Analysis
-
max time kernel
149s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 22:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe
-
Size
256KB
-
MD5
0f43bfd243aaeba9bdfe093467b54920
-
SHA1
f9ba1848b330ed31a863aca7eae2e1a2cddab318
-
SHA256
033c0120f42fff5eb0812978cff423ae205ba1f4ad81a76130ba90afac891e26
-
SHA512
4e914d2e55235428cc61412327cdc7bfe139ad9dc3b7b0c6a085a494faa2e5796c6b560e318b62e06a9a9867ddabd7ec9b58bc609161f073345237edb874976e
-
SSDEEP
6144:5HMf/Z853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZj:56QBpnchWcZj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogblbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhpnkch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccahbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlhjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeofk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcjcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdikkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbiqfied.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nondgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbokmqie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqbaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghelfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjdhbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebpkce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbbbffj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnippoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbkknojp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpinc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfjbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkbkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganpomec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmffhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpcfkbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbqabkql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbhabjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdllkhdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgainbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenobfak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnpbi32.exe -
Executes dropped EXE 64 IoCs
pid Process 1064 Penfelgm.exe 2180 Qbbfopeg.exe 2908 Qljkhe32.exe 2648 Qmlgonbe.exe 2968 Ahakmf32.exe 1048 Amndem32.exe 2452 Ajbdna32.exe 3032 Apomfh32.exe 2756 Aigaon32.exe 2420 Abpfhcje.exe 1324 Amejeljk.exe 1756 Aepojo32.exe 1216 Bagpopmj.exe 2252 Blmdlhmp.exe 904 Bokphdld.exe 2404 Bdhhqk32.exe 1508 Begeknan.exe 1440 Bhfagipa.exe 1172 Bnbjopoi.exe 2044 Bpafkknm.exe 1312 Bdlblj32.exe 1320 Bjijdadm.exe 844 Bpcbqk32.exe 1604 Cgmkmecg.exe 1732 Cjlgiqbk.exe 2052 Cpeofk32.exe 2636 Ccdlbf32.exe 2440 Cfbhnaho.exe 2564 Cnippoha.exe 2456 Cphlljge.exe 2668 Ccfhhffh.exe 2752 Cfeddafl.exe 2608 Cjpqdp32.exe 1204 Clomqk32.exe 1160 Comimg32.exe 2784 Cciemedf.exe 1656 Cbkeib32.exe 2256 Cjbmjplb.exe 2528 Chemfl32.exe 600 Ckdjbh32.exe 1044 Copfbfjj.exe 1492 Cckace32.exe 1088 Cbnbobin.exe 280 Cfinoq32.exe 2840 Chhjkl32.exe 760 Ckffgg32.exe 1720 Cobbhfhg.exe 2008 Cndbcc32.exe 2540 Dflkdp32.exe 2712 Ddokpmfo.exe 2460 Dhjgal32.exe 2448 Dgmglh32.exe 1900 Dodonf32.exe 2156 Dbbkja32.exe 1924 Dbbkja32.exe 2304 Dqelenlc.exe 2744 Dhmcfkme.exe 1184 Dgodbh32.exe 2056 Djnpnc32.exe 1768 Dnilobkm.exe 2060 Dbehoa32.exe 808 Dqhhknjp.exe 1908 Ddcdkl32.exe 980 Dcfdgiid.exe -
Loads dropped DLL 64 IoCs
pid Process 1972 0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe 1972 0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe 1064 Penfelgm.exe 1064 Penfelgm.exe 2180 Qbbfopeg.exe 2180 Qbbfopeg.exe 2908 Qljkhe32.exe 2908 Qljkhe32.exe 2648 Qmlgonbe.exe 2648 Qmlgonbe.exe 2968 Ahakmf32.exe 2968 Ahakmf32.exe 1048 Amndem32.exe 1048 Amndem32.exe 2452 Ajbdna32.exe 2452 Ajbdna32.exe 3032 Apomfh32.exe 3032 Apomfh32.exe 2756 Aigaon32.exe 2756 Aigaon32.exe 2420 Abpfhcje.exe 2420 Abpfhcje.exe 1324 Amejeljk.exe 1324 Amejeljk.exe 1756 Aepojo32.exe 1756 Aepojo32.exe 1216 Bagpopmj.exe 1216 Bagpopmj.exe 2252 Blmdlhmp.exe 2252 Blmdlhmp.exe 904 Bokphdld.exe 904 Bokphdld.exe 2404 Bdhhqk32.exe 2404 Bdhhqk32.exe 1508 Begeknan.exe 1508 Begeknan.exe 1440 Bhfagipa.exe 1440 Bhfagipa.exe 1172 Bnbjopoi.exe 1172 Bnbjopoi.exe 2044 Bpafkknm.exe 2044 Bpafkknm.exe 1312 Bdlblj32.exe 1312 Bdlblj32.exe 1320 Bjijdadm.exe 1320 Bjijdadm.exe 844 Bpcbqk32.exe 844 Bpcbqk32.exe 1604 Cgmkmecg.exe 1604 Cgmkmecg.exe 1732 Cjlgiqbk.exe 1732 Cjlgiqbk.exe 2052 Cpeofk32.exe 2052 Cpeofk32.exe 2636 Ccdlbf32.exe 2636 Ccdlbf32.exe 2440 Cfbhnaho.exe 2440 Cfbhnaho.exe 2564 Cnippoha.exe 2564 Cnippoha.exe 2456 Cphlljge.exe 2456 Cphlljge.exe 2668 Ccfhhffh.exe 2668 Ccfhhffh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mieeibkn.exe Meijhc32.exe File created C:\Windows\SysWOW64\Cbnbobin.exe Cckace32.exe File opened for modification C:\Windows\SysWOW64\Dgmglh32.exe Dhjgal32.exe File created C:\Windows\SysWOW64\Dnilobkm.exe Djnpnc32.exe File created C:\Windows\SysWOW64\Mhfkbo32.dll Hacmcfge.exe File opened for modification C:\Windows\SysWOW64\Fljafg32.exe Fikejl32.exe File created C:\Windows\SysWOW64\Dempblao.dll Inifnq32.exe File opened for modification C:\Windows\SysWOW64\Liplnc32.exe Ljmlbfhi.exe File opened for modification C:\Windows\SysWOW64\Ncmfqkdj.exe Ndjfeo32.exe File created C:\Windows\SysWOW64\Qbcpbo32.exe Qcpofbjl.exe File opened for modification C:\Windows\SysWOW64\Aamfnkai.exe Anojbobe.exe File created C:\Windows\SysWOW64\Bdpoifde.dll Jmplcp32.exe File opened for modification C:\Windows\SysWOW64\Jqnejn32.exe Jmbiipml.exe File created C:\Windows\SysWOW64\Dhffckeo.dll Mholen32.exe File opened for modification C:\Windows\SysWOW64\Ecmkghcl.exe Epaogi32.exe File created C:\Windows\SysWOW64\Kklemhne.dll Jjlnif32.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Leajdfnm.exe File created C:\Windows\SysWOW64\Oimpgolj.dll Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Cclkfdnc.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Bdlblj32.exe Bpafkknm.exe File created C:\Windows\SysWOW64\Leimip32.exe Knpemf32.exe File opened for modification C:\Windows\SysWOW64\Icbimi32.exe Hkkalk32.exe File created C:\Windows\SysWOW64\Bohnbn32.dll Kbidgeci.exe File opened for modification C:\Windows\SysWOW64\Ghfbqn32.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Fpqdkf32.exe Fmbhok32.exe File opened for modification C:\Windows\SysWOW64\Papnde32.dll Kicmdo32.exe File created C:\Windows\SysWOW64\Ebbgbdkh.dll Oqmmpd32.exe File created C:\Windows\SysWOW64\Lfmffhde.exe Lgjfkk32.exe File created C:\Windows\SysWOW64\Kcpnnfqg.dll Ndhipoob.exe File opened for modification C:\Windows\SysWOW64\Gejcjbah.exe Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Najdnj32.exe Ncgdbmmp.exe File created C:\Windows\SysWOW64\Gfobbc32.exe Gbcfadgl.exe File created C:\Windows\SysWOW64\Akbipbbd.dll Jmbiipml.exe File opened for modification C:\Windows\SysWOW64\Mhhfdo32.exe Mieeibkn.exe File opened for modification C:\Windows\SysWOW64\Mapjmehi.exe Mbmjah32.exe File created C:\Windows\SysWOW64\Cckace32.exe Copfbfjj.exe File created C:\Windows\SysWOW64\Eqonkmdh.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Keanebkb.exe File opened for modification C:\Windows\SysWOW64\Kahojc32.exe Kmmcjehm.exe File created C:\Windows\SysWOW64\Qfgkcdoe.dll Jfnnha32.exe File created C:\Windows\SysWOW64\Dfgmhd32.exe Dgdmmgpj.exe File created C:\Windows\SysWOW64\Iigpciig.dll Naajoinb.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Iooklook.dll Amhpnkch.exe File created C:\Windows\SysWOW64\Jfiilbkl.dll Dolnad32.exe File created C:\Windows\SysWOW64\Jhgnia32.dll Ejobhppq.exe File created C:\Windows\SysWOW64\Illgimph.exe Inifnq32.exe File created C:\Windows\SysWOW64\Ikbifehk.dll Bokphdld.exe File created C:\Windows\SysWOW64\Hdnaeh32.dll Kaaijdgn.exe File created C:\Windows\SysWOW64\Kahojc32.exe Kmmcjehm.exe File created C:\Windows\SysWOW64\Pqkmjh32.exe Pnlqnl32.exe File created C:\Windows\SysWOW64\Khjjpi32.dll Bbokmqie.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Ddigjkid.exe File created C:\Windows\SysWOW64\Fikejl32.exe Fadminnn.exe File opened for modification C:\Windows\SysWOW64\Meppiblm.exe Maedhd32.exe File opened for modification C:\Windows\SysWOW64\Ngfflj32.exe Nckjkl32.exe File opened for modification C:\Windows\SysWOW64\Bhfagipa.exe Begeknan.exe File opened for modification C:\Windows\SysWOW64\Cckace32.exe Copfbfjj.exe File opened for modification C:\Windows\SysWOW64\Fmjejphb.exe Ffpmnf32.exe File created C:\Windows\SysWOW64\Glqllcbf.dll Hhjhkq32.exe File created C:\Windows\SysWOW64\Jpfdhnai.dll Jhngjmlo.exe File created C:\Windows\SysWOW64\Ndabhn32.dll Hicodd32.exe File created C:\Windows\SysWOW64\Iopodh32.dll Mpbaebdd.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Enakbp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8164 8128 WerFault.exe 766 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdhbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqkqkdne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objbcm32.dll" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonpde32.dll" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amhpnkch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdmcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epdkli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjifhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lphhenhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncpcfkbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenobfak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Behnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll" Dhmcfkme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelggd32.dll" Kpjhkjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lndohedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgjfkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djmicm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keoapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenobfak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfijnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcnkg32.dll" Lclnemgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nncahjgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmgbdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbidgeci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhfbqi.dll" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgjcijfp.dll" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cphlljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemacb32.dll" Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doqplo32.dll" Hlqdei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll" Mhhfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jehkodcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nglfapnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kklpekno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdifkpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccahbp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1972 wrote to memory of 1064 1972 0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe 28 PID 1972 wrote to memory of 1064 1972 0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe 28 PID 1972 wrote to memory of 1064 1972 0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe 28 PID 1972 wrote to memory of 1064 1972 0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe 28 PID 1064 wrote to memory of 2180 1064 Penfelgm.exe 29 PID 1064 wrote to memory of 2180 1064 Penfelgm.exe 29 PID 1064 wrote to memory of 2180 1064 Penfelgm.exe 29 PID 1064 wrote to memory of 2180 1064 Penfelgm.exe 29 PID 2180 wrote to memory of 2908 2180 Qbbfopeg.exe 30 PID 2180 wrote to memory of 2908 2180 Qbbfopeg.exe 30 PID 2180 wrote to memory of 2908 2180 Qbbfopeg.exe 30 PID 2180 wrote to memory of 2908 2180 Qbbfopeg.exe 30 PID 2908 wrote to memory of 2648 2908 Qljkhe32.exe 31 PID 2908 wrote to memory of 2648 2908 Qljkhe32.exe 31 PID 2908 wrote to memory of 2648 2908 Qljkhe32.exe 31 PID 2908 wrote to memory of 2648 2908 Qljkhe32.exe 31 PID 2648 wrote to memory of 2968 2648 Qmlgonbe.exe 32 PID 2648 wrote to memory of 2968 2648 Qmlgonbe.exe 32 PID 2648 wrote to memory of 2968 2648 Qmlgonbe.exe 32 PID 2648 wrote to memory of 2968 2648 Qmlgonbe.exe 32 PID 2968 wrote to memory of 1048 2968 Ahakmf32.exe 33 PID 2968 wrote to memory of 1048 2968 Ahakmf32.exe 33 PID 2968 wrote to memory of 1048 2968 Ahakmf32.exe 33 PID 2968 wrote to memory of 1048 2968 Ahakmf32.exe 33 PID 1048 wrote to memory of 2452 1048 Amndem32.exe 34 PID 1048 wrote to memory of 2452 1048 Amndem32.exe 34 PID 1048 wrote to memory of 2452 1048 Amndem32.exe 34 PID 1048 wrote to memory of 2452 1048 Amndem32.exe 34 PID 2452 wrote to memory of 3032 2452 Ajbdna32.exe 35 PID 2452 wrote to memory of 3032 2452 Ajbdna32.exe 35 PID 2452 wrote to memory of 3032 2452 Ajbdna32.exe 35 PID 2452 wrote to memory of 3032 2452 Ajbdna32.exe 35 PID 3032 wrote to memory of 2756 3032 Apomfh32.exe 36 PID 3032 wrote to memory of 2756 3032 Apomfh32.exe 36 PID 3032 wrote to memory of 2756 3032 Apomfh32.exe 36 PID 3032 wrote to memory of 2756 3032 Apomfh32.exe 36 PID 2756 wrote to memory of 2420 2756 Aigaon32.exe 37 PID 2756 wrote to memory of 2420 2756 Aigaon32.exe 37 PID 2756 wrote to memory of 2420 2756 Aigaon32.exe 37 PID 2756 wrote to memory of 2420 2756 Aigaon32.exe 37 PID 2420 wrote to memory of 1324 2420 Abpfhcje.exe 38 PID 2420 wrote to memory of 1324 2420 Abpfhcje.exe 38 PID 2420 wrote to memory of 1324 2420 Abpfhcje.exe 38 PID 2420 wrote to memory of 1324 2420 Abpfhcje.exe 38 PID 1324 wrote to memory of 1756 1324 Amejeljk.exe 39 PID 1324 wrote to memory of 1756 1324 Amejeljk.exe 39 PID 1324 wrote to memory of 1756 1324 Amejeljk.exe 39 PID 1324 wrote to memory of 1756 1324 Amejeljk.exe 39 PID 1756 wrote to memory of 1216 1756 Aepojo32.exe 40 PID 1756 wrote to memory of 1216 1756 Aepojo32.exe 40 PID 1756 wrote to memory of 1216 1756 Aepojo32.exe 40 PID 1756 wrote to memory of 1216 1756 Aepojo32.exe 40 PID 1216 wrote to memory of 2252 1216 Bagpopmj.exe 41 PID 1216 wrote to memory of 2252 1216 Bagpopmj.exe 41 PID 1216 wrote to memory of 2252 1216 Bagpopmj.exe 41 PID 1216 wrote to memory of 2252 1216 Bagpopmj.exe 41 PID 2252 wrote to memory of 904 2252 Blmdlhmp.exe 42 PID 2252 wrote to memory of 904 2252 Blmdlhmp.exe 42 PID 2252 wrote to memory of 904 2252 Blmdlhmp.exe 42 PID 2252 wrote to memory of 904 2252 Blmdlhmp.exe 42 PID 904 wrote to memory of 2404 904 Bokphdld.exe 43 PID 904 wrote to memory of 2404 904 Bokphdld.exe 43 PID 904 wrote to memory of 2404 904 Bokphdld.exe 43 PID 904 wrote to memory of 2404 904 Bokphdld.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0f43bfd243aaeba9bdfe093467b54920_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe33⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe34⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe37⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe39⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe41⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe44⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe45⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe46⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe47⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe48⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe49⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe50⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe51⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe53⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe54⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe55⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe56⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe57⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe59⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe61⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe62⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe63⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe64⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe65⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe66⤵PID:1872
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe67⤵PID:1708
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe68⤵PID:1552
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe69⤵
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe70⤵PID:1752
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe71⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe72⤵PID:2764
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe73⤵PID:2428
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe74⤵PID:1140
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe75⤵PID:2164
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe76⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe77⤵PID:2408
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe79⤵PID:1664
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe80⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe81⤵PID:2092
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe82⤵PID:1076
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe84⤵PID:1304
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe85⤵PID:1124
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe86⤵PID:1060
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe87⤵PID:1536
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe88⤵
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe89⤵PID:1112
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe90⤵PID:2176
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe91⤵PID:2524
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe92⤵PID:1556
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe93⤵PID:2696
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe94⤵PID:888
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe95⤵PID:2788
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe97⤵PID:2512
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe98⤵PID:2296
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe99⤵PID:2208
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe100⤵PID:2436
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe101⤵PID:1788
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe102⤵PID:452
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe103⤵PID:1512
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe104⤵PID:3004
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe107⤵PID:2516
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe109⤵PID:2600
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe110⤵PID:2964
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe111⤵PID:2692
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe112⤵PID:2812
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe113⤵PID:2736
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe114⤵PID:2760
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe115⤵PID:1584
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe116⤵PID:584
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe118⤵PID:1444
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe119⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe120⤵PID:2196
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-