Analysis
-
max time kernel
141s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 17:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe
-
Size
97KB
-
MD5
068e0c70195a7fb9959f06e1859fb1d0
-
SHA1
b7d71242456b81a30f69ce043562a6ced905dd06
-
SHA256
df5b262551d65802881ac63f187782787e04184e5a41c8f72b0b77bbdff0ec6d
-
SHA512
b587cbf3c952f84e10065bd6485aa23fbbeec66ba931d35f1944927da136857e22bd27ad4cabbb9328688b5cb3c028c0cf39fb35aa8d62e52f0b0de91843aae0
-
SSDEEP
1536:rP2AayIoWGhfTTJPDQr0vRtSV9Z/KvJXeYZ6:7PQoWGhfT1p0H/aJXeK6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqbgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldenbcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obkdonic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcbellac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blgpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imnafd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbnemk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikggbpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfbccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqalka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemejc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjqccigf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimbdhhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqkqkdne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfmmin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkqbaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjiin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjijdadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmocpado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iidbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefpnhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcbllb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjpaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnbkddem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhbped32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhick32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbhabjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiepfgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmicohqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchpbded.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfgmhd32.exe -
Executes dropped EXE 64 IoCs
pid Process 2372 Hnandi32.exe 1420 Hgjbmoob.exe 2600 Hndkji32.exe 2584 Hqbgfd32.exe 2476 Hhioga32.exe 2512 Hkhkcm32.exe 1196 Hnfgphdl.exe 2960 Hbbcpg32.exe 2520 Hdpplb32.exe 1576 Hgolhn32.exe 1308 Hkjhimcf.exe 2800 Inhdehbj.exe 2784 Imkdqe32.exe 2924 Icemmopa.exe 2052 Igainn32.exe 324 Ijoeji32.exe 1436 Imnafd32.exe 2548 Iqimgc32.exe 2744 Iolmbpfe.exe 448 Ichico32.exe 3068 Igcecmfg.exe 1792 Iffeoj32.exe 1132 Ijaapifk.exe 1204 Iidbke32.exe 704 Iqljlb32.exe 1692 Icjfhn32.exe 2352 Ijdnehci.exe 2972 Ikekmq32.exe 2808 Iclcnnji.exe 2712 Ibocjk32.exe 2752 Ifkojiim.exe 2524 Imeggc32.exe 1644 Ikggbpgd.exe 2504 Ioccco32.exe 940 Ifmlpigj.exe 2700 Jilhldfn.exe 2676 Jgnhga32.exe 2684 Joepio32.exe 2276 Jbdlejmn.exe 1676 Jebiaelb.exe 1248 Jinead32.exe 584 Jnkmjk32.exe 2120 Jbfijjkl.exe 3048 Jaiiff32.exe 1552 Jgcabqic.exe 1848 Jmpjkggj.exe 960 Jegble32.exe 2376 Jcjbgaog.exe 1180 Jgenhp32.exe 2228 Jjdkdl32.exe 2852 Jnofejom.exe 2648 Jpqclb32.exe 1192 Jclomamd.exe 3012 Jfkkimlh.exe 2732 Jiigehkl.exe 1616 Jiigehkl.exe 1860 Kappfeln.exe 1868 Kbalnnam.exe 2692 Kfmhol32.exe 1480 Kjhdokbo.exe 1528 Kikdkh32.exe 564 Kljqgc32.exe 1628 Kcahhq32.exe 1916 Kbcicmpj.exe -
Loads dropped DLL 64 IoCs
pid Process 2380 068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe 2380 068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe 2372 Hnandi32.exe 2372 Hnandi32.exe 1420 Hgjbmoob.exe 1420 Hgjbmoob.exe 2600 Hndkji32.exe 2600 Hndkji32.exe 2584 Hqbgfd32.exe 2584 Hqbgfd32.exe 2476 Hhioga32.exe 2476 Hhioga32.exe 2512 Hkhkcm32.exe 2512 Hkhkcm32.exe 1196 Hnfgphdl.exe 1196 Hnfgphdl.exe 2960 Hbbcpg32.exe 2960 Hbbcpg32.exe 2520 Hdpplb32.exe 2520 Hdpplb32.exe 1576 Hgolhn32.exe 1576 Hgolhn32.exe 1308 Hkjhimcf.exe 1308 Hkjhimcf.exe 2800 Inhdehbj.exe 2800 Inhdehbj.exe 2784 Imkdqe32.exe 2784 Imkdqe32.exe 2924 Icemmopa.exe 2924 Icemmopa.exe 2052 Igainn32.exe 2052 Igainn32.exe 324 Ijoeji32.exe 324 Ijoeji32.exe 1436 Imnafd32.exe 1436 Imnafd32.exe 2548 Iqimgc32.exe 2548 Iqimgc32.exe 2744 Iolmbpfe.exe 2744 Iolmbpfe.exe 448 Ichico32.exe 448 Ichico32.exe 3068 Igcecmfg.exe 3068 Igcecmfg.exe 1792 Iffeoj32.exe 1792 Iffeoj32.exe 1132 Ijaapifk.exe 1132 Ijaapifk.exe 1204 Iidbke32.exe 1204 Iidbke32.exe 704 Iqljlb32.exe 704 Iqljlb32.exe 1692 Icjfhn32.exe 1692 Icjfhn32.exe 2352 Ijdnehci.exe 2352 Ijdnehci.exe 2972 Ikekmq32.exe 2972 Ikekmq32.exe 2808 Iclcnnji.exe 2808 Iclcnnji.exe 2712 Ibocjk32.exe 2712 Ibocjk32.exe 2752 Ifkojiim.exe 2752 Ifkojiim.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Loapim32.exe Lkfciogm.exe File opened for modification C:\Windows\SysWOW64\Moalhq32.exe Mlcple32.exe File created C:\Windows\SysWOW64\Fnnajckm.dll Ongnonkb.exe File created C:\Windows\SysWOW64\Ljenlcfa.dll Epaogi32.exe File created C:\Windows\SysWOW64\Fkckeh32.exe Fmpkjkma.exe File created C:\Windows\SysWOW64\Eiojgnpb.dll Ahchbf32.exe File created C:\Windows\SysWOW64\Bjijdadm.exe Bgknheej.exe File opened for modification C:\Windows\SysWOW64\Ifnechbj.exe Igkdgk32.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Ohibdf32.exe File opened for modification C:\Windows\SysWOW64\Hnandi32.exe 068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Hgolhn32.exe Hdpplb32.exe File created C:\Windows\SysWOW64\Djmccf32.dll Idmhkpml.exe File opened for modification C:\Windows\SysWOW64\Pnlqnl32.exe Pjadmnic.exe File opened for modification C:\Windows\SysWOW64\Kmopod32.exe Kjqccigf.exe File created C:\Windows\SysWOW64\Apimacnn.exe Alnqqd32.exe File created C:\Windows\SysWOW64\Bpleef32.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Emnndlod.exe Ejobhppq.exe File opened for modification C:\Windows\SysWOW64\Kphimanc.exe Kmimafop.exe File created C:\Windows\SysWOW64\Ailkjmpo.exe Aepojo32.exe File opened for modification C:\Windows\SysWOW64\Bfekgp32.dll Fbgmbg32.exe File created C:\Windows\SysWOW64\Igihbknb.exe Idklfpon.exe File created C:\Windows\SysWOW64\Npnhlg32.exe Njdpomfe.exe File opened for modification C:\Windows\SysWOW64\Ncjqhmkm.exe Nlphkb32.exe File created C:\Windows\SysWOW64\Abhimnma.exe Apimacnn.exe File created C:\Windows\SysWOW64\Bdacap32.dll Eqgnokip.exe File created C:\Windows\SysWOW64\Hdjlnm32.dll Chbjffad.exe File opened for modification C:\Windows\SysWOW64\Enhacojl.exe Efaibbij.exe File created C:\Windows\SysWOW64\Ldqegd32.exe Labhkh32.exe File created C:\Windows\SysWOW64\Bnpmipql.exe Bommnc32.exe File opened for modification C:\Windows\SysWOW64\Ekklaj32.exe Emhlfmgj.exe File created C:\Windows\SysWOW64\Oegjkb32.dll Bfadgq32.exe File opened for modification C:\Windows\SysWOW64\Gogangdc.exe Gkkemh32.exe File opened for modification C:\Windows\SysWOW64\Jbnhng32.exe Jnclnihj.exe File created C:\Windows\SysWOW64\Ffbicfoc.exe Fbgmbg32.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Ofjfhk32.exe File created C:\Windows\SysWOW64\Oakomajq.dll Dbhnhp32.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Enakbp32.exe File opened for modification C:\Windows\SysWOW64\Nohnhc32.exe Nmjblg32.exe File created C:\Windows\SysWOW64\Cfmepigc.dll Kkijmm32.exe File created C:\Windows\SysWOW64\Ohibdf32.exe Ofjfhk32.exe File opened for modification C:\Windows\SysWOW64\Bidjnkdg.exe Behnnm32.exe File created C:\Windows\SysWOW64\Bgpokk32.dll Pbmmcq32.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cbnbobin.exe File opened for modification C:\Windows\SysWOW64\Nceclqan.exe Npfgpe32.exe File created C:\Windows\SysWOW64\Cfgnhbba.dll Cohigamf.exe File created C:\Windows\SysWOW64\Khcnad32.exe Kedaeh32.exe File created C:\Windows\SysWOW64\Fndldonj.dll Gobgcg32.exe File created C:\Windows\SysWOW64\Mnghjbjl.dll Cdikkg32.exe File created C:\Windows\SysWOW64\Jjdkdl32.exe Jgenhp32.exe File created C:\Windows\SysWOW64\Kffbcfgd.dll Onphoo32.exe File created C:\Windows\SysWOW64\Fnpnndgp.exe Flabbihl.exe File created C:\Windows\SysWOW64\Bidjnkdg.exe Behnnm32.exe File opened for modification C:\Windows\SysWOW64\Jnclnihj.exe Jkdpanhg.exe File created C:\Windows\SysWOW64\Iifjjk32.dll Dogefd32.exe File opened for modification C:\Windows\SysWOW64\Nocemcbj.exe Nleiqhcg.exe File created C:\Windows\SysWOW64\Mjccnjpk.dll Aajpelhl.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Ampqjm32.exe File created C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Nmqcdceo.dll Jegble32.exe File created C:\Windows\SysWOW64\Kedaeh32.exe Kbfeimng.exe File created C:\Windows\SysWOW64\Hecjkifm.dll Dkmmhf32.exe File created C:\Windows\SysWOW64\Ecfecaop.dll Nfkpdn32.exe File created C:\Windows\SysWOW64\Lilchoah.dll Bkaqmeah.exe File created C:\Windows\SysWOW64\Eloemi32.exe Egdilkbf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7556 7492 WerFault.exe 773 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odgcfijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklemhne.dll" Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokbpahm.dll" Kfegbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocimgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbiki.dll" Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqpjbf32.dll" Cjndop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqgnokip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopljni.dll" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgpfqll.dll" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhekfh32.dll" Ampqjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkaqmeah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelcmdee.dll" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfcak32.dll" Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiabof32.dll" Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgcjoog.dll" Jbfijjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjdkdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Libgjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkjlm32.dll" Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnandi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" Djnpnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkbjhpi.dll" Clilkfnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cngcjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokokc32.dll" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll" Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dglpbbbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll" Dliijipn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kikdkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gphmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fphafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnlqnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmdpejfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfmmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbkcj32.dll" Pndniaop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiejho.dll" Bemgilhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kljqgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lecgje32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2372 2380 068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe 28 PID 2380 wrote to memory of 2372 2380 068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe 28 PID 2380 wrote to memory of 2372 2380 068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe 28 PID 2380 wrote to memory of 2372 2380 068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe 28 PID 2372 wrote to memory of 1420 2372 Hnandi32.exe 29 PID 2372 wrote to memory of 1420 2372 Hnandi32.exe 29 PID 2372 wrote to memory of 1420 2372 Hnandi32.exe 29 PID 2372 wrote to memory of 1420 2372 Hnandi32.exe 29 PID 1420 wrote to memory of 2600 1420 Hgjbmoob.exe 30 PID 1420 wrote to memory of 2600 1420 Hgjbmoob.exe 30 PID 1420 wrote to memory of 2600 1420 Hgjbmoob.exe 30 PID 1420 wrote to memory of 2600 1420 Hgjbmoob.exe 30 PID 2600 wrote to memory of 2584 2600 Hndkji32.exe 31 PID 2600 wrote to memory of 2584 2600 Hndkji32.exe 31 PID 2600 wrote to memory of 2584 2600 Hndkji32.exe 31 PID 2600 wrote to memory of 2584 2600 Hndkji32.exe 31 PID 2584 wrote to memory of 2476 2584 Hqbgfd32.exe 32 PID 2584 wrote to memory of 2476 2584 Hqbgfd32.exe 32 PID 2584 wrote to memory of 2476 2584 Hqbgfd32.exe 32 PID 2584 wrote to memory of 2476 2584 Hqbgfd32.exe 32 PID 2476 wrote to memory of 2512 2476 Hhioga32.exe 33 PID 2476 wrote to memory of 2512 2476 Hhioga32.exe 33 PID 2476 wrote to memory of 2512 2476 Hhioga32.exe 33 PID 2476 wrote to memory of 2512 2476 Hhioga32.exe 33 PID 2512 wrote to memory of 1196 2512 Hkhkcm32.exe 34 PID 2512 wrote to memory of 1196 2512 Hkhkcm32.exe 34 PID 2512 wrote to memory of 1196 2512 Hkhkcm32.exe 34 PID 2512 wrote to memory of 1196 2512 Hkhkcm32.exe 34 PID 1196 wrote to memory of 2960 1196 Hnfgphdl.exe 35 PID 1196 wrote to memory of 2960 1196 Hnfgphdl.exe 35 PID 1196 wrote to memory of 2960 1196 Hnfgphdl.exe 35 PID 1196 wrote to memory of 2960 1196 Hnfgphdl.exe 35 PID 2960 wrote to memory of 2520 2960 Hbbcpg32.exe 36 PID 2960 wrote to memory of 2520 2960 Hbbcpg32.exe 36 PID 2960 wrote to memory of 2520 2960 Hbbcpg32.exe 36 PID 2960 wrote to memory of 2520 2960 Hbbcpg32.exe 36 PID 2520 wrote to memory of 1576 2520 Hdpplb32.exe 37 PID 2520 wrote to memory of 1576 2520 Hdpplb32.exe 37 PID 2520 wrote to memory of 1576 2520 Hdpplb32.exe 37 PID 2520 wrote to memory of 1576 2520 Hdpplb32.exe 37 PID 1576 wrote to memory of 1308 1576 Hgolhn32.exe 38 PID 1576 wrote to memory of 1308 1576 Hgolhn32.exe 38 PID 1576 wrote to memory of 1308 1576 Hgolhn32.exe 38 PID 1576 wrote to memory of 1308 1576 Hgolhn32.exe 38 PID 1308 wrote to memory of 2800 1308 Hkjhimcf.exe 39 PID 1308 wrote to memory of 2800 1308 Hkjhimcf.exe 39 PID 1308 wrote to memory of 2800 1308 Hkjhimcf.exe 39 PID 1308 wrote to memory of 2800 1308 Hkjhimcf.exe 39 PID 2800 wrote to memory of 2784 2800 Inhdehbj.exe 40 PID 2800 wrote to memory of 2784 2800 Inhdehbj.exe 40 PID 2800 wrote to memory of 2784 2800 Inhdehbj.exe 40 PID 2800 wrote to memory of 2784 2800 Inhdehbj.exe 40 PID 2784 wrote to memory of 2924 2784 Imkdqe32.exe 41 PID 2784 wrote to memory of 2924 2784 Imkdqe32.exe 41 PID 2784 wrote to memory of 2924 2784 Imkdqe32.exe 41 PID 2784 wrote to memory of 2924 2784 Imkdqe32.exe 41 PID 2924 wrote to memory of 2052 2924 Icemmopa.exe 42 PID 2924 wrote to memory of 2052 2924 Icemmopa.exe 42 PID 2924 wrote to memory of 2052 2924 Icemmopa.exe 42 PID 2924 wrote to memory of 2052 2924 Icemmopa.exe 42 PID 2052 wrote to memory of 324 2052 Igainn32.exe 43 PID 2052 wrote to memory of 324 2052 Igainn32.exe 43 PID 2052 wrote to memory of 324 2052 Igainn32.exe 43 PID 2052 wrote to memory of 324 2052 Igainn32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\068e0c70195a7fb9959f06e1859fb1d0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Hnandi32.exeC:\Windows\system32\Hnandi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Hndkji32.exeC:\Windows\system32\Hndkji32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Hqbgfd32.exeC:\Windows\system32\Hqbgfd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Hkhkcm32.exeC:\Windows\system32\Hkhkcm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Hnfgphdl.exeC:\Windows\system32\Hnfgphdl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Hkjhimcf.exeC:\Windows\system32\Hkjhimcf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Imnafd32.exeC:\Windows\system32\Imnafd32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Igcecmfg.exeC:\Windows\system32\Igcecmfg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe33⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe35⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe36⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe37⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe38⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe39⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe40⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe41⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe42⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe43⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe45⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe46⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe47⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe49⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe52⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe53⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe54⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe55⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe56⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe57⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe58⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe59⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe60⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe61⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe64⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe65⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe66⤵PID:696
-
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe67⤵PID:684
-
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe68⤵
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe69⤵PID:600
-
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:788 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe71⤵
- Drops file in System32 directory
PID:1112 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe72⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe73⤵PID:2608
-
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe74⤵PID:1804
-
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe75⤵PID:2188
-
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe76⤵PID:2348
-
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe77⤵PID:2628
-
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe78⤵PID:936
-
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe79⤵PID:2840
-
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe80⤵PID:2760
-
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe81⤵PID:1788
-
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe83⤵PID:776
-
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe84⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe85⤵PID:1812
-
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe86⤵PID:3016
-
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe87⤵PID:1076
-
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe88⤵
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe89⤵PID:2516
-
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe90⤵PID:2728
-
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe91⤵PID:2540
-
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe92⤵PID:2696
-
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe93⤵PID:2792
-
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe94⤵PID:1816
-
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe95⤵PID:1796
-
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe96⤵PID:1460
-
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe98⤵PID:644
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe99⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe100⤵PID:2288
-
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe101⤵PID:2508
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe102⤵PID:2672
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe103⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe104⤵PID:2572
-
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe105⤵PID:1104
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe106⤵PID:1744
-
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe107⤵PID:1988
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1148 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe109⤵PID:864
-
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe110⤵PID:900
-
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe111⤵PID:2668
-
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe112⤵PID:2536
-
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe113⤵PID:2656
-
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe114⤵PID:2448
-
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe115⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe116⤵PID:1668
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe117⤵PID:2444
-
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe118⤵PID:1956
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe119⤵PID:1648
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe120⤵PID:2284
-
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe121⤵PID:1640
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-