Analysis
-
max time kernel
139s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 09:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe
-
Size
226KB
-
MD5
bb665597afe6110c5897289d52eeea60
-
SHA1
27d512c4cab0ed7fa0615959f3c0eafe38d2c293
-
SHA256
f8bb36b4e4b2dd705112c17197c7408cfc4d6fcda05697d18e56f482e8ddf590
-
SHA512
ac6f397d5e1686d403a0b48a22217dc5a681e072e331a9ab48ffe7675895a0e254bb314f5c47bbdf9afd6aef2508a3ad3b90e17190687beb582992f48149b37d
-
SSDEEP
3072:Ux+qP067CDKcWmjRvDKcpDKcWmjRrzNtQtjDKcWmjRrzNtb:vE7bxEtQtsEtb
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chcqpmep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egamfkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onbddoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llqcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eloemi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghfbqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddokpmfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjknnbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalmklfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cciemedf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epaogi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgmhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkhpnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oicpfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplkfgoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbddoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbiciana.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnieom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odegpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpgele32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegnkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqqapjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfefiemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodonf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkmjin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkmjin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjfba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondajnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbacbac.exe -
Executes dropped EXE 64 IoCs
pid Process 3052 Kfaajlfp.exe 2960 Khcnad32.exe 2720 Kpjfba32.exe 2696 Komfnnck.exe 2504 Kbhbom32.exe 2484 Kegnkh32.exe 3032 Khekgc32.exe 1724 Klqfhbbe.exe 2452 Keikqhhe.exe 1852 Lkfciogm.exe 2388 Lhjdbcef.exe 2772 Lkhpnnej.exe 1544 Ldqegd32.exe 884 Lpgele32.exe 2760 Lbfahp32.exe 2996 Lkmjin32.exe 588 Lipjejgp.exe 852 Lmkfei32.exe 2184 Lpjbad32.exe 2176 Ldenbcge.exe 1560 Lgdjnofi.exe 612 Lefkjkmc.exe 1828 Lmnbkinf.exe 688 Llqcfe32.exe 1680 Lplogdmj.exe 2928 Mgfgdn32.exe 2668 Moalhq32.exe 2692 Mlelaeqk.exe 2584 Mochnppo.exe 2664 Mlgigdoh.exe 2992 Mkjica32.exe 2708 Mnieom32.exe 2880 Madapkmp.exe 1464 Mhnjle32.exe 1984 Mkmfhacp.exe 1532 Mnkbdlbd.exe 2080 Magnek32.exe 2824 Mdejaf32.exe 2064 Mgcgmb32.exe 1824 Njbcim32.exe 2764 Nnnojlpa.exe 2408 Nplkfgoe.exe 1572 Ngfcca32.exe 2272 Nlblkhei.exe 2832 Ndjdlffl.exe 2340 Nghphaeo.exe 1740 Njgldmdc.exe 400 Nqqdag32.exe 2500 Ncoamb32.exe 2520 Nfmmin32.exe 1296 Nlgefh32.exe 1704 Nqcagfim.exe 1576 Nofabc32.exe 1668 Nfpjomgd.exe 2492 Nfpjomgd.exe 2376 Njkfpl32.exe 2348 Nmjblg32.exe 1864 Nohnhc32.exe 1640 Nbfjdn32.exe 1712 Ofbfdmeb.exe 1772 Odegpj32.exe 1556 Okoomd32.exe 1636 Oojknblb.exe 964 Obigjnkf.exe -
Loads dropped DLL 64 IoCs
pid Process 2948 bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe 2948 bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe 3052 Kfaajlfp.exe 3052 Kfaajlfp.exe 2960 Khcnad32.exe 2960 Khcnad32.exe 2720 Kpjfba32.exe 2720 Kpjfba32.exe 2696 Komfnnck.exe 2696 Komfnnck.exe 2504 Kbhbom32.exe 2504 Kbhbom32.exe 2484 Kegnkh32.exe 2484 Kegnkh32.exe 3032 Khekgc32.exe 3032 Khekgc32.exe 1724 Klqfhbbe.exe 1724 Klqfhbbe.exe 2452 Keikqhhe.exe 2452 Keikqhhe.exe 1852 Lkfciogm.exe 1852 Lkfciogm.exe 2388 Lhjdbcef.exe 2388 Lhjdbcef.exe 2772 Lkhpnnej.exe 2772 Lkhpnnej.exe 1544 Ldqegd32.exe 1544 Ldqegd32.exe 884 Lpgele32.exe 884 Lpgele32.exe 2760 Lbfahp32.exe 2760 Lbfahp32.exe 2996 Lkmjin32.exe 2996 Lkmjin32.exe 588 Lipjejgp.exe 588 Lipjejgp.exe 852 Lmkfei32.exe 852 Lmkfei32.exe 2184 Lpjbad32.exe 2184 Lpjbad32.exe 2176 Ldenbcge.exe 2176 Ldenbcge.exe 1560 Lgdjnofi.exe 1560 Lgdjnofi.exe 612 Lefkjkmc.exe 612 Lefkjkmc.exe 1828 Lmnbkinf.exe 1828 Lmnbkinf.exe 688 Llqcfe32.exe 688 Llqcfe32.exe 1680 Lplogdmj.exe 1680 Lplogdmj.exe 2928 Mgfgdn32.exe 2928 Mgfgdn32.exe 2668 Moalhq32.exe 2668 Moalhq32.exe 2692 Mlelaeqk.exe 2692 Mlelaeqk.exe 2584 Mochnppo.exe 2584 Mochnppo.exe 2664 Mlgigdoh.exe 2664 Mlgigdoh.exe 2992 Mkjica32.exe 2992 Mkjica32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fnnajckm.dll Ongnonkb.exe File created C:\Windows\SysWOW64\Pgobhcac.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Jkamkfgh.dll Fmhheqje.exe File created C:\Windows\SysWOW64\Gjenmobn.dll Inljnfkg.exe File created C:\Windows\SysWOW64\Eliele32.dll Madapkmp.exe File created C:\Windows\SysWOW64\Lgahch32.dll Fnbkddem.exe File created C:\Windows\SysWOW64\Ckffgg32.exe Clcflkic.exe File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe Dcknbh32.exe File opened for modification C:\Windows\SysWOW64\Blmdlhmp.exe Bhahlj32.exe File created C:\Windows\SysWOW64\Pigeqkai.exe Pfiidobe.exe File created C:\Windows\SysWOW64\Pndaof32.dll Ppamme32.exe File created C:\Windows\SysWOW64\Gkddnkjk.dll Ambmpmln.exe File created C:\Windows\SysWOW64\Claifkkf.exe Chemfl32.exe File created C:\Windows\SysWOW64\Efppoc32.exe Efppoc32.exe File created C:\Windows\SysWOW64\Ennaieib.exe Ennaieib.exe File created C:\Windows\SysWOW64\Gonnhhln.exe Gpknlk32.exe File created C:\Windows\SysWOW64\Jqckbobk.dll Lmkfei32.exe File created C:\Windows\SysWOW64\Qhmbagfa.exe Penfelgm.exe File created C:\Windows\SysWOW64\Bhfbdd32.dll Ajdadamj.exe File created C:\Windows\SysWOW64\Kpjfba32.exe Khcnad32.exe File created C:\Windows\SysWOW64\Cbolpc32.dll Dodonf32.exe File created C:\Windows\SysWOW64\Naeqjnho.dll Dnlidb32.exe File opened for modification C:\Windows\SysWOW64\Egdilkbf.exe Eeempocb.exe File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe Fjdbnf32.exe File created C:\Windows\SysWOW64\Jeccgbbh.dll Filldb32.exe File created C:\Windows\SysWOW64\Gphmeo32.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Gddifnbk.exe Gphmeo32.exe File created C:\Windows\SysWOW64\Ocajbekl.exe Omgaek32.exe File opened for modification C:\Windows\SysWOW64\Omgaek32.exe Ondajnme.exe File created C:\Windows\SysWOW64\Pafagk32.dll Dqlafm32.exe File created C:\Windows\SysWOW64\Fndldonj.dll Gbnccfpb.exe File opened for modification C:\Windows\SysWOW64\Mlelaeqk.exe Moalhq32.exe File created C:\Windows\SysWOW64\Boiccdnf.exe Bpfcgg32.exe File created C:\Windows\SysWOW64\Dkmmhf32.exe Dgaqgh32.exe File created C:\Windows\SysWOW64\Cakqnc32.dll Fioija32.exe File created C:\Windows\SysWOW64\Gmibbifn.dll Icbimi32.exe File created C:\Windows\SysWOW64\Qljkhe32.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Gfegkapd.dll Pchpbded.exe File created C:\Windows\SysWOW64\Dhekfh32.dll Ampqjm32.exe File created C:\Windows\SysWOW64\Bebkpn32.exe Bbdocc32.exe File created C:\Windows\SysWOW64\Dqjepm32.exe Dmoipopd.exe File created C:\Windows\SysWOW64\Ldenbcge.exe Lpjbad32.exe File created C:\Windows\SysWOW64\Aljkjq32.dll Ngfcca32.exe File opened for modification C:\Windows\SysWOW64\Chemfl32.exe Cjbmjplb.exe File opened for modification C:\Windows\SysWOW64\Dnlidb32.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Clnlnhop.dll Enkece32.exe File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe Goddhg32.exe File created C:\Windows\SysWOW64\Hlcgeo32.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Hafakdgi.dll Mhnjle32.exe File created C:\Windows\SysWOW64\Cqmnhocj.dll Fmcoja32.exe File opened for modification C:\Windows\SysWOW64\Magnek32.exe Mnkbdlbd.exe File created C:\Windows\SysWOW64\Njgpdbgm.dll Nfmmin32.exe File created C:\Windows\SysWOW64\Nfpjomgd.exe Nfpjomgd.exe File created C:\Windows\SysWOW64\Bnefdp32.exe Bjijdadm.exe File opened for modification C:\Windows\SysWOW64\Chcqpmep.exe Cjpqdp32.exe File created C:\Windows\SysWOW64\Mgcgmb32.exe Mdejaf32.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Ampqjm32.exe File created C:\Windows\SysWOW64\Dcfdgiid.exe Dqhhknjp.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Alogkm32.dll Hodpgjha.exe File created C:\Windows\SysWOW64\Pqiqnfej.dll Iaeiieeb.exe File opened for modification C:\Windows\SysWOW64\Pchpbded.exe Pmnhfjmg.exe File opened for modification C:\Windows\SysWOW64\Cbkeib32.exe Cciemedf.exe File created C:\Windows\SysWOW64\Elgpfqll.dll Qeqbkkej.exe -
Program crash 1 IoCs
pid pid_target Process 4996 5040 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibcni32.dll" Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklefg32.dll" Afiecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfbhnaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkhcmgnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oicpfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocomlemo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll" Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hodpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejoiedd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfinoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeempocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Gkgkbipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maomqp32.dll" Cfgaiaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbkgnfbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfpjomgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeahel32.dll" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjgej32.dll" Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pabjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhllhfdh.dll" Njbcim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flabbihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgcddkm.dll" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadqjk32.dll" Dgodbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eijcpoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aplpai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphcda32.dll" Kpjfba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klqfhbbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggbcg32.dll" Ogjimd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aljgfioc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffihah32.dll" Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moalhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdfjjia.dll" Ocomlemo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apomfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknecn32.dll" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll" Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhpoo32.dll" Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Ppoqge32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2948 wrote to memory of 3052 2948 bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe 28 PID 2948 wrote to memory of 3052 2948 bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe 28 PID 2948 wrote to memory of 3052 2948 bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe 28 PID 2948 wrote to memory of 3052 2948 bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe 28 PID 3052 wrote to memory of 2960 3052 Kfaajlfp.exe 29 PID 3052 wrote to memory of 2960 3052 Kfaajlfp.exe 29 PID 3052 wrote to memory of 2960 3052 Kfaajlfp.exe 29 PID 3052 wrote to memory of 2960 3052 Kfaajlfp.exe 29 PID 2960 wrote to memory of 2720 2960 Khcnad32.exe 30 PID 2960 wrote to memory of 2720 2960 Khcnad32.exe 30 PID 2960 wrote to memory of 2720 2960 Khcnad32.exe 30 PID 2960 wrote to memory of 2720 2960 Khcnad32.exe 30 PID 2720 wrote to memory of 2696 2720 Kpjfba32.exe 31 PID 2720 wrote to memory of 2696 2720 Kpjfba32.exe 31 PID 2720 wrote to memory of 2696 2720 Kpjfba32.exe 31 PID 2720 wrote to memory of 2696 2720 Kpjfba32.exe 31 PID 2696 wrote to memory of 2504 2696 Komfnnck.exe 32 PID 2696 wrote to memory of 2504 2696 Komfnnck.exe 32 PID 2696 wrote to memory of 2504 2696 Komfnnck.exe 32 PID 2696 wrote to memory of 2504 2696 Komfnnck.exe 32 PID 2504 wrote to memory of 2484 2504 Kbhbom32.exe 33 PID 2504 wrote to memory of 2484 2504 Kbhbom32.exe 33 PID 2504 wrote to memory of 2484 2504 Kbhbom32.exe 33 PID 2504 wrote to memory of 2484 2504 Kbhbom32.exe 33 PID 2484 wrote to memory of 3032 2484 Kegnkh32.exe 34 PID 2484 wrote to memory of 3032 2484 Kegnkh32.exe 34 PID 2484 wrote to memory of 3032 2484 Kegnkh32.exe 34 PID 2484 wrote to memory of 3032 2484 Kegnkh32.exe 34 PID 3032 wrote to memory of 1724 3032 Khekgc32.exe 35 PID 3032 wrote to memory of 1724 3032 Khekgc32.exe 35 PID 3032 wrote to memory of 1724 3032 Khekgc32.exe 35 PID 3032 wrote to memory of 1724 3032 Khekgc32.exe 35 PID 1724 wrote to memory of 2452 1724 Klqfhbbe.exe 36 PID 1724 wrote to memory of 2452 1724 Klqfhbbe.exe 36 PID 1724 wrote to memory of 2452 1724 Klqfhbbe.exe 36 PID 1724 wrote to memory of 2452 1724 Klqfhbbe.exe 36 PID 2452 wrote to memory of 1852 2452 Keikqhhe.exe 37 PID 2452 wrote to memory of 1852 2452 Keikqhhe.exe 37 PID 2452 wrote to memory of 1852 2452 Keikqhhe.exe 37 PID 2452 wrote to memory of 1852 2452 Keikqhhe.exe 37 PID 1852 wrote to memory of 2388 1852 Lkfciogm.exe 38 PID 1852 wrote to memory of 2388 1852 Lkfciogm.exe 38 PID 1852 wrote to memory of 2388 1852 Lkfciogm.exe 38 PID 1852 wrote to memory of 2388 1852 Lkfciogm.exe 38 PID 2388 wrote to memory of 2772 2388 Lhjdbcef.exe 39 PID 2388 wrote to memory of 2772 2388 Lhjdbcef.exe 39 PID 2388 wrote to memory of 2772 2388 Lhjdbcef.exe 39 PID 2388 wrote to memory of 2772 2388 Lhjdbcef.exe 39 PID 2772 wrote to memory of 1544 2772 Lkhpnnej.exe 40 PID 2772 wrote to memory of 1544 2772 Lkhpnnej.exe 40 PID 2772 wrote to memory of 1544 2772 Lkhpnnej.exe 40 PID 2772 wrote to memory of 1544 2772 Lkhpnnej.exe 40 PID 1544 wrote to memory of 884 1544 Ldqegd32.exe 41 PID 1544 wrote to memory of 884 1544 Ldqegd32.exe 41 PID 1544 wrote to memory of 884 1544 Ldqegd32.exe 41 PID 1544 wrote to memory of 884 1544 Ldqegd32.exe 41 PID 884 wrote to memory of 2760 884 Lpgele32.exe 42 PID 884 wrote to memory of 2760 884 Lpgele32.exe 42 PID 884 wrote to memory of 2760 884 Lpgele32.exe 42 PID 884 wrote to memory of 2760 884 Lpgele32.exe 42 PID 2760 wrote to memory of 2996 2760 Lbfahp32.exe 43 PID 2760 wrote to memory of 2996 2760 Lbfahp32.exe 43 PID 2760 wrote to memory of 2996 2760 Lbfahp32.exe 43 PID 2760 wrote to memory of 2996 2760 Lbfahp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\bb665597afe6110c5897289d52eeea60_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe36⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe38⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe40⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe42⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe45⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe46⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe47⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe50⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe52⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe53⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe54⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe57⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe58⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe59⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe60⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe61⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe63⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe64⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe65⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe66⤵PID:1808
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe68⤵PID:1208
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe69⤵PID:2932
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe70⤵PID:2208
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe71⤵PID:1832
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe72⤵PID:1716
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe73⤵
- Modifies registry class
PID:480 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe74⤵PID:2420
-
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe76⤵PID:1452
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe78⤵
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe79⤵
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe80⤵PID:1860
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe82⤵
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe83⤵PID:1720
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe84⤵PID:1400
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe85⤵PID:2596
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe87⤵PID:1420
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe88⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe89⤵PID:1708
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe90⤵PID:1632
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe91⤵PID:2848
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe92⤵PID:1972
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:664 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe95⤵PID:1348
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe96⤵
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe97⤵
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe98⤵PID:2580
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe99⤵PID:2680
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe100⤵PID:2216
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe101⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe102⤵PID:2300
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe103⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe105⤵
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe106⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe107⤵PID:1988
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe108⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe109⤵PID:3060
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe110⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe112⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe113⤵PID:2240
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe114⤵PID:1040
-
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe116⤵PID:360
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe117⤵PID:3028
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe118⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe119⤵PID:2352
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe121⤵PID:2524
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-