Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
12-05-2024 14:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe
-
Size
192KB
-
MD5
1d70145d42309d7c6bad65536d589ba0
-
SHA1
3e576729706523d83776f8db1612230bf0defff1
-
SHA256
0915da7aa4fff04d71d96a5b40b8f3f451bd6c26de630c95332b8bf7d8e85ff2
-
SHA512
eba645ea4ea5826b9d08a04de99745bfffea1782b91d159507601589c6eb6343b804551dd79e3387fdb378359b40af019a24ecf1f5523bc176d65a68d4715e19
-
SSDEEP
3072:RdR8oUcr930QISS5ir4Sp+7H7wWkqrifbdB7dYk1Bx8DpsV6OzrR:btxr9kJfirBOHhkym/89b0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qijdocfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifdebic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Linphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legmbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqjfoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gedbdlbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kincipnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajbne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmddc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icmegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjbjhgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbplbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apoooa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfamcogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knklagmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odlojanh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pckoam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbcpbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhgbmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehboi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gebbnpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkhnle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adnopfoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emnndlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abeemhkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neplhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpdbloof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckafbbph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghcoqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbnoliap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okgnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giieco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdkao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llohjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigchgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cahail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmlmic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgainbg.exe -
Executes dropped EXE 64 IoCs
pid Process 2236 Gicbeald.exe 3040 Gangic32.exe 2908 Gkgkbipp.exe 2636 Ghkllmoi.exe 2684 Goddhg32.exe 2560 Ggpimica.exe 2484 Gphmeo32.exe 2752 Hmlnoc32.exe 2400 Hkpnhgge.exe 2008 Hnojdcfi.exe 1448 Hnagjbdf.exe 1868 Hjhhocjj.exe 1632 Hpapln32.exe 1508 Hhmepp32.exe 864 Ilknfn32.exe 3036 Ioijbj32.exe 568 Ikpjgkjq.exe 108 Ihdkao32.exe 2300 Ikbgmj32.exe 996 Idklfpon.exe 1676 Igihbknb.exe 1844 Idmhkpml.exe 1016 Igkdgk32.exe 2044 Jofiln32.exe 2148 Jcbellac.exe 1756 Joifam32.exe 2040 Jbgbni32.exe 1596 Jfekcg32.exe 2660 Jicgpb32.exe 2816 Jbllihbf.exe 2832 Jifdebic.exe 2540 Kemejc32.exe 2812 Kgkafo32.exe 2976 Kjjmbj32.exe 1200 Kcbakpdo.exe 2860 Keanebkb.exe 1292 Kgpjanje.exe 1984 Kcfkfo32.exe 1324 Kfegbj32.exe 2748 Kpmlkp32.exe 348 Kjcpii32.exe 1680 Lemaif32.exe 2088 Llfifq32.exe 3052 Loeebl32.exe 2356 Lhmjkaoc.exe 448 Lpdbloof.exe 2328 Lafndg32.exe 1352 Lhpfqama.exe 2100 Lkncmmle.exe 1164 Lahkigca.exe 2896 Ldfgebbe.exe 1700 Llnofpcg.exe 860 Lollckbk.exe 2992 Lmolnh32.exe 3044 Lefdpe32.exe 2800 Mggpgmof.exe 3048 Mmahdggc.exe 2692 Mdkqqa32.exe 2980 Mkeimlfm.exe 1956 Mihiih32.exe 2836 Maoajf32.exe 1032 Mbpnanch.exe 2252 Mijfnh32.exe 2576 Mlibjc32.exe -
Loads dropped DLL 64 IoCs
pid Process 3016 1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe 3016 1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe 2236 Gicbeald.exe 2236 Gicbeald.exe 3040 Gangic32.exe 3040 Gangic32.exe 2908 Gkgkbipp.exe 2908 Gkgkbipp.exe 2636 Ghkllmoi.exe 2636 Ghkllmoi.exe 2684 Goddhg32.exe 2684 Goddhg32.exe 2560 Ggpimica.exe 2560 Ggpimica.exe 2484 Gphmeo32.exe 2484 Gphmeo32.exe 2752 Hmlnoc32.exe 2752 Hmlnoc32.exe 2400 Hkpnhgge.exe 2400 Hkpnhgge.exe 2008 Hnojdcfi.exe 2008 Hnojdcfi.exe 1448 Hnagjbdf.exe 1448 Hnagjbdf.exe 1868 Hjhhocjj.exe 1868 Hjhhocjj.exe 1632 Hpapln32.exe 1632 Hpapln32.exe 1508 Hhmepp32.exe 1508 Hhmepp32.exe 864 Ilknfn32.exe 864 Ilknfn32.exe 3036 Ioijbj32.exe 3036 Ioijbj32.exe 568 Ikpjgkjq.exe 568 Ikpjgkjq.exe 108 Ihdkao32.exe 108 Ihdkao32.exe 2300 Ikbgmj32.exe 2300 Ikbgmj32.exe 996 Idklfpon.exe 996 Idklfpon.exe 1676 Igihbknb.exe 1676 Igihbknb.exe 1844 Idmhkpml.exe 1844 Idmhkpml.exe 1016 Igkdgk32.exe 1016 Igkdgk32.exe 2044 Jofiln32.exe 2044 Jofiln32.exe 2148 Jcbellac.exe 2148 Jcbellac.exe 1756 Joifam32.exe 1756 Joifam32.exe 2040 Jbgbni32.exe 2040 Jbgbni32.exe 1596 Jfekcg32.exe 1596 Jfekcg32.exe 2660 Jicgpb32.exe 2660 Jicgpb32.exe 2816 Jbllihbf.exe 2816 Jbllihbf.exe 2832 Jifdebic.exe 2832 Jifdebic.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hkaglf32.exe Hlngpjlj.exe File created C:\Windows\SysWOW64\Lnhplkhl.dll Ilqpdm32.exe File created C:\Windows\SysWOW64\Aalpaf32.dll Pgbafl32.exe File opened for modification C:\Windows\SysWOW64\Cnaocmmi.exe Ckccgane.exe File opened for modification C:\Windows\SysWOW64\Dlkepi32.exe Dfamcogo.exe File created C:\Windows\SysWOW64\Acpdko32.exe Alhmjbhj.exe File created C:\Windows\SysWOW64\Biafnecn.exe Bajomhbl.exe File created C:\Windows\SysWOW64\Gjhfbach.dll Chbjffad.exe File created C:\Windows\SysWOW64\Inegme32.dll Eibbcm32.exe File created C:\Windows\SysWOW64\Kpmlkp32.exe Kfegbj32.exe File created C:\Windows\SysWOW64\Bkkepg32.dll Fnkjhb32.exe File created C:\Windows\SysWOW64\Gbaileio.exe Glgaok32.exe File opened for modification C:\Windows\SysWOW64\Hpefdl32.exe Hiknhbcg.exe File opened for modification C:\Windows\SysWOW64\Gkgkbipp.exe Gangic32.exe File created C:\Windows\SysWOW64\Jicgpb32.exe Jfekcg32.exe File opened for modification C:\Windows\SysWOW64\Ffklhqao.exe Fncdgcqm.exe File opened for modification C:\Windows\SysWOW64\Kjfjbdle.exe Jghmfhmb.exe File created C:\Windows\SysWOW64\Ljhcccai.dll Abeemhkh.exe File created C:\Windows\SysWOW64\Ocgpappk.exe Oqideepg.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Ojfaijcc.exe File created C:\Windows\SysWOW64\Ogeigofa.exe Olpdjf32.exe File opened for modification C:\Windows\SysWOW64\Baakhm32.exe Bocolb32.exe File created C:\Windows\SysWOW64\Gakcimgf.exe Gnmgmbhb.exe File created C:\Windows\SysWOW64\Fibmmd32.dll Hipkdnmf.exe File opened for modification C:\Windows\SysWOW64\Ihgainbg.exe Iamimc32.exe File created C:\Windows\SysWOW64\Niikceid.exe Nenobfak.exe File created C:\Windows\SysWOW64\Ncolgf32.dll Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Jofiln32.exe Igkdgk32.exe File created C:\Windows\SysWOW64\Iamimc32.exe Icjhagdp.exe File opened for modification C:\Windows\SysWOW64\Jdehon32.exe Jnkpbcjg.exe File created C:\Windows\SysWOW64\Hojgbclk.dll Ahdaee32.exe File created C:\Windows\SysWOW64\Cdbdjhmp.exe Cadhnmnm.exe File opened for modification C:\Windows\SysWOW64\Dndlim32.exe Djhphncm.exe File created C:\Windows\SysWOW64\Jmianb32.dll Gfjhgdck.exe File created C:\Windows\SysWOW64\Dnlbnp32.dll Nenobfak.exe File opened for modification C:\Windows\SysWOW64\Oappcfmb.exe Ojigbhlp.exe File created C:\Windows\SysWOW64\Lpdbloof.exe Lhmjkaoc.exe File created C:\Windows\SysWOW64\Pkndaa32.exe Pgbhabjp.exe File opened for modification C:\Windows\SysWOW64\Bhajdblk.exe Bfpnmj32.exe File created C:\Windows\SysWOW64\Imklkg32.dll Bfkpqn32.exe File created C:\Windows\SysWOW64\Ipgljgoi.dll Pdaheq32.exe File opened for modification C:\Windows\SysWOW64\Apoooa32.exe Amqccfed.exe File created C:\Windows\SysWOW64\Jhgnia32.dll Efcfga32.exe File opened for modification C:\Windows\SysWOW64\Oohqqlei.exe Nhohda32.exe File created C:\Windows\SysWOW64\Pmccjbaf.exe Pihgic32.exe File created C:\Windows\SysWOW64\Mbpnanch.exe Maoajf32.exe File created C:\Windows\SysWOW64\Mmjale32.dll Egllae32.exe File opened for modification C:\Windows\SysWOW64\Ckccgane.exe Cclkfdnc.exe File created C:\Windows\SysWOW64\Eeieql32.dll Kiqpop32.exe File created C:\Windows\SysWOW64\Icmqhn32.dll Aniimjbo.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Aemkjiem.exe File created C:\Windows\SysWOW64\Cgcmlcja.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Ikhjki32.exe Ihjnom32.exe File created C:\Windows\SysWOW64\Lcojjmea.exe Leljop32.exe File created C:\Windows\SysWOW64\Pmlmic32.exe Pjnamh32.exe File created C:\Windows\SysWOW64\Agfgqo32.exe Apoooa32.exe File created C:\Windows\SysWOW64\Lahkigca.exe Lkncmmle.exe File created C:\Windows\SysWOW64\Nblihc32.dll Hiknhbcg.exe File opened for modification C:\Windows\SysWOW64\Iamimc32.exe Icjhagdp.exe File created C:\Windows\SysWOW64\Aaebnq32.dll Lgmcqkkh.exe File opened for modification C:\Windows\SysWOW64\Meijhc32.exe Mbkmlh32.exe File created C:\Windows\SysWOW64\Npccpo32.exe Niikceid.exe File created C:\Windows\SysWOW64\Ojigbhlp.exe Ohhkjp32.exe File created C:\Windows\SysWOW64\Pdpfph32.dll Hhmepp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5324 5284 WerFault.exe 506 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gicbeald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbgbni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmlpbdc.dll" Pogclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgcmlcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbmjah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdaheq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Picnndmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll" Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmcaafi.dll" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bafidiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmhdknh.dll" Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdllkhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjfjbdle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oomjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll" Bmhideol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkafj32.dll" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckafbbph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll" Pgbafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmgg32.dll" Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Legmbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcenlceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkolkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgmdjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qiladcdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjjmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pkndaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aganeoip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdmddc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bobhal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbkkjih.dll" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necfoajd.dll" Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfahhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dolnad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilcmjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmdcpnkh.dll" Fhqbkhch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llfifq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll" Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnoej32.dll" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flgeqgog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljffag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbplbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll" Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgphd32.dll" Flgeqgog.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2236 3016 1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe 28 PID 3016 wrote to memory of 2236 3016 1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe 28 PID 3016 wrote to memory of 2236 3016 1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe 28 PID 3016 wrote to memory of 2236 3016 1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe 28 PID 2236 wrote to memory of 3040 2236 Gicbeald.exe 29 PID 2236 wrote to memory of 3040 2236 Gicbeald.exe 29 PID 2236 wrote to memory of 3040 2236 Gicbeald.exe 29 PID 2236 wrote to memory of 3040 2236 Gicbeald.exe 29 PID 3040 wrote to memory of 2908 3040 Gangic32.exe 30 PID 3040 wrote to memory of 2908 3040 Gangic32.exe 30 PID 3040 wrote to memory of 2908 3040 Gangic32.exe 30 PID 3040 wrote to memory of 2908 3040 Gangic32.exe 30 PID 2908 wrote to memory of 2636 2908 Gkgkbipp.exe 31 PID 2908 wrote to memory of 2636 2908 Gkgkbipp.exe 31 PID 2908 wrote to memory of 2636 2908 Gkgkbipp.exe 31 PID 2908 wrote to memory of 2636 2908 Gkgkbipp.exe 31 PID 2636 wrote to memory of 2684 2636 Ghkllmoi.exe 32 PID 2636 wrote to memory of 2684 2636 Ghkllmoi.exe 32 PID 2636 wrote to memory of 2684 2636 Ghkllmoi.exe 32 PID 2636 wrote to memory of 2684 2636 Ghkllmoi.exe 32 PID 2684 wrote to memory of 2560 2684 Goddhg32.exe 33 PID 2684 wrote to memory of 2560 2684 Goddhg32.exe 33 PID 2684 wrote to memory of 2560 2684 Goddhg32.exe 33 PID 2684 wrote to memory of 2560 2684 Goddhg32.exe 33 PID 2560 wrote to memory of 2484 2560 Ggpimica.exe 34 PID 2560 wrote to memory of 2484 2560 Ggpimica.exe 34 PID 2560 wrote to memory of 2484 2560 Ggpimica.exe 34 PID 2560 wrote to memory of 2484 2560 Ggpimica.exe 34 PID 2484 wrote to memory of 2752 2484 Gphmeo32.exe 35 PID 2484 wrote to memory of 2752 2484 Gphmeo32.exe 35 PID 2484 wrote to memory of 2752 2484 Gphmeo32.exe 35 PID 2484 wrote to memory of 2752 2484 Gphmeo32.exe 35 PID 2752 wrote to memory of 2400 2752 Hmlnoc32.exe 36 PID 2752 wrote to memory of 2400 2752 Hmlnoc32.exe 36 PID 2752 wrote to memory of 2400 2752 Hmlnoc32.exe 36 PID 2752 wrote to memory of 2400 2752 Hmlnoc32.exe 36 PID 2400 wrote to memory of 2008 2400 Hkpnhgge.exe 37 PID 2400 wrote to memory of 2008 2400 Hkpnhgge.exe 37 PID 2400 wrote to memory of 2008 2400 Hkpnhgge.exe 37 PID 2400 wrote to memory of 2008 2400 Hkpnhgge.exe 37 PID 2008 wrote to memory of 1448 2008 Hnojdcfi.exe 38 PID 2008 wrote to memory of 1448 2008 Hnojdcfi.exe 38 PID 2008 wrote to memory of 1448 2008 Hnojdcfi.exe 38 PID 2008 wrote to memory of 1448 2008 Hnojdcfi.exe 38 PID 1448 wrote to memory of 1868 1448 Hnagjbdf.exe 39 PID 1448 wrote to memory of 1868 1448 Hnagjbdf.exe 39 PID 1448 wrote to memory of 1868 1448 Hnagjbdf.exe 39 PID 1448 wrote to memory of 1868 1448 Hnagjbdf.exe 39 PID 1868 wrote to memory of 1632 1868 Hjhhocjj.exe 40 PID 1868 wrote to memory of 1632 1868 Hjhhocjj.exe 40 PID 1868 wrote to memory of 1632 1868 Hjhhocjj.exe 40 PID 1868 wrote to memory of 1632 1868 Hjhhocjj.exe 40 PID 1632 wrote to memory of 1508 1632 Hpapln32.exe 41 PID 1632 wrote to memory of 1508 1632 Hpapln32.exe 41 PID 1632 wrote to memory of 1508 1632 Hpapln32.exe 41 PID 1632 wrote to memory of 1508 1632 Hpapln32.exe 41 PID 1508 wrote to memory of 864 1508 Hhmepp32.exe 42 PID 1508 wrote to memory of 864 1508 Hhmepp32.exe 42 PID 1508 wrote to memory of 864 1508 Hhmepp32.exe 42 PID 1508 wrote to memory of 864 1508 Hhmepp32.exe 42 PID 864 wrote to memory of 3036 864 Ilknfn32.exe 43 PID 864 wrote to memory of 3036 864 Ilknfn32.exe 43 PID 864 wrote to memory of 3036 864 Ilknfn32.exe 43 PID 864 wrote to memory of 3036 864 Ilknfn32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1d70145d42309d7c6bad65536d589ba0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe33⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe34⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe37⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe38⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe39⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe41⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe42⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe43⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe45⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe48⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe49⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe51⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe52⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe53⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe54⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe56⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe57⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe58⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe59⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe60⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe63⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe64⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe66⤵PID:1056
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe67⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe68⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe69⤵PID:648
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe70⤵PID:1092
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe71⤵PID:1792
-
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe72⤵PID:1888
-
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe73⤵PID:2940
-
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe74⤵PID:2092
-
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe75⤵PID:2032
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe76⤵PID:2380
-
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe77⤵PID:2648
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe78⤵PID:2776
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe79⤵PID:2596
-
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe80⤵PID:1972
-
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe81⤵PID:1980
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe82⤵PID:1728
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe83⤵PID:328
-
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe84⤵PID:1752
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe85⤵PID:1340
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1116 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe87⤵PID:1272
-
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe88⤵PID:1268
-
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe90⤵PID:2936
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe91⤵PID:2112
-
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe92⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe94⤵PID:2672
-
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe95⤵
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe96⤵PID:2548
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe98⤵PID:316
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe99⤵
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe100⤵
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe101⤵
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1284 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe103⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe104⤵PID:2472
-
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe105⤵PID:1544
-
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe106⤵PID:1608
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1832 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe108⤵PID:1712
-
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe110⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe111⤵PID:2724
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe112⤵PID:2708
-
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe113⤵
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe114⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe115⤵PID:336
-
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe116⤵PID:1876
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe117⤵PID:2392
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe118⤵PID:916
-
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe119⤵PID:2120
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe120⤵PID:1568
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe121⤵
- Modifies registry class
PID:2624
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-