Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15-05-2024 22:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe
-
Size
111KB
-
MD5
44c10ab03f31b966b22aa368a93810e0
-
SHA1
5d26bb9bdff2e0945f186fc93bf1396e8189aa54
-
SHA256
003d72107e30de48d9ba420c7c9f2fe8b95a9f6843d1c570a4e077d8bc2fa982
-
SHA512
ab57fdd6d2d4b8627014accb99a160da967e7296b3deaf01baf1496fc9d92576b7cd169f7a4d3c1439f0fef07f8bb4cab3271078ce8aea85b3a78e5742e720b3
-
SSDEEP
3072:xWgeQXGDV6H4PssLYEeqw0v0wnJcefSXQHPTTAkvB5Ddj:jeQ2BS4UsLYfwtnJfKXqPTX7DB
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naalga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lboiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgbcpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcqgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kglcogeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkileele.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbogfcjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhdkgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bniajoic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgnmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idadnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phqmgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoompl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecbhdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnoiio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhjni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmphlpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcijeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajmfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egjbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oippjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfaopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnnnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfgafadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eklqcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Neiaeiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcoqdoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poeipifl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aihfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ciohqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfjpdjjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afdiondb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqlfaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajinjff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfmafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpiqmlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobgihgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkiefp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akkoig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khkpijma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfhfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdbiji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmjhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knekla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbeoibb.exe -
Executes dropped EXE 64 IoCs
pid Process 2552 Annbhi32.exe 2720 Afiglkle.exe 2692 Abbeflpf.exe 1920 Bbdallnd.exe 2532 Bhdgjb32.exe 268 Boplllob.exe 568 Bmeimhdj.exe 1276 Cfnmfn32.exe 2972 Cklfll32.exe 2788 Cbgjqo32.exe 2672 Clalod32.exe 1896 Cielhh32.exe 2760 Dkiefp32.exe 608 Dgpfkakd.exe 2304 Dgbcpq32.exe 1188 Djclbl32.exe 2116 Ejehgkdp.exe 1124 Ehjehh32.exe 1476 Ecpjfq32.exe 1824 Edccch32.exe 1160 Ekpheb32.exe 740 Fkbdkb32.exe 964 Fqomci32.exe 2920 Fqajihle.exe 860 Fgkbeb32.exe 872 Fmhjni32.exe 2600 Gmmdiind.exe 1600 Gcglec32.exe 2624 Gehhmkko.exe 2052 Gpnmjd32.exe 2500 Ghkndf32.exe 2456 Gnefapmj.exe 1708 Geoonjeg.exe 704 Gjlgfaco.exe 564 Hddlof32.exe 2820 Hmmphlpp.exe 2744 Hajinjff.exe 2752 Hfgafadm.exe 1408 Hbnbkbja.exe 816 Iaonhm32.exe 1528 Jliohkak.exe 1104 Jnhlbn32.exe 2312 Jfcqgpfi.exe 1964 Jcgapdeb.exe 2916 Jjaimn32.exe 1044 Jonbee32.exe 1944 Jfhjbobc.exe 968 Jlbboiip.exe 596 Kbokgpgg.exe 932 Kglcogeo.exe 2352 Knekla32.exe 1664 Khkpijma.exe 2940 Kkileele.exe 2560 Kbcdbp32.exe 1716 Kdbpnk32.exe 2576 Knjegqif.exe 2444 Kqiaclhj.exe 880 Kgbipf32.exe 2836 Knmamp32.exe 2796 Kcijeg32.exe 1144 Lfhfab32.exe 928 Lopkjhko.exe 1016 Lbogfcjc.exe 1376 Ljfogake.exe -
Loads dropped DLL 64 IoCs
pid Process 3036 44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe 3036 44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe 2552 Annbhi32.exe 2552 Annbhi32.exe 2720 Afiglkle.exe 2720 Afiglkle.exe 2692 Abbeflpf.exe 2692 Abbeflpf.exe 1920 Bbdallnd.exe 1920 Bbdallnd.exe 2532 Bhdgjb32.exe 2532 Bhdgjb32.exe 268 Boplllob.exe 268 Boplllob.exe 568 Bmeimhdj.exe 568 Bmeimhdj.exe 1276 Cfnmfn32.exe 1276 Cfnmfn32.exe 2972 Cklfll32.exe 2972 Cklfll32.exe 2788 Cbgjqo32.exe 2788 Cbgjqo32.exe 2672 Clalod32.exe 2672 Clalod32.exe 1896 Cielhh32.exe 1896 Cielhh32.exe 2760 Dkiefp32.exe 2760 Dkiefp32.exe 608 Dgpfkakd.exe 608 Dgpfkakd.exe 2304 Dgbcpq32.exe 2304 Dgbcpq32.exe 1188 Djclbl32.exe 1188 Djclbl32.exe 2116 Ejehgkdp.exe 2116 Ejehgkdp.exe 1124 Ehjehh32.exe 1124 Ehjehh32.exe 1476 Ecpjfq32.exe 1476 Ecpjfq32.exe 1824 Edccch32.exe 1824 Edccch32.exe 1160 Ekpheb32.exe 1160 Ekpheb32.exe 740 Fkbdkb32.exe 740 Fkbdkb32.exe 964 Fqomci32.exe 964 Fqomci32.exe 2920 Fqajihle.exe 2920 Fqajihle.exe 860 Fgkbeb32.exe 860 Fgkbeb32.exe 872 Fmhjni32.exe 872 Fmhjni32.exe 2600 Gmmdiind.exe 2600 Gmmdiind.exe 1600 Gcglec32.exe 1600 Gcglec32.exe 2624 Gehhmkko.exe 2624 Gehhmkko.exe 2052 Gpnmjd32.exe 2052 Gpnmjd32.exe 2500 Ghkndf32.exe 2500 Ghkndf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kqiaclhj.exe Knjegqif.exe File created C:\Windows\SysWOW64\Dgbdoe32.dll Fcjeon32.exe File opened for modification C:\Windows\SysWOW64\Ciihklpj.exe Bkegah32.exe File created C:\Windows\SysWOW64\Jehlkhig.exe Jbhcim32.exe File opened for modification C:\Windows\SysWOW64\Ahgofi32.exe Akcomepg.exe File created C:\Windows\SysWOW64\Fnpeed32.dll Ciihklpj.exe File created C:\Windows\SysWOW64\Pdnndane.dll Hddlof32.exe File opened for modification C:\Windows\SysWOW64\Peanbblf.exe Plijimee.exe File created C:\Windows\SysWOW64\Jbpdeogo.exe Ielclkhe.exe File created C:\Windows\SysWOW64\Kcmcoblm.exe Jjdofm32.exe File created C:\Windows\SysWOW64\Lilfnc32.dll Lcomce32.exe File created C:\Windows\SysWOW64\Ghfmdj32.dll Poeipifl.exe File opened for modification C:\Windows\SysWOW64\Jjdofm32.exe Jdejhfig.exe File created C:\Windows\SysWOW64\Caaggpdh.exe Bflbigdb.exe File created C:\Windows\SysWOW64\Kmimme32.dll Ffaaoh32.exe File opened for modification C:\Windows\SysWOW64\Annbhi32.exe 44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Ooahll32.dll Gghkdp32.exe File created C:\Windows\SysWOW64\Ahqmla32.dll Khoebi32.exe File created C:\Windows\SysWOW64\Kagflkia.dll Nlnpgd32.exe File opened for modification C:\Windows\SysWOW64\Cielhh32.exe Clalod32.exe File opened for modification C:\Windows\SysWOW64\Hddlof32.exe Gjlgfaco.exe File created C:\Windows\SysWOW64\Cohibp32.dll Knmamp32.exe File created C:\Windows\SysWOW64\Jkdgkc32.dll Akhfoldn.exe File created C:\Windows\SysWOW64\Ndjhkqcb.dll Jniefm32.exe File created C:\Windows\SysWOW64\Abpcooea.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Kglcogeo.exe Kbokgpgg.exe File opened for modification C:\Windows\SysWOW64\Fmegncpp.exe Fhgnge32.exe File opened for modification C:\Windows\SysWOW64\Dhpemm32.exe Dogpdg32.exe File created C:\Windows\SysWOW64\Fkpjnkig.exe Enlidg32.exe File created C:\Windows\SysWOW64\Jbhcim32.exe Jpigma32.exe File created C:\Windows\SysWOW64\Deccjdkf.dll Fqajihle.exe File created C:\Windows\SysWOW64\Lbemfbdk.exe Lklejh32.exe File opened for modification C:\Windows\SysWOW64\Pjcckf32.exe Pqkobqhd.exe File opened for modification C:\Windows\SysWOW64\Kbigpn32.exe Kkoncdcp.exe File opened for modification C:\Windows\SysWOW64\Nlcibc32.exe Neiaeiii.exe File created C:\Windows\SysWOW64\Lnbnfb32.dll Qackpado.exe File created C:\Windows\SysWOW64\Nbdmji32.dll Jkhejkcq.exe File opened for modification C:\Windows\SysWOW64\Ojomdoof.exe Oaghki32.exe File created C:\Windows\SysWOW64\Cjonncab.exe Cebeem32.exe File opened for modification C:\Windows\SysWOW64\Gcglec32.exe Gmmdiind.exe File created C:\Windows\SysWOW64\Jliohkak.exe Iaonhm32.exe File created C:\Windows\SysWOW64\Gapfdgmi.dll Hegnahjo.exe File created C:\Windows\SysWOW64\Pfkhoe32.dll Bajqfq32.exe File opened for modification C:\Windows\SysWOW64\Giipab32.exe Gkephn32.exe File opened for modification C:\Windows\SysWOW64\Lbackc32.exe Ljfogake.exe File created C:\Windows\SysWOW64\Blhoaobk.dll Gcokiaji.exe File created C:\Windows\SysWOW64\Jphiff32.dll Imnbbi32.exe File created C:\Windows\SysWOW64\Kkoncdcp.exe Kfbfkmeh.exe File opened for modification C:\Windows\SysWOW64\Akcomepg.exe Aomnhd32.exe File created C:\Windows\SysWOW64\Kafbbbmg.dll Aidphq32.exe File opened for modification C:\Windows\SysWOW64\Jaoqqflp.exe Ihglhp32.exe File created C:\Windows\SysWOW64\Objaha32.exe Olpilg32.exe File opened for modification C:\Windows\SysWOW64\Oiffkkbk.exe Objaha32.exe File opened for modification C:\Windows\SysWOW64\Elajgpmj.exe Dmmmfc32.exe File opened for modification C:\Windows\SysWOW64\Qmifhq32.exe Qjkjle32.exe File opened for modification C:\Windows\SysWOW64\Lklejh32.exe Lfolaang.exe File opened for modification C:\Windows\SysWOW64\Ogcnkgoh.exe Opifnm32.exe File created C:\Windows\SysWOW64\Knnpkl32.dll Ihbcmaje.exe File created C:\Windows\SysWOW64\Cdpkangm.dll Bdcifi32.exe File created C:\Windows\SysWOW64\Beackp32.exe Akiobk32.exe File created C:\Windows\SysWOW64\Bjbeofpp.exe Bajqfq32.exe File created C:\Windows\SysWOW64\Difnaqih.exe Cpmjhk32.exe File created C:\Windows\SysWOW64\Mmmjebjg.dll Lhfefgkg.exe File created C:\Windows\SysWOW64\Gbnbjo32.dll Bjbndpmd.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Edggmg32.¾ll Dpapaj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mclcijfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Homdlljo.dll" Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqmla32.dll" Khoebi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnpgeopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljomn32.dll" Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffjig32.dll" Kaompi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgfhpob.dll" Medeaaej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gcokiaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmeon.dll" Kjokokha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egjbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbigpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdnpmb32.dll" Ibfaopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhhkjkc.dll" Aqhhanig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdnild32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgkbeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knekla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njhfcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmnnkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boplllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgffkh32.dll" Dgbcpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oehklddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdgmlhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djjfkm32.dll" Lklejh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npgihn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnhoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ielclkhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" Boplllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obidifcn.dll" Qmifhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdoodan.dll" Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bjpaop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID Dpapaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfgpl32.dll" Dmhdkdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckemgnc.dll" Ielclkhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knhjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll" Cklfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnphemi.dll" Lfhfab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcjcme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecpjfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnhlbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkdiq32.dll" Gmmdiind.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knekla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aihfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doknlmcm.dll" Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deccjdkf.dll" Fqajihle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnhoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijklknbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abpcooea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgbcpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ednbncmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qobbofgn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3036 wrote to memory of 2552 3036 44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe 28 PID 3036 wrote to memory of 2552 3036 44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe 28 PID 3036 wrote to memory of 2552 3036 44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe 28 PID 3036 wrote to memory of 2552 3036 44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe 28 PID 2552 wrote to memory of 2720 2552 Annbhi32.exe 29 PID 2552 wrote to memory of 2720 2552 Annbhi32.exe 29 PID 2552 wrote to memory of 2720 2552 Annbhi32.exe 29 PID 2552 wrote to memory of 2720 2552 Annbhi32.exe 29 PID 2720 wrote to memory of 2692 2720 Afiglkle.exe 30 PID 2720 wrote to memory of 2692 2720 Afiglkle.exe 30 PID 2720 wrote to memory of 2692 2720 Afiglkle.exe 30 PID 2720 wrote to memory of 2692 2720 Afiglkle.exe 30 PID 2692 wrote to memory of 1920 2692 Abbeflpf.exe 31 PID 2692 wrote to memory of 1920 2692 Abbeflpf.exe 31 PID 2692 wrote to memory of 1920 2692 Abbeflpf.exe 31 PID 2692 wrote to memory of 1920 2692 Abbeflpf.exe 31 PID 1920 wrote to memory of 2532 1920 Bbdallnd.exe 32 PID 1920 wrote to memory of 2532 1920 Bbdallnd.exe 32 PID 1920 wrote to memory of 2532 1920 Bbdallnd.exe 32 PID 1920 wrote to memory of 2532 1920 Bbdallnd.exe 32 PID 2532 wrote to memory of 268 2532 Bhdgjb32.exe 33 PID 2532 wrote to memory of 268 2532 Bhdgjb32.exe 33 PID 2532 wrote to memory of 268 2532 Bhdgjb32.exe 33 PID 2532 wrote to memory of 268 2532 Bhdgjb32.exe 33 PID 268 wrote to memory of 568 268 Boplllob.exe 34 PID 268 wrote to memory of 568 268 Boplllob.exe 34 PID 268 wrote to memory of 568 268 Boplllob.exe 34 PID 268 wrote to memory of 568 268 Boplllob.exe 34 PID 568 wrote to memory of 1276 568 Bmeimhdj.exe 35 PID 568 wrote to memory of 1276 568 Bmeimhdj.exe 35 PID 568 wrote to memory of 1276 568 Bmeimhdj.exe 35 PID 568 wrote to memory of 1276 568 Bmeimhdj.exe 35 PID 1276 wrote to memory of 2972 1276 Cfnmfn32.exe 36 PID 1276 wrote to memory of 2972 1276 Cfnmfn32.exe 36 PID 1276 wrote to memory of 2972 1276 Cfnmfn32.exe 36 PID 1276 wrote to memory of 2972 1276 Cfnmfn32.exe 36 PID 2972 wrote to memory of 2788 2972 Cklfll32.exe 37 PID 2972 wrote to memory of 2788 2972 Cklfll32.exe 37 PID 2972 wrote to memory of 2788 2972 Cklfll32.exe 37 PID 2972 wrote to memory of 2788 2972 Cklfll32.exe 37 PID 2788 wrote to memory of 2672 2788 Cbgjqo32.exe 38 PID 2788 wrote to memory of 2672 2788 Cbgjqo32.exe 38 PID 2788 wrote to memory of 2672 2788 Cbgjqo32.exe 38 PID 2788 wrote to memory of 2672 2788 Cbgjqo32.exe 38 PID 2672 wrote to memory of 1896 2672 Clalod32.exe 39 PID 2672 wrote to memory of 1896 2672 Clalod32.exe 39 PID 2672 wrote to memory of 1896 2672 Clalod32.exe 39 PID 2672 wrote to memory of 1896 2672 Clalod32.exe 39 PID 1896 wrote to memory of 2760 1896 Cielhh32.exe 40 PID 1896 wrote to memory of 2760 1896 Cielhh32.exe 40 PID 1896 wrote to memory of 2760 1896 Cielhh32.exe 40 PID 1896 wrote to memory of 2760 1896 Cielhh32.exe 40 PID 2760 wrote to memory of 608 2760 Dkiefp32.exe 41 PID 2760 wrote to memory of 608 2760 Dkiefp32.exe 41 PID 2760 wrote to memory of 608 2760 Dkiefp32.exe 41 PID 2760 wrote to memory of 608 2760 Dkiefp32.exe 41 PID 608 wrote to memory of 2304 608 Dgpfkakd.exe 42 PID 608 wrote to memory of 2304 608 Dgpfkakd.exe 42 PID 608 wrote to memory of 2304 608 Dgpfkakd.exe 42 PID 608 wrote to memory of 2304 608 Dgpfkakd.exe 42 PID 2304 wrote to memory of 1188 2304 Dgbcpq32.exe 43 PID 2304 wrote to memory of 1188 2304 Dgbcpq32.exe 43 PID 2304 wrote to memory of 1188 2304 Dgbcpq32.exe 43 PID 2304 wrote to memory of 1188 2304 Dgbcpq32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\44c10ab03f31b966b22aa368a93810e0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Abbeflpf.exeC:\Windows\system32\Abbeflpf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Clalod32.exeC:\Windows\system32\Clalod32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:740 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Fqajihle.exeC:\Windows\system32\Fqajihle.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe33⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe34⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe40⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe42⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe45⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe46⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe47⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe48⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe49⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe55⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe56⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe58⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe59⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe63⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe66⤵PID:2320
-
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe67⤵PID:1636
-
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe68⤵PID:2908
-
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe69⤵
- Drops file in System32 directory
PID:432 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe71⤵PID:788
-
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe73⤵PID:2892
-
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe74⤵PID:1576
-
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe76⤵PID:2696
-
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe77⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe78⤵PID:2396
-
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe79⤵PID:2852
-
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe80⤵PID:2056
-
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe81⤵PID:2968
-
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe82⤵PID:1512
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe83⤵PID:2764
-
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe84⤵PID:1112
-
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe85⤵PID:2316
-
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe87⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe88⤵PID:1184
-
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe90⤵PID:588
-
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe91⤵PID:2008
-
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe92⤵PID:2016
-
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe93⤵PID:3040
-
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe94⤵PID:2896
-
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe95⤵PID:2568
-
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:672 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe99⤵PID:1468
-
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe100⤵PID:2608
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe101⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe102⤵PID:2296
-
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe103⤵PID:2772
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe104⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe105⤵PID:1840
-
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe106⤵PID:1064
-
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe107⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe108⤵PID:1612
-
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe109⤵PID:2888
-
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe110⤵PID:1620
-
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe111⤵PID:1728
-
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe112⤵PID:1208
-
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe114⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe115⤵PID:972
-
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe116⤵PID:2084
-
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe118⤵
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe119⤵PID:3000
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe120⤵PID:1604
-
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe121⤵PID:924
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-