Analysis
-
max time kernel
148s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
09-05-2024 12:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
-
Size
464KB
-
MD5
315c6b95b9b034bde36b257a44544910
-
SHA1
febac56767aa538696615331941853ea5ef32ca4
-
SHA256
b0d32547afd235ceab445a7ce105bb0391eef1e5060b2098bfdb75f8007354cd
-
SHA512
4cd6dff12c4da5f87bdedc9779f70b76067433a332eeb625a4547739b481631edd75947b584151c64189319108bd2c438c7d69aa248b90579737d327c9e432fa
-
SSDEEP
12288:LxotTiah2kkkkK4kXkkkkkkkkl888888888888888888nusG:Rah2kkkkK4kXkkkkkkkkK
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohqbqhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbqabkql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfefiemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceodnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabejlob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgljbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbkpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbnemk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnefdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbjgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meccii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqalka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdaoog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgcgmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjlgiqbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jonplmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjfdejp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodonf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkpagq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfahhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmklfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikddbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciifc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2140 Ifmlpigj.exe 1780 Jebiaelb.exe 2668 Jaiiff32.exe 2600 Jjanolhg.exe 2492 Jgenhp32.exe 2472 Jpqclb32.exe 2944 Kappfeln.exe 2696 Kikdkh32.exe 2712 Kfoedl32.exe 2900 Knjiin32.exe 2876 Kpjfba32.exe 2704 Kibjkgca.exe 1704 Kdlkld32.exe 540 Lmdpejfq.exe 1444 Lpeifeca.exe 852 Lmiipi32.exe 2188 Lipjejgp.exe 2088 Llnfaffc.exe 1280 Lchnnp32.exe 276 Lmnbkinf.exe 2860 Lplogdmj.exe 2076 Mgfgdn32.exe 2176 Mlcple32.exe 2388 Mpolmdkg.exe 884 Maphdl32.exe 2412 Mlelaeqk.exe 2548 Mabejlob.exe 2560 Mdqafgnf.exe 2752 Mofecpnl.exe 2592 Madapkmp.exe 2852 Mkmfhacp.exe 2500 Mohbip32.exe 2520 Magnek32.exe 2132 Mgcgmb32.exe 2916 Naikkk32.exe 2568 Nplkfgoe.exe 2180 Nnplpl32.exe 2904 Npnhlg32.exe 808 Nfkpdn32.exe 1696 Nnbhek32.exe 328 Nleiqhcg.exe 652 Njiijlbp.exe 112 Nhlifi32.exe 1144 Nbdnoo32.exe 1492 Njkfpl32.exe 1016 Nohnhc32.exe 2280 Nbfjdn32.exe 1976 Ofbfdmeb.exe 1884 Ohqbqhde.exe 2212 Oojknblb.exe 1732 Ofdcjm32.exe 2840 Odgcfijj.exe 2348 Ogfpbeim.exe 2656 Ogfpbeim.exe 2740 Onphoo32.exe 2524 Oiellh32.exe 2948 Oghlgdgk.exe 2648 Obnqem32.exe 2644 Oelmai32.exe 944 Ocomlemo.exe 2872 Ondajnme.exe 1788 Oqcnfjli.exe 952 Oqcnfjli.exe 1004 Oenifh32.exe -
Loads dropped DLL 64 IoCs
pid Process 1688 315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe 1688 315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe 2140 Ifmlpigj.exe 2140 Ifmlpigj.exe 1780 Jebiaelb.exe 1780 Jebiaelb.exe 2668 Jaiiff32.exe 2668 Jaiiff32.exe 2600 Jjanolhg.exe 2600 Jjanolhg.exe 2492 Jgenhp32.exe 2492 Jgenhp32.exe 2472 Jpqclb32.exe 2472 Jpqclb32.exe 2944 Kappfeln.exe 2944 Kappfeln.exe 2696 Kikdkh32.exe 2696 Kikdkh32.exe 2712 Kfoedl32.exe 2712 Kfoedl32.exe 2900 Knjiin32.exe 2900 Knjiin32.exe 2876 Kpjfba32.exe 2876 Kpjfba32.exe 2704 Kibjkgca.exe 2704 Kibjkgca.exe 1704 Kdlkld32.exe 1704 Kdlkld32.exe 540 Lmdpejfq.exe 540 Lmdpejfq.exe 1444 Lpeifeca.exe 1444 Lpeifeca.exe 852 Lmiipi32.exe 852 Lmiipi32.exe 2188 Lipjejgp.exe 2188 Lipjejgp.exe 2088 Llnfaffc.exe 2088 Llnfaffc.exe 1280 Lchnnp32.exe 1280 Lchnnp32.exe 276 Lmnbkinf.exe 276 Lmnbkinf.exe 2860 Lplogdmj.exe 2860 Lplogdmj.exe 2076 Mgfgdn32.exe 2076 Mgfgdn32.exe 2176 Mlcple32.exe 2176 Mlcple32.exe 2388 Mpolmdkg.exe 2388 Mpolmdkg.exe 884 Maphdl32.exe 884 Maphdl32.exe 2412 Mlelaeqk.exe 2412 Mlelaeqk.exe 2548 Mabejlob.exe 2548 Mabejlob.exe 2560 Mdqafgnf.exe 2560 Mdqafgnf.exe 2752 Mofecpnl.exe 2752 Mofecpnl.exe 2592 Madapkmp.exe 2592 Madapkmp.exe 2852 Mkmfhacp.exe 2852 Mkmfhacp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fmcqoe32.dll Pbkpna32.exe File opened for modification C:\Windows\SysWOW64\Idfbkq32.exe Inljnfkg.exe File opened for modification C:\Windows\SysWOW64\Dliijipn.exe Djklnnaj.exe File created C:\Windows\SysWOW64\Endhhp32.exe Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Nplkfgoe.exe Naikkk32.exe File opened for modification C:\Windows\SysWOW64\Bpafkknm.exe Bnbjopoi.exe File opened for modification C:\Windows\SysWOW64\Ebgacddo.exe Elmigj32.exe File created C:\Windows\SysWOW64\Hmhfjo32.dll Glaoalkh.exe File created C:\Windows\SysWOW64\Lflmci32.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Bqdgkecq.dll Lollckbk.exe File created C:\Windows\SysWOW64\Obdkcckg.dll Mlibjc32.exe File opened for modification C:\Windows\SysWOW64\Obojhlbq.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Fehofegb.dll Alnqqd32.exe File opened for modification C:\Windows\SysWOW64\Cddaphkn.exe Cafecmlj.exe File opened for modification C:\Windows\SysWOW64\Nbfjdn32.exe Nohnhc32.exe File opened for modification C:\Windows\SysWOW64\Epdkli32.exe Eijcpoac.exe File created C:\Windows\SysWOW64\Bmamfo32.dll Ldidkbpb.exe File created C:\Windows\SysWOW64\Lmnbkinf.exe Lchnnp32.exe File opened for modification C:\Windows\SysWOW64\Lplogdmj.exe Lmnbkinf.exe File created C:\Windows\SysWOW64\Nfkpdn32.exe Npnhlg32.exe File opened for modification C:\Windows\SysWOW64\Bbflib32.exe Bkodhe32.exe File opened for modification C:\Windows\SysWOW64\Ckffgg32.exe Cdlnkmha.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Pmdjdh32.exe File created C:\Windows\SysWOW64\Ecqqpgli.exe Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Qaefjm32.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Fiaeoang.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Lbcnhjnj.exe Logbhl32.exe File created C:\Windows\SysWOW64\Ckafbbph.exe Cgejac32.exe File created C:\Windows\SysWOW64\Dojald32.exe Dlkepi32.exe File opened for modification C:\Windows\SysWOW64\Inljnfkg.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Mdnfbe32.dll Kgnnln32.exe File opened for modification C:\Windows\SysWOW64\Lajhofao.exe Lollckbk.exe File opened for modification C:\Windows\SysWOW64\Cafecmlj.exe Cohigamf.exe File created C:\Windows\SysWOW64\Cmbmkg32.dll Ffbicfoc.exe File opened for modification C:\Windows\SysWOW64\Ghoegl32.exe Gddifnbk.exe File created C:\Windows\SysWOW64\Dinhacjp.dll Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Baildokg.exe File created C:\Windows\SysWOW64\Kgiaak32.dll Jqdipqbp.exe File opened for modification C:\Windows\SysWOW64\Keoapb32.exe Kbqecg32.exe File created C:\Windows\SysWOW64\Oacima32.dll Mihiih32.exe File created C:\Windows\SysWOW64\Nglfapnl.exe Ndmjedoi.exe File opened for modification C:\Windows\SysWOW64\Albjlcao.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Jhnaid32.dll Qjknnbed.exe File created C:\Windows\SysWOW64\Eiehea32.dll Inqcif32.exe File created C:\Windows\SysWOW64\Kemejc32.exe Jnclnihj.exe File opened for modification C:\Windows\SysWOW64\Mgcgmb32.exe Magnek32.exe File created C:\Windows\SysWOW64\Cciemedf.exe Comimg32.exe File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe Gelppaof.exe File opened for modification C:\Windows\SysWOW64\Ilknfn32.exe Idceea32.exe File created C:\Windows\SysWOW64\Pclfkc32.exe Peiepfgg.exe File created C:\Windows\SysWOW64\Ihhpqggo.dll 315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Nohnhc32.exe Njkfpl32.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cckace32.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dodonf32.exe File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe Fddmgjpo.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Ofhick32.exe Oqkqkdne.exe File created C:\Windows\SysWOW64\Pnomcl32.exe Pkpagq32.exe File created C:\Windows\SysWOW64\Bpgljfbl.exe Aoepcn32.exe File created C:\Windows\SysWOW64\Hdjlnm32.dll Cdgneh32.exe File created C:\Windows\SysWOW64\Fdilpjih.dll Ecejkf32.exe File created C:\Windows\SysWOW64\Ahoanjcc.dll Emnndlod.exe File created C:\Windows\SysWOW64\Nnbhek32.exe Nfkpdn32.exe File created C:\Windows\SysWOW64\Fpfdalii.exe Fmhheqje.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5308 5268 WerFault.exe 518 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpeifeca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjlgiqbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnilfo32.dll" Pmdjdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coelaaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdamlbjc.dll" Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbgan32.dll" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnkpm32.dll" Mggpgmof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Behnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cciemedf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkeqmgm.dll" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnpqjl.dll" Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olpdjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alegac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpebfbaj.dll" Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heldepab.dll" Obojhlbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmbeioh.dll" Piblek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll" Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kappfeln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnlnhop.dll" Elmigj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqcnfjli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejpca32.dll" Idklfpon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgpjanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phccmbca.dll" Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqhenocn.dll" Kpjfba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Madapkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" Flmefm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdalhhc.dll" Bbdocc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geofbffe.dll" Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbdhi32.dll" Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpolmdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gejcjbah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojahnj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1688 wrote to memory of 2140 1688 315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe 28 PID 1688 wrote to memory of 2140 1688 315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe 28 PID 1688 wrote to memory of 2140 1688 315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe 28 PID 1688 wrote to memory of 2140 1688 315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe 28 PID 2140 wrote to memory of 1780 2140 Ifmlpigj.exe 29 PID 2140 wrote to memory of 1780 2140 Ifmlpigj.exe 29 PID 2140 wrote to memory of 1780 2140 Ifmlpigj.exe 29 PID 2140 wrote to memory of 1780 2140 Ifmlpigj.exe 29 PID 1780 wrote to memory of 2668 1780 Jebiaelb.exe 30 PID 1780 wrote to memory of 2668 1780 Jebiaelb.exe 30 PID 1780 wrote to memory of 2668 1780 Jebiaelb.exe 30 PID 1780 wrote to memory of 2668 1780 Jebiaelb.exe 30 PID 2668 wrote to memory of 2600 2668 Jaiiff32.exe 31 PID 2668 wrote to memory of 2600 2668 Jaiiff32.exe 31 PID 2668 wrote to memory of 2600 2668 Jaiiff32.exe 31 PID 2668 wrote to memory of 2600 2668 Jaiiff32.exe 31 PID 2600 wrote to memory of 2492 2600 Jjanolhg.exe 32 PID 2600 wrote to memory of 2492 2600 Jjanolhg.exe 32 PID 2600 wrote to memory of 2492 2600 Jjanolhg.exe 32 PID 2600 wrote to memory of 2492 2600 Jjanolhg.exe 32 PID 2492 wrote to memory of 2472 2492 Jgenhp32.exe 33 PID 2492 wrote to memory of 2472 2492 Jgenhp32.exe 33 PID 2492 wrote to memory of 2472 2492 Jgenhp32.exe 33 PID 2492 wrote to memory of 2472 2492 Jgenhp32.exe 33 PID 2472 wrote to memory of 2944 2472 Jpqclb32.exe 34 PID 2472 wrote to memory of 2944 2472 Jpqclb32.exe 34 PID 2472 wrote to memory of 2944 2472 Jpqclb32.exe 34 PID 2472 wrote to memory of 2944 2472 Jpqclb32.exe 34 PID 2944 wrote to memory of 2696 2944 Kappfeln.exe 35 PID 2944 wrote to memory of 2696 2944 Kappfeln.exe 35 PID 2944 wrote to memory of 2696 2944 Kappfeln.exe 35 PID 2944 wrote to memory of 2696 2944 Kappfeln.exe 35 PID 2696 wrote to memory of 2712 2696 Kikdkh32.exe 36 PID 2696 wrote to memory of 2712 2696 Kikdkh32.exe 36 PID 2696 wrote to memory of 2712 2696 Kikdkh32.exe 36 PID 2696 wrote to memory of 2712 2696 Kikdkh32.exe 36 PID 2712 wrote to memory of 2900 2712 Kfoedl32.exe 37 PID 2712 wrote to memory of 2900 2712 Kfoedl32.exe 37 PID 2712 wrote to memory of 2900 2712 Kfoedl32.exe 37 PID 2712 wrote to memory of 2900 2712 Kfoedl32.exe 37 PID 2900 wrote to memory of 2876 2900 Knjiin32.exe 38 PID 2900 wrote to memory of 2876 2900 Knjiin32.exe 38 PID 2900 wrote to memory of 2876 2900 Knjiin32.exe 38 PID 2900 wrote to memory of 2876 2900 Knjiin32.exe 38 PID 2876 wrote to memory of 2704 2876 Kpjfba32.exe 39 PID 2876 wrote to memory of 2704 2876 Kpjfba32.exe 39 PID 2876 wrote to memory of 2704 2876 Kpjfba32.exe 39 PID 2876 wrote to memory of 2704 2876 Kpjfba32.exe 39 PID 2704 wrote to memory of 1704 2704 Kibjkgca.exe 40 PID 2704 wrote to memory of 1704 2704 Kibjkgca.exe 40 PID 2704 wrote to memory of 1704 2704 Kibjkgca.exe 40 PID 2704 wrote to memory of 1704 2704 Kibjkgca.exe 40 PID 1704 wrote to memory of 540 1704 Kdlkld32.exe 41 PID 1704 wrote to memory of 540 1704 Kdlkld32.exe 41 PID 1704 wrote to memory of 540 1704 Kdlkld32.exe 41 PID 1704 wrote to memory of 540 1704 Kdlkld32.exe 41 PID 540 wrote to memory of 1444 540 Lmdpejfq.exe 42 PID 540 wrote to memory of 1444 540 Lmdpejfq.exe 42 PID 540 wrote to memory of 1444 540 Lmdpejfq.exe 42 PID 540 wrote to memory of 1444 540 Lmdpejfq.exe 42 PID 1444 wrote to memory of 852 1444 Lpeifeca.exe 43 PID 1444 wrote to memory of 852 1444 Lpeifeca.exe 43 PID 1444 wrote to memory of 852 1444 Lpeifeca.exe 43 PID 1444 wrote to memory of 852 1444 Lpeifeca.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe33⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe37⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe38⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe41⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe42⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe43⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe44⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe45⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe48⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe49⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe51⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe52⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe53⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe54⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe55⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe57⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe58⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe59⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe60⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe61⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe62⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe64⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe66⤵
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe67⤵PID:2448
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe68⤵PID:1992
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe69⤵PID:1816
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe70⤵PID:1988
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe71⤵PID:3028
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe72⤵PID:2220
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe73⤵PID:2672
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe75⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe78⤵PID:2788
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe79⤵PID:3052
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe80⤵PID:956
-
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe81⤵PID:1020
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe82⤵PID:2428
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe83⤵PID:2276
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe84⤵PID:1964
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe85⤵PID:1312
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe86⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe87⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe88⤵PID:2744
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe89⤵PID:2980
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe90⤵PID:2764
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe91⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe92⤵PID:2692
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe94⤵PID:2932
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe95⤵PID:1700
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe96⤵PID:3008
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe97⤵PID:576
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe98⤵PID:2128
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe99⤵PID:960
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe101⤵PID:980
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe102⤵PID:2748
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe103⤵PID:2772
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe104⤵PID:2024
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe105⤵PID:2172
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe106⤵PID:1648
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe107⤵PID:472
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe108⤵PID:2796
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe109⤵PID:1436
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe110⤵
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe111⤵PID:1708
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe112⤵PID:2004
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe115⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe116⤵PID:1856
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe117⤵PID:1744
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe118⤵PID:3056
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe119⤵PID:2812
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe120⤵PID:1784
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe121⤵PID:1464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-