Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 11:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe
Resource
win7-20240221-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
6 signatures
150 seconds
General
-
Target
28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe
-
Size
101KB
-
MD5
28f47c4bee4eb1855e3c9a1b09abf520
-
SHA1
b36bac3cd6a2da977d652c3ccad53413d2b0a58e
-
SHA256
a59a6fbcf2c94a6b58650f153977ecddfe6a38340e66f75381ffdcf5fe7c611c
-
SHA512
e7060ec1417b4a8b66d32584f4072e5804cbdff0205962244eec5cc4b77c0adcafa27311a30024f2ee7a5ec9f7963ee3ee0f46697c8249c33c5d0bdb8e2cbac9
-
SSDEEP
3072:21NM5BkWeTnJ4mGCCEczse353/zrB3g3k8p4qI4/HQCC:2oBXeTJVGCuRPBZs/HNC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpjkiogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foojop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgdnnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ginnnooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbhjlbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocjophem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnkbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdaoog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obdojcef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbopgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjmpbopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjaonpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmbqhif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidnohbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmagdbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkmhnjlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohaeia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocgbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpgfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojgfemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbopgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieagbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejehgkdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjofo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peedka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bilmcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmjcblbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgmeid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opaebkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbomfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbpmapf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmhepko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnkgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epecbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2508 Kgkafo32.exe 2676 Kgnnln32.exe 2704 Kjljhjkl.exe 2600 Kcdnao32.exe 2412 Kgpjanje.exe 2992 Kjnfniii.exe 2388 Kahojc32.exe 2488 Kcfkfo32.exe 1584 Kjqccigf.exe 1896 Kiccofna.exe 2204 Kmopod32.exe 2876 Kcihlong.exe 1160 Kjcpii32.exe 2368 Lldlqakb.exe 2932 Lckdanld.exe 2936 Lfjqnjkh.exe 2132 Lihmjejl.exe 1792 Llfifq32.exe 2140 Loeebl32.exe 2148 Lijjoe32.exe 344 Lliflp32.exe 1556 Logbhl32.exe 548 Leajdfnm.exe 1872 Limfed32.exe 1644 Llkbap32.exe 1868 Lkncmmle.exe 2696 Lojomkdn.exe 2776 Ldfgebbe.exe 2568 Lollckbk.exe 1844 Monhhk32.exe 2536 Mamddf32.exe 2376 Mhgmapfi.exe 1620 Mkeimlfm.exe 2756 Mpbaebdd.exe 1132 Mdmmfa32.exe 996 Mkgfckcj.exe 1348 Mlibjc32.exe 2940 Mdpjlajk.exe 112 Mmhodf32.exe 2764 Mpfkqb32.exe 2236 Mgqcmlgl.exe 2092 Mpigfa32.exe 1472 Ncgdbmmp.exe 1324 Nefpnhlc.exe 856 Nlphkb32.exe 2976 Nondgn32.exe 1656 Nehmdhja.exe 2712 Ndkmpe32.exe 2664 Nlbeqb32.exe 2720 Nkeelohh.exe 2608 Nncahjgl.exe 1516 Ndmjedoi.exe 1688 Nglfapnl.exe 2672 Nkgbbo32.exe 1892 Nnennj32.exe 2576 Naajoinb.exe 2456 Ndpfkdmf.exe 2748 Nhkbkc32.exe 2028 Ngnbgplj.exe 1204 Nkiogn32.exe 588 Nnhkcj32.exe 2828 Npfgpe32.exe 2188 Nceclqan.exe 1564 Ngpolo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2044 28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe 2044 28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe 2508 Kgkafo32.exe 2508 Kgkafo32.exe 2676 Kgnnln32.exe 2676 Kgnnln32.exe 2704 Kjljhjkl.exe 2704 Kjljhjkl.exe 2600 Kcdnao32.exe 2600 Kcdnao32.exe 2412 Kgpjanje.exe 2412 Kgpjanje.exe 2992 Kjnfniii.exe 2992 Kjnfniii.exe 2388 Kahojc32.exe 2388 Kahojc32.exe 2488 Kcfkfo32.exe 2488 Kcfkfo32.exe 1584 Kjqccigf.exe 1584 Kjqccigf.exe 1896 Kiccofna.exe 1896 Kiccofna.exe 2204 Kmopod32.exe 2204 Kmopod32.exe 2876 Kcihlong.exe 2876 Kcihlong.exe 1160 Kjcpii32.exe 1160 Kjcpii32.exe 2368 Lldlqakb.exe 2368 Lldlqakb.exe 2932 Lckdanld.exe 2932 Lckdanld.exe 2936 Lfjqnjkh.exe 2936 Lfjqnjkh.exe 2132 Lihmjejl.exe 2132 Lihmjejl.exe 1792 Llfifq32.exe 1792 Llfifq32.exe 2140 Loeebl32.exe 2140 Loeebl32.exe 2148 Lijjoe32.exe 2148 Lijjoe32.exe 344 Lliflp32.exe 344 Lliflp32.exe 1556 Logbhl32.exe 1556 Logbhl32.exe 548 Leajdfnm.exe 548 Leajdfnm.exe 1872 Limfed32.exe 1872 Limfed32.exe 1644 Llkbap32.exe 1644 Llkbap32.exe 1868 Lkncmmle.exe 1868 Lkncmmle.exe 2696 Lojomkdn.exe 2696 Lojomkdn.exe 2776 Ldfgebbe.exe 2776 Ldfgebbe.exe 2568 Lollckbk.exe 2568 Lollckbk.exe 1844 Monhhk32.exe 1844 Monhhk32.exe 2536 Mamddf32.exe 2536 Mamddf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bohnbn32.dll Knmhgf32.exe File opened for modification C:\Windows\SysWOW64\Dafmqb32.exe Dklddhka.exe File created C:\Windows\SysWOW64\Gdchio32.dll Mpbaebdd.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Eqgnokip.exe File opened for modification C:\Windows\SysWOW64\Pnlqnl32.exe Pjadmnic.exe File created C:\Windows\SysWOW64\Ehoocgeb.exe Edccch32.exe File created C:\Windows\SysWOW64\Ieeeljdp.dll Agljom32.exe File created C:\Windows\SysWOW64\Lbnooiab.dll Process not Found File created C:\Windows\SysWOW64\Gjchig32.dll Ajejgp32.exe File created C:\Windows\SysWOW64\Jaeafklf.exe Jkkija32.exe File created C:\Windows\SysWOW64\Fjegog32.exe Process not Found File created C:\Windows\SysWOW64\Hneeilgj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ocgbji32.exe Opifnm32.exe File created C:\Windows\SysWOW64\Gmecmg32.exe Gfkkpmko.exe File created C:\Windows\SysWOW64\Oggfcl32.dll Process not Found File created C:\Windows\SysWOW64\Nlqmmd32.exe Process not Found File created C:\Windows\SysWOW64\Aaddfb32.dll Process not Found File created C:\Windows\SysWOW64\Enbfpg32.dll Pklhlael.exe File created C:\Windows\SysWOW64\Jndkpj32.dll Fljafg32.exe File opened for modification C:\Windows\SysWOW64\Ljabkeaf.exe Lgbeoibb.exe File opened for modification C:\Windows\SysWOW64\Jlhhndno.exe Jenpajfb.exe File created C:\Windows\SysWOW64\Nenkqi32.exe Process not Found File created C:\Windows\SysWOW64\Knlafm32.dll Okgnab32.exe File created C:\Windows\SysWOW64\Fanjadqp.dll Qlkdkd32.exe File created C:\Windows\SysWOW64\Mhapiheo.dll Bcgdom32.exe File opened for modification C:\Windows\SysWOW64\Jioopgef.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lliflp32.exe Lijjoe32.exe File opened for modification C:\Windows\SysWOW64\Ckahkk32.exe Chcloo32.exe File opened for modification C:\Windows\SysWOW64\Mpamde32.exe Mihdgkpp.exe File created C:\Windows\SysWOW64\Ifigco32.dll Process not Found File created C:\Windows\SysWOW64\Nmmnnh32.dll Process not Found File created C:\Windows\SysWOW64\Oeeikk32.dll Process not Found File created C:\Windows\SysWOW64\Pcfefmnk.exe Pqhijbog.exe File opened for modification C:\Windows\SysWOW64\Dhkiid32.exe Delmmigh.exe File opened for modification C:\Windows\SysWOW64\Kbdmeoob.exe Kofaicon.exe File opened for modification C:\Windows\SysWOW64\Bidlgdlk.exe Bbjdjjdn.exe File created C:\Windows\SysWOW64\Kfeoelgo.dll Cemjae32.exe File created C:\Windows\SysWOW64\Lhelbh32.exe Lqncaj32.exe File created C:\Windows\SysWOW64\Kqqboncb.exe Jnpinc32.exe File created C:\Windows\SysWOW64\Jmiiak32.dll Gdboig32.exe File created C:\Windows\SysWOW64\Mccbmh32.exe Maefamlh.exe File opened for modification C:\Windows\SysWOW64\Ghcoqh32.exe Gdgcpi32.exe File created C:\Windows\SysWOW64\Alnqqd32.exe Aipddi32.exe File created C:\Windows\SysWOW64\Mjbappoe.dll Ehgbhbgn.exe File opened for modification C:\Windows\SysWOW64\Pgnjde32.exe Pcbncfjd.exe File created C:\Windows\SysWOW64\Imleli32.exe Ifampo32.exe File created C:\Windows\SysWOW64\Pgnjde32.exe Pcbncfjd.exe File opened for modification C:\Windows\SysWOW64\Effcma32.exe Ebjglbml.exe File opened for modification C:\Windows\SysWOW64\Ecbfkpfk.exe Elhnof32.exe File created C:\Windows\SysWOW64\Jaipmp32.dll Gildahhp.exe File created C:\Windows\SysWOW64\Nmejllia.exe Ndmecgba.exe File opened for modification C:\Windows\SysWOW64\Fqalaa32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ldbofgme.exe Process not Found File created C:\Windows\SysWOW64\Fqmmidel.dll Monhhk32.exe File opened for modification C:\Windows\SysWOW64\Gbomfe32.exe Gpqpjj32.exe File opened for modification C:\Windows\SysWOW64\Pndpajgd.exe Pkfceo32.exe File created C:\Windows\SysWOW64\Bdbhke32.exe Bpgljfbl.exe File opened for modification C:\Windows\SysWOW64\Hpphhp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nncbdomg.exe Process not Found File created C:\Windows\SysWOW64\Hoamgd32.exe Hgjefg32.exe File opened for modification C:\Windows\SysWOW64\Fdiogq32.exe Process not Found File created C:\Windows\SysWOW64\Dfamcogo.exe Dccagcgk.exe File opened for modification C:\Windows\SysWOW64\Cpiqmlfm.exe Cmjdaqgi.exe File created C:\Windows\SysWOW64\Kemedbfd.dll Mdmmfa32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Eanenbmi.¾ll Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocgbji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lqncaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgddfe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll" Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbeded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll" Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbqbaofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Meffhnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaapnkij.dll" Okanklik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kocikpkm.dll" Epgphcqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnlcdfj.dll" Idfdcijh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdeeaobo.dll" Kmobhmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoepingi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll" Dojald32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enlidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejgccq32.dll" Afjjed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbefdnjd.dll" Caaggpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjnfniii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbqqhdp.dll" Jcjnfdbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbdgqimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhkiid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhdocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Doehqead.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bilmcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iianmb32.dll" Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmgpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhhkjkc.dll" Adcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblqijln.dll" Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcmcoblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dognqkje.dll" Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjeanhe.dll" Ciaefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neghkn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjeop32.dll" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hphidanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keacocpm.dll" Elnqmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclelk32.dll" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgpeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Picnndmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqgle32.dll" Delmmigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdhgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eapfagno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpjeialg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckafbbph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpife32.dll" Kfebambf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2044 wrote to memory of 2508 2044 28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe 28 PID 2044 wrote to memory of 2508 2044 28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe 28 PID 2044 wrote to memory of 2508 2044 28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe 28 PID 2044 wrote to memory of 2508 2044 28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe 28 PID 2508 wrote to memory of 2676 2508 Kgkafo32.exe 29 PID 2508 wrote to memory of 2676 2508 Kgkafo32.exe 29 PID 2508 wrote to memory of 2676 2508 Kgkafo32.exe 29 PID 2508 wrote to memory of 2676 2508 Kgkafo32.exe 29 PID 2676 wrote to memory of 2704 2676 Kgnnln32.exe 30 PID 2676 wrote to memory of 2704 2676 Kgnnln32.exe 30 PID 2676 wrote to memory of 2704 2676 Kgnnln32.exe 30 PID 2676 wrote to memory of 2704 2676 Kgnnln32.exe 30 PID 2704 wrote to memory of 2600 2704 Kjljhjkl.exe 31 PID 2704 wrote to memory of 2600 2704 Kjljhjkl.exe 31 PID 2704 wrote to memory of 2600 2704 Kjljhjkl.exe 31 PID 2704 wrote to memory of 2600 2704 Kjljhjkl.exe 31 PID 2600 wrote to memory of 2412 2600 Kcdnao32.exe 32 PID 2600 wrote to memory of 2412 2600 Kcdnao32.exe 32 PID 2600 wrote to memory of 2412 2600 Kcdnao32.exe 32 PID 2600 wrote to memory of 2412 2600 Kcdnao32.exe 32 PID 2412 wrote to memory of 2992 2412 Kgpjanje.exe 33 PID 2412 wrote to memory of 2992 2412 Kgpjanje.exe 33 PID 2412 wrote to memory of 2992 2412 Kgpjanje.exe 33 PID 2412 wrote to memory of 2992 2412 Kgpjanje.exe 33 PID 2992 wrote to memory of 2388 2992 Kjnfniii.exe 34 PID 2992 wrote to memory of 2388 2992 Kjnfniii.exe 34 PID 2992 wrote to memory of 2388 2992 Kjnfniii.exe 34 PID 2992 wrote to memory of 2388 2992 Kjnfniii.exe 34 PID 2388 wrote to memory of 2488 2388 Kahojc32.exe 35 PID 2388 wrote to memory of 2488 2388 Kahojc32.exe 35 PID 2388 wrote to memory of 2488 2388 Kahojc32.exe 35 PID 2388 wrote to memory of 2488 2388 Kahojc32.exe 35 PID 2488 wrote to memory of 1584 2488 Kcfkfo32.exe 36 PID 2488 wrote to memory of 1584 2488 Kcfkfo32.exe 36 PID 2488 wrote to memory of 1584 2488 Kcfkfo32.exe 36 PID 2488 wrote to memory of 1584 2488 Kcfkfo32.exe 36 PID 1584 wrote to memory of 1896 1584 Kjqccigf.exe 37 PID 1584 wrote to memory of 1896 1584 Kjqccigf.exe 37 PID 1584 wrote to memory of 1896 1584 Kjqccigf.exe 37 PID 1584 wrote to memory of 1896 1584 Kjqccigf.exe 37 PID 1896 wrote to memory of 2204 1896 Kiccofna.exe 38 PID 1896 wrote to memory of 2204 1896 Kiccofna.exe 38 PID 1896 wrote to memory of 2204 1896 Kiccofna.exe 38 PID 1896 wrote to memory of 2204 1896 Kiccofna.exe 38 PID 2204 wrote to memory of 2876 2204 Kmopod32.exe 39 PID 2204 wrote to memory of 2876 2204 Kmopod32.exe 39 PID 2204 wrote to memory of 2876 2204 Kmopod32.exe 39 PID 2204 wrote to memory of 2876 2204 Kmopod32.exe 39 PID 2876 wrote to memory of 1160 2876 Kcihlong.exe 40 PID 2876 wrote to memory of 1160 2876 Kcihlong.exe 40 PID 2876 wrote to memory of 1160 2876 Kcihlong.exe 40 PID 2876 wrote to memory of 1160 2876 Kcihlong.exe 40 PID 1160 wrote to memory of 2368 1160 Kjcpii32.exe 41 PID 1160 wrote to memory of 2368 1160 Kjcpii32.exe 41 PID 1160 wrote to memory of 2368 1160 Kjcpii32.exe 41 PID 1160 wrote to memory of 2368 1160 Kjcpii32.exe 41 PID 2368 wrote to memory of 2932 2368 Lldlqakb.exe 42 PID 2368 wrote to memory of 2932 2368 Lldlqakb.exe 42 PID 2368 wrote to memory of 2932 2368 Lldlqakb.exe 42 PID 2368 wrote to memory of 2932 2368 Lldlqakb.exe 42 PID 2932 wrote to memory of 2936 2932 Lckdanld.exe 43 PID 2932 wrote to memory of 2936 2932 Lckdanld.exe 43 PID 2932 wrote to memory of 2936 2932 Lckdanld.exe 43 PID 2932 wrote to memory of 2936 2932 Lckdanld.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\28f47c4bee4eb1855e3c9a1b09abf520_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe33⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe34⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe37⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe38⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe39⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe40⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe41⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe42⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe43⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe44⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe45⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe46⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe48⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe49⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe50⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe51⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe52⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe53⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe54⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe57⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe58⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe59⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe60⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe61⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe62⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe63⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe64⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe65⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe66⤵PID:2300
-
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe67⤵PID:2548
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe68⤵PID:1484
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe69⤵PID:1144
-
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe70⤵PID:2620
-
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe71⤵PID:1552
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe72⤵PID:2432
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe73⤵PID:2780
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe74⤵PID:2888
-
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe75⤵PID:2084
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe76⤵PID:1884
-
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe77⤵PID:2928
-
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe78⤵PID:1288
-
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe79⤵PID:1848
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe80⤵
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe81⤵PID:1880
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe82⤵PID:2516
-
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe83⤵PID:2744
-
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe84⤵PID:1476
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe85⤵PID:2396
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe86⤵PID:1216
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe87⤵PID:2156
-
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe88⤵PID:1952
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1428 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe90⤵PID:1696
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe91⤵
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe92⤵PID:2120
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe93⤵PID:1912
-
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe94⤵PID:2020
-
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe95⤵PID:900
-
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe96⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe97⤵PID:3052
-
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe98⤵PID:2624
-
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe99⤵PID:1480
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe100⤵PID:2824
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe101⤵PID:540
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe102⤵PID:2904
-
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe103⤵PID:2496
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe104⤵PID:2240
-
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe105⤵PID:1660
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe106⤵PID:2544
-
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe107⤵PID:2184
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe108⤵PID:2452
-
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe109⤵PID:2176
-
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe110⤵PID:1956
-
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe111⤵PID:2336
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe112⤵PID:2592
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe113⤵PID:2060
-
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe114⤵PID:2524
-
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe115⤵PID:2248
-
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe116⤵PID:2864
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe117⤵PID:1780
-
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe118⤵PID:2960
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe119⤵PID:2952
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe120⤵PID:1408
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe121⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe122⤵PID:2472
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-