Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 18:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
-
Size
96KB
-
MD5
13b418855aed517fd502580c752ffdf0
-
SHA1
81ddb174063bfb22a43b745c6ceed75e6187d5c4
-
SHA256
b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9
-
SHA512
c3b235c7c588892036594f4060fe9a4adc8710f348dc0f78da27b991d1946776410099e9f068343b9504030ffe2e75c2de25e247796a19d622c9bfdf2c5ec586
-
SSDEEP
1536:+G/CfdbORrwTUZtXQCmk2L3ZS/FCb4noaJSNzJO/:JCUtXQCm93ZSs4noakXO/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laplei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfpjomgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiidobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paejki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejcjbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paejki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhcdaibd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejbfhfaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnnojlpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldqegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampqjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddagfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfgmhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghhofmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefkjkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfjbgmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofdcjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe -
Executes dropped EXE 64 IoCs
pid Process 1628 Lhggmchi.exe 2076 Laplei32.exe 2572 Lkhpnnej.exe 2648 Lmgmjjdn.exe 2544 Ldqegd32.exe 2376 Lkkmdn32.exe 2920 Lpgele32.exe 304 Lbfahp32.exe 1328 Lmkfei32.exe 1868 Lpjbad32.exe 1864 Lefkjkmc.exe 1844 Llqcfe32.exe 1840 Mgfgdn32.exe 1380 Mhgclfje.exe 2696 Maphdl32.exe 2032 Migpeiag.exe 536 Mcodno32.exe 2180 Menakj32.exe 2676 Mlgigdoh.exe 2328 Mofecpnl.exe 2924 Mnieom32.exe 2868 Mhnjle32.exe 652 Mohbip32.exe 2064 Mnkbdlbd.exe 268 Mkobnqan.exe 1588 Nnnojlpa.exe 1332 Nplkfgoe.exe 1684 Nkaocp32.exe 2144 Npnhlg32.exe 2976 Nghphaeo.exe 2372 Njgldmdc.exe 2388 Nocemcbj.exe 2528 Nfmmin32.exe 2416 Nhlifi32.exe 1216 Nfpjomgd.exe 1948 Nhnfkigh.exe 1856 Nbfjdn32.exe 1912 Odegpj32.exe 1012 Oojknblb.exe 1848 Ofdcjm32.exe 1508 Ogfpbeim.exe 1664 Okalbc32.exe 604 Oghlgdgk.exe 1172 Ojficpfn.exe 2948 Onbddoog.exe 828 Ogjimd32.exe 1268 Oqcnfjli.exe 1764 Ogmfbd32.exe 552 Paejki32.exe 3060 Pccfge32.exe 2876 Pfbccp32.exe 2040 Pmlkpjpj.exe 1108 Ppjglfon.exe 1232 Pbiciana.exe 2636 Pjpkjond.exe 2488 Pmnhfjmg.exe 2632 Ppmdbe32.exe 2396 Pfflopdh.exe 1820 Peiljl32.exe 2836 Pmqdkj32.exe 2272 Ppoqge32.exe 1560 Pfiidobe.exe 1760 Pelipl32.exe 1612 Phjelg32.exe -
Loads dropped DLL 64 IoCs
pid Process 1700 b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe 1700 b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe 1628 Lhggmchi.exe 1628 Lhggmchi.exe 2076 Laplei32.exe 2076 Laplei32.exe 2572 Lkhpnnej.exe 2572 Lkhpnnej.exe 2648 Lmgmjjdn.exe 2648 Lmgmjjdn.exe 2544 Ldqegd32.exe 2544 Ldqegd32.exe 2376 Lkkmdn32.exe 2376 Lkkmdn32.exe 2920 Lpgele32.exe 2920 Lpgele32.exe 304 Lbfahp32.exe 304 Lbfahp32.exe 1328 Lmkfei32.exe 1328 Lmkfei32.exe 1868 Lpjbad32.exe 1868 Lpjbad32.exe 1864 Lefkjkmc.exe 1864 Lefkjkmc.exe 1844 Llqcfe32.exe 1844 Llqcfe32.exe 1840 Mgfgdn32.exe 1840 Mgfgdn32.exe 1380 Mhgclfje.exe 1380 Mhgclfje.exe 2696 Maphdl32.exe 2696 Maphdl32.exe 2032 Migpeiag.exe 2032 Migpeiag.exe 536 Mcodno32.exe 536 Mcodno32.exe 2180 Menakj32.exe 2180 Menakj32.exe 2676 Mlgigdoh.exe 2676 Mlgigdoh.exe 2328 Mofecpnl.exe 2328 Mofecpnl.exe 2924 Mnieom32.exe 2924 Mnieom32.exe 2868 Mhnjle32.exe 2868 Mhnjle32.exe 652 Mohbip32.exe 652 Mohbip32.exe 2064 Mnkbdlbd.exe 2064 Mnkbdlbd.exe 268 Mkobnqan.exe 268 Mkobnqan.exe 1588 Nnnojlpa.exe 1588 Nnnojlpa.exe 1332 Nplkfgoe.exe 1332 Nplkfgoe.exe 1684 Nkaocp32.exe 1684 Nkaocp32.exe 2144 Npnhlg32.exe 2144 Npnhlg32.exe 2976 Nghphaeo.exe 2976 Nghphaeo.exe 2372 Njgldmdc.exe 2372 Njgldmdc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Okalbc32.exe Ogfpbeim.exe File opened for modification C:\Windows\SysWOW64\Cfeddafl.exe Coklgg32.exe File opened for modification C:\Windows\SysWOW64\Fjilieka.exe Fpdhklkl.exe File created C:\Windows\SysWOW64\Hnempl32.dll Gacpdbej.exe File created C:\Windows\SysWOW64\Fckjalhj.exe Fehjeo32.exe File created C:\Windows\SysWOW64\Cojiha32.dll Qhmbagfa.exe File created C:\Windows\SysWOW64\Qnigda32.exe Qljkhe32.exe File opened for modification C:\Windows\SysWOW64\Alenki32.exe Ambmpmln.exe File opened for modification C:\Windows\SysWOW64\Alhjai32.exe Amejeljk.exe File created C:\Windows\SysWOW64\Lilchoah.dll Bhcdaibd.exe File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe Efncicpm.exe File opened for modification C:\Windows\SysWOW64\Hlcgeo32.exe Hiekid32.exe File opened for modification C:\Windows\SysWOW64\Mhgclfje.exe Mgfgdn32.exe File opened for modification C:\Windows\SysWOW64\Migpeiag.exe Maphdl32.exe File opened for modification C:\Windows\SysWOW64\Mkobnqan.exe Mnkbdlbd.exe File created C:\Windows\SysWOW64\Hleajblp.dll Aenbdoii.exe File created C:\Windows\SysWOW64\Alhjai32.exe Amejeljk.exe File created C:\Windows\SysWOW64\Eijcpoac.exe Eflgccbp.exe File created C:\Windows\SysWOW64\Gbifnpmn.dll Lhggmchi.exe File created C:\Windows\SysWOW64\Ccdlbf32.exe Cpeofk32.exe File created C:\Windows\SysWOW64\Dgaqgh32.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Dmoipopd.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Lefkjkmc.exe Lpjbad32.exe File opened for modification C:\Windows\SysWOW64\Onbddoog.exe Ojficpfn.exe File opened for modification C:\Windows\SysWOW64\Abpfhcje.exe Admemg32.exe File opened for modification C:\Windows\SysWOW64\Beehencq.exe Baildokg.exe File created C:\Windows\SysWOW64\Fmhheqje.exe Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Lpgele32.exe Lkkmdn32.exe File created C:\Windows\SysWOW64\Agkjoj32.dll Mohbip32.exe File created C:\Windows\SysWOW64\Cgmkmecg.exe Bdooajdc.exe File created C:\Windows\SysWOW64\Cciemedf.exe Clomqk32.exe File opened for modification C:\Windows\SysWOW64\Fdapak32.exe Fmhheqje.exe File created C:\Windows\SysWOW64\Ilknfn32.exe Idceea32.exe File created C:\Windows\SysWOW64\Ebhepm32.dll Nkaocp32.exe File opened for modification C:\Windows\SysWOW64\Phjelg32.exe Pelipl32.exe File created C:\Windows\SysWOW64\Imhjppim.dll Ccdlbf32.exe File opened for modification C:\Windows\SysWOW64\Gonnhhln.exe Ffbicfoc.exe File opened for modification C:\Windows\SysWOW64\Gacpdbej.exe Gkihhhnm.exe File opened for modification C:\Windows\SysWOW64\Peiljl32.exe Pfflopdh.exe File opened for modification C:\Windows\SysWOW64\Bokphdld.exe Bkodhe32.exe File created C:\Windows\SysWOW64\Dgodbh32.exe Ddagfm32.exe File created C:\Windows\SysWOW64\Ogjbla32.dll Enihne32.exe File opened for modification C:\Windows\SysWOW64\Gogangdc.exe Gkkemh32.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hahjpbad.exe File opened for modification C:\Windows\SysWOW64\Adhlaggp.exe Aplpai32.exe File created C:\Windows\SysWOW64\Dnneja32.exe Dfgmhd32.exe File opened for modification C:\Windows\SysWOW64\Eiaiqn32.exe Enkece32.exe File created C:\Windows\SysWOW64\Fjlhneio.exe Fdapak32.exe File opened for modification C:\Windows\SysWOW64\Hiekid32.exe Hggomh32.exe File created C:\Windows\SysWOW64\Jjcpjl32.dll Ghoegl32.exe File created C:\Windows\SysWOW64\Hcnpbi32.exe Hpocfncj.exe File created C:\Windows\SysWOW64\Pjholl32.dll Nocemcbj.exe File created C:\Windows\SysWOW64\Affhncfc.exe Adhlaggp.exe File created C:\Windows\SysWOW64\Bhfbdd32.dll Afiecb32.exe File created C:\Windows\SysWOW64\Alihbgdo.dll Bgknheej.exe File opened for modification C:\Windows\SysWOW64\Cobbhfhg.exe Ckffgg32.exe File opened for modification C:\Windows\SysWOW64\Ejbfhfaj.exe Eiaiqn32.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Bebkpn32.exe File created C:\Windows\SysWOW64\Kcfdakpf.dll Emeopn32.exe File opened for modification C:\Windows\SysWOW64\Faokjpfd.exe Fckjalhj.exe File created C:\Windows\SysWOW64\Eliele32.dll Mnieom32.exe File opened for modification C:\Windows\SysWOW64\Qnfjna32.exe Qhmbagfa.exe File created C:\Windows\SysWOW64\Hlcgeo32.exe Hiekid32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3844 3824 WerFault.exe 258 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enihne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aigaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" Ilknfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojficpfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmddhkao.dll" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeddafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdhklkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkhqdcam.dll" Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankdiqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boiccdnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpkjond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfiidobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhemi32.dll" Aljgfioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhnaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkkmdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbfahp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiedkadc.dll" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clomqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" Hodpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnbpqb32.dll" Baildokg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddeaalpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llqcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmndi32.dll" Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekchhcnp.dll" Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balijo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" Fjilieka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dialipcb.dll" Pjpkjond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojiha32.dll" Qhmbagfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgeaj32.dll" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimcgn32.dll" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" Ghoegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgmjjdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amclfbco.dll" Lbfahp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocemcbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" Emhlfmgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hellne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmqdkj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 1628 1700 b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe 28 PID 1700 wrote to memory of 1628 1700 b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe 28 PID 1700 wrote to memory of 1628 1700 b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe 28 PID 1700 wrote to memory of 1628 1700 b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe 28 PID 1628 wrote to memory of 2076 1628 Lhggmchi.exe 29 PID 1628 wrote to memory of 2076 1628 Lhggmchi.exe 29 PID 1628 wrote to memory of 2076 1628 Lhggmchi.exe 29 PID 1628 wrote to memory of 2076 1628 Lhggmchi.exe 29 PID 2076 wrote to memory of 2572 2076 Laplei32.exe 30 PID 2076 wrote to memory of 2572 2076 Laplei32.exe 30 PID 2076 wrote to memory of 2572 2076 Laplei32.exe 30 PID 2076 wrote to memory of 2572 2076 Laplei32.exe 30 PID 2572 wrote to memory of 2648 2572 Lkhpnnej.exe 31 PID 2572 wrote to memory of 2648 2572 Lkhpnnej.exe 31 PID 2572 wrote to memory of 2648 2572 Lkhpnnej.exe 31 PID 2572 wrote to memory of 2648 2572 Lkhpnnej.exe 31 PID 2648 wrote to memory of 2544 2648 Lmgmjjdn.exe 32 PID 2648 wrote to memory of 2544 2648 Lmgmjjdn.exe 32 PID 2648 wrote to memory of 2544 2648 Lmgmjjdn.exe 32 PID 2648 wrote to memory of 2544 2648 Lmgmjjdn.exe 32 PID 2544 wrote to memory of 2376 2544 Ldqegd32.exe 33 PID 2544 wrote to memory of 2376 2544 Ldqegd32.exe 33 PID 2544 wrote to memory of 2376 2544 Ldqegd32.exe 33 PID 2544 wrote to memory of 2376 2544 Ldqegd32.exe 33 PID 2376 wrote to memory of 2920 2376 Lkkmdn32.exe 34 PID 2376 wrote to memory of 2920 2376 Lkkmdn32.exe 34 PID 2376 wrote to memory of 2920 2376 Lkkmdn32.exe 34 PID 2376 wrote to memory of 2920 2376 Lkkmdn32.exe 34 PID 2920 wrote to memory of 304 2920 Lpgele32.exe 35 PID 2920 wrote to memory of 304 2920 Lpgele32.exe 35 PID 2920 wrote to memory of 304 2920 Lpgele32.exe 35 PID 2920 wrote to memory of 304 2920 Lpgele32.exe 35 PID 304 wrote to memory of 1328 304 Lbfahp32.exe 36 PID 304 wrote to memory of 1328 304 Lbfahp32.exe 36 PID 304 wrote to memory of 1328 304 Lbfahp32.exe 36 PID 304 wrote to memory of 1328 304 Lbfahp32.exe 36 PID 1328 wrote to memory of 1868 1328 Lmkfei32.exe 37 PID 1328 wrote to memory of 1868 1328 Lmkfei32.exe 37 PID 1328 wrote to memory of 1868 1328 Lmkfei32.exe 37 PID 1328 wrote to memory of 1868 1328 Lmkfei32.exe 37 PID 1868 wrote to memory of 1864 1868 Lpjbad32.exe 38 PID 1868 wrote to memory of 1864 1868 Lpjbad32.exe 38 PID 1868 wrote to memory of 1864 1868 Lpjbad32.exe 38 PID 1868 wrote to memory of 1864 1868 Lpjbad32.exe 38 PID 1864 wrote to memory of 1844 1864 Lefkjkmc.exe 39 PID 1864 wrote to memory of 1844 1864 Lefkjkmc.exe 39 PID 1864 wrote to memory of 1844 1864 Lefkjkmc.exe 39 PID 1864 wrote to memory of 1844 1864 Lefkjkmc.exe 39 PID 1844 wrote to memory of 1840 1844 Llqcfe32.exe 40 PID 1844 wrote to memory of 1840 1844 Llqcfe32.exe 40 PID 1844 wrote to memory of 1840 1844 Llqcfe32.exe 40 PID 1844 wrote to memory of 1840 1844 Llqcfe32.exe 40 PID 1840 wrote to memory of 1380 1840 Mgfgdn32.exe 41 PID 1840 wrote to memory of 1380 1840 Mgfgdn32.exe 41 PID 1840 wrote to memory of 1380 1840 Mgfgdn32.exe 41 PID 1840 wrote to memory of 1380 1840 Mgfgdn32.exe 41 PID 1380 wrote to memory of 2696 1380 Mhgclfje.exe 42 PID 1380 wrote to memory of 2696 1380 Mhgclfje.exe 42 PID 1380 wrote to memory of 2696 1380 Mhgclfje.exe 42 PID 1380 wrote to memory of 2696 1380 Mhgclfje.exe 42 PID 2696 wrote to memory of 2032 2696 Maphdl32.exe 43 PID 2696 wrote to memory of 2032 2696 Maphdl32.exe 43 PID 2696 wrote to memory of 2032 2696 Maphdl32.exe 43 PID 2696 wrote to memory of 2032 2696 Maphdl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:652 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe34⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe35⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe37⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe39⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe44⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe46⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe47⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe48⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe51⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe52⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe55⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe58⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe60⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe65⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe66⤵PID:2624
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe67⤵PID:2120
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe69⤵PID:2336
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe70⤵PID:444
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe72⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe73⤵PID:2052
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe74⤵PID:2560
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe75⤵PID:2016
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe76⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe77⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe79⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe80⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe81⤵PID:2316
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:796 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe84⤵PID:1640
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe85⤵PID:1528
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe86⤵
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe87⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe89⤵PID:2788
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe90⤵
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe91⤵PID:2640
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe92⤵PID:2644
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe94⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe95⤵PID:2280
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe96⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe97⤵PID:2824
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe98⤵PID:2116
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe99⤵PID:532
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe100⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe102⤵PID:2968
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe104⤵PID:1464
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe107⤵PID:2476
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe109⤵PID:2668
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe111⤵PID:2708
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe113⤵PID:2240
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe114⤵PID:2012
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe115⤵PID:760
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe116⤵PID:1240
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe117⤵PID:2172
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe118⤵PID:2504
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe119⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe120⤵PID:1724
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-