmfd.exe 33 PID 2412 wrote to memory of 2464 2412 Kbqecg32.exe 34 PID 2412 wrote to memory of 2464 2412 Kbqecg32.exe 34 PID 2412 wrote to memory of 2464 2412 Kbqecg32.exe 34 PID 2412 wrote to memory of 2464 2412 Kbqecg32.exe 34 PID 2464 wrote to memory of 2652 2464 Kaceodek.exe 35 PID 2464 wrote to memory of 2652 2464 Kaceodek.exe 35 PID 2464 wrote to memory of 2652 2464 Kaceodek.exe 35 PID 2464 wrote to memory of 2652 2464 Kaceodek.exe 35 PID 2652 wrote to memory of 2708 2652 Kjljhjkl.exe 36 PID 2652 wrote to memory of 2708 2652 Kjljhjkl.exe 36 PID 2652 wrote to memory of 2708 2652 Kjljhjkl.exe 36 PID 2652 wrote to memory of 2708 2652 Kjljhjkl.exe 36 PID 2708 wrote to memory of 1808 2708 Keanebkb.exe 37 PID 2708 wrote to memory of 1808 2708 Keanebkb.exe 37 PID 2708 wrote to memory of 1808 2708 Keanebkb.exe 37 PID 2708 wrote to memory of 1808 2708 Keanebkb.exe 37 PID 1808 wrote to memory of 2000 1808 Kjnfniii.exe 38 PID 1808 wrote to memory of 2000 1808 Kjnfniii.exe 38 PID 1808 wrote to memory of 2000 1808 Kjnfniii.exe 38 PID 1808 wrote to memory of 2000 1808 Kjnfniii.exe 38 PID 2000 wrote to memory of 344 2000 Kpkofpgq.exe 39 PID 2000 wrote to memory of 344 2000 Kpkofpgq.exe 39 PID 2000 wrote to memory of 344 2000 Kpkofpgq.exe 39 PID 2000 wrote to memory of 344 2000 Kpkofpgq.exe 39 PID 344 wrote to memory of 1484 344 Kjqccigf.exe 40 PID 344 wrote to memory of 1484 344 Kjqccigf.exe 40 PID 344 wrote to memory of 1484 344 Kjqccigf.exe 40 PID 344 wrote to memory of 1484 344 Kjqccigf.exe 40 PID 1484 wrote to memory of 2344 1484 Kblhgk32.exe 41 PID 1484 wrote to memory of 2344 1484 Kblhgk32.exe 41 PID 1484 wrote to memory of 2344 1484 Kblhgk32.exe 41 PID 1484 wrote to memory of 2344 1484 Kblhgk32.exe 41 PID 2344 wrote to memory of 2300 2344 Kifpdelo.exe 42 PID 2344 wrote to memory of 2300 2344 Kifpdelo.exe 42 PID 2344 wrote to memory of 2300 2344 Kifpdelo.exe 42 PID 2344 wrote to memory of 2300 2344 Kifpdelo.exe 42 PID 2300 wrote to memory of 2392 2300 Lpphap32.exe 43 PID 2300 wrote to memory of 2392 2300 Lpphap32.exe 43 PID 2300 wrote to memory of 2392 2300 Lpphap32.exe 43 PID 2300 wrote to memory of 2392 2300 Lpphap32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7555d6c3ab176240824051dd58707f5f1879bee10975b3bbdb1c04602e064728_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe39⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe41⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe42⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe44⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe45⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe46⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe47⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe48⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe51⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe52⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe57⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe58⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe59⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe60⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe62⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe63⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe64⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe66⤵PID:2808
-
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe67⤵
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe68⤵PID:1220
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe70⤵PID:932
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe71⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe72⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe73⤵PID:2772
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe74⤵
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe75⤵
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe76⤵PID:2020
-
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe77⤵PID:2424
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe78⤵PID:2688
-
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe79⤵PID:2032
-
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe82⤵PID:1800
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe83⤵PID:1376
-
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe84⤵
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe85⤵PID:2112
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe87⤵PID:1692
-
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe88⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe89⤵PID:1876
-
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe90⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe91⤵PID:2744
-
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe92⤵
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe93⤵
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe94⤵PID:2248
-
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe95⤵PID:1508
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe96⤵PID:2296
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe97⤵PID:1604
-
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe98⤵PID:1812
-
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe99⤵PID:1704
-
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe100⤵PID:2792
-
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe101⤵PID:1744
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe103⤵PID:2668
-
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe104⤵PID:2660
-
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe105⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe106⤵PID:2752
-
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe108⤵PID:2400
-
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe110⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe111⤵PID:2140
-
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe113⤵PID:2016
-
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe114⤵PID:2340
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe115⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe116⤵PID:2904
-
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe117⤵PID:2680
-
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe118⤵PID:1640
-
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe119⤵PID:2472
-
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe120⤵PID:2124
-
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe121⤵PID:3064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-