Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15-05-2024 18:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe
-
Size
352KB
-
MD5
1328c3a6ca0f6692015500c36a1f92d0
-
SHA1
be1d02d4aa8de3301a5690f1932acd103d2c9b00
-
SHA256
2021056e6493ab4691cb810e585b5d5673ef38f1ff3acb804711abb2079b6c83
-
SHA512
2bfd8075072aaffd131665d78024f11a174dd3ff921c8304550542bd6782b629f54441efe0792b8b4a7bad0489c28ef3db23c4727a8a2a7587b57f83aff53a2f
-
SSDEEP
6144:+zOT+wZEkq2z9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:kOHZEkQsUasUqsU6sp
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphgln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgddam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenakoho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjdhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnagmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgciff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aohgfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbopmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bieopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coladm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdfqogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lehdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofngkga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpabpcdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplfkjbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkjhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkpglbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mikhgqbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmfgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bikjmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdbhge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boidnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foolgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonldcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbidne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfkba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abjeejep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojmbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcemnopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oagoep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phklaacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpcnonob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eabepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klkfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphooc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kddmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddaemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peeoidik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbmkfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajala32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqeqqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coafko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foojop32.exe -
Executes dropped EXE 64 IoCs
pid Process 2504 Jajala32.exe 2684 Kfjggo32.exe 2544 Kjoifb32.exe 2736 Kddmdk32.exe 2488 Lflplbpi.exe 552 Lgpiij32.exe 548 Mapccndn.exe 1384 Mikhgqbi.exe 2708 Nianhplq.exe 2004 Nbjcqe32.exe 1964 Ndnlnm32.exe 1272 Oklnff32.exe 2172 Oiakgcnl.exe 1104 Oehklddp.exe 2380 Oghhfg32.exe 2980 Ocohkh32.exe 2780 Pcaepg32.exe 1692 Pohfehdi.exe 2972 Pgckjk32.exe 1168 Pkacpihj.exe 1544 Aoohekal.exe 300 Ajjfkh32.exe 2056 Bffpki32.exe 1980 Bcjqdmla.exe 2176 Cpcnonob.exe 2164 Cohkpj32.exe 1608 Cojhejbh.exe 2664 Cffljlpc.exe 2624 Dohgomgf.exe 2616 Dhplhc32.exe 2444 Diphbfdi.exe 2852 Ehgbhbgn.exe 1956 Eabcggll.exe 2024 Epgphcqd.exe 976 Fjbafi32.exe 2716 Foojop32.exe 2864 Ffibkj32.exe 2012 Fdbhge32.exe 1648 Fgadda32.exe 1128 Gegabegc.exe 1836 Gnpflj32.exe 1764 Gfkkpmko.exe 1068 Gcokiaji.exe 776 Hfpdkl32.exe 1824 Hphidanj.exe 1840 Hhcmhdke.exe 2060 Halbai32.exe 2244 Hhejnc32.exe 1148 Hanogipc.exe 1676 Hhhgcc32.exe 2356 Hnbopmnm.exe 2108 Hfmddp32.exe 1928 Hndlem32.exe 2648 Ipehmebh.exe 2772 Iaeegh32.exe 2580 Ibfaopoi.exe 2252 Ipjahd32.exe 2700 Idfnicfl.exe 2392 Imnbbi32.exe 2876 Ioooiack.exe 2248 Ihhcbf32.exe 2500 Ioakoq32.exe 2348 Ielclkhe.exe 896 Jhjphfgi.exe -
Loads dropped DLL 64 IoCs
pid Process 2656 1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe 2656 1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe 2504 Jajala32.exe 2504 Jajala32.exe 2684 Kfjggo32.exe 2684 Kfjggo32.exe 2544 Kjoifb32.exe 2544 Kjoifb32.exe 2736 Kddmdk32.exe 2736 Kddmdk32.exe 2488 Lflplbpi.exe 2488 Lflplbpi.exe 552 Lgpiij32.exe 552 Lgpiij32.exe 548 Mapccndn.exe 548 Mapccndn.exe 1384 Mikhgqbi.exe 1384 Mikhgqbi.exe 2708 Nianhplq.exe 2708 Nianhplq.exe 2004 Nbjcqe32.exe 2004 Nbjcqe32.exe 1964 Ndnlnm32.exe 1964 Ndnlnm32.exe 1272 Oklnff32.exe 1272 Oklnff32.exe 2172 Oiakgcnl.exe 2172 Oiakgcnl.exe 1104 Oehklddp.exe 1104 Oehklddp.exe 2380 Oghhfg32.exe 2380 Oghhfg32.exe 2980 Ocohkh32.exe 2980 Ocohkh32.exe 2780 Pcaepg32.exe 2780 Pcaepg32.exe 1692 Pohfehdi.exe 1692 Pohfehdi.exe 2972 Pgckjk32.exe 2972 Pgckjk32.exe 1168 Pkacpihj.exe 1168 Pkacpihj.exe 1544 Aoohekal.exe 1544 Aoohekal.exe 300 Ajjfkh32.exe 300 Ajjfkh32.exe 2056 Bffpki32.exe 2056 Bffpki32.exe 1980 Bcjqdmla.exe 1980 Bcjqdmla.exe 2176 Cpcnonob.exe 2176 Cpcnonob.exe 2164 Cohkpj32.exe 2164 Cohkpj32.exe 1608 Cojhejbh.exe 1608 Cojhejbh.exe 2664 Cffljlpc.exe 2664 Cffljlpc.exe 2624 Dohgomgf.exe 2624 Dohgomgf.exe 2616 Dhplhc32.exe 2616 Dhplhc32.exe 2444 Diphbfdi.exe 2444 Diphbfdi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jkchmo32.exe Jefpeh32.exe File created C:\Windows\SysWOW64\Nklpbacp.dll Kenoifpb.exe File created C:\Windows\SysWOW64\Ckndebll.dll Bceibfgj.exe File created C:\Windows\SysWOW64\Ojbbmnhc.exe Opialpld.exe File created C:\Windows\SysWOW64\Lhnmoo32.exe Lcadghnk.exe File opened for modification C:\Windows\SysWOW64\Kddmdk32.exe Kjoifb32.exe File opened for modification C:\Windows\SysWOW64\Lflplbpi.exe Kddmdk32.exe File created C:\Windows\SysWOW64\Folfoj32.exe Eeaepd32.exe File opened for modification C:\Windows\SysWOW64\Kcgphp32.exe Kjokokha.exe File created C:\Windows\SysWOW64\Nlcgpm32.dll Lhpglecl.exe File opened for modification C:\Windows\SysWOW64\Miapbpmb.exe Mmjomogn.exe File opened for modification C:\Windows\SysWOW64\Cchdpbog.exe Cnklgkap.exe File created C:\Windows\SysWOW64\Kmficl32.exe Kjepaa32.exe File created C:\Windows\SysWOW64\Hanogipc.exe Hhejnc32.exe File created C:\Windows\SysWOW64\Gchfle32.dll Jeafjiop.exe File created C:\Windows\SysWOW64\Eheglk32.exe Dbiocd32.exe File opened for modification C:\Windows\SysWOW64\Hgnokgcc.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Kadica32.exe Kkjpggkn.exe File created C:\Windows\SysWOW64\Onipnblf.dll Mhjcec32.exe File created C:\Windows\SysWOW64\Ncpdbohb.exe Nijpdfhm.exe File created C:\Windows\SysWOW64\Qbkalpla.dll Eicpcm32.exe File created C:\Windows\SysWOW64\Liolokfg.dll Omefkplm.exe File created C:\Windows\SysWOW64\Gcbabpcf.exe Folfoj32.exe File opened for modification C:\Windows\SysWOW64\Hakkgc32.exe Hcgjmo32.exe File created C:\Windows\SysWOW64\Hkgioloi.dll Hofngkga.exe File created C:\Windows\SysWOW64\Eiilephi.dll Ljigih32.exe File created C:\Windows\SysWOW64\Ophppo32.dll Adiaommc.exe File created C:\Windows\SysWOW64\Okjnobhq.dll Hfmddp32.exe File created C:\Windows\SysWOW64\Pqgono32.dll Ddblgn32.exe File created C:\Windows\SysWOW64\Lcjlnpmo.exe Kjahej32.exe File opened for modification C:\Windows\SysWOW64\Igmepdbc.exe Hhfkihon.exe File created C:\Windows\SysWOW64\Ejapnc32.dll Mhkfnlme.exe File opened for modification C:\Windows\SysWOW64\Ijkocg32.exe Hgkfal32.exe File opened for modification C:\Windows\SysWOW64\Ppmgfb32.exe Pmmneg32.exe File created C:\Windows\SysWOW64\Ndfkbpjk.dll Ahngomkd.exe File created C:\Windows\SysWOW64\Dohgomgf.exe Cffljlpc.exe File created C:\Windows\SysWOW64\Halbai32.exe Hhcmhdke.exe File created C:\Windows\SysWOW64\Kmkejc32.dll Hndlem32.exe File created C:\Windows\SysWOW64\Jcidje32.dll Hakkgc32.exe File created C:\Windows\SysWOW64\Egajnfoe.exe Eaebeoan.exe File created C:\Windows\SysWOW64\Dinpnged.exe Dpfkeb32.exe File opened for modification C:\Windows\SysWOW64\Diphbfdi.exe Dhplhc32.exe File opened for modification C:\Windows\SysWOW64\Daofpchf.exe Cfeepelg.exe File opened for modification C:\Windows\SysWOW64\Lclicpkm.exe Lcjlnpmo.exe File created C:\Windows\SysWOW64\Dpcmgi32.exe Dhhhbg32.exe File opened for modification C:\Windows\SysWOW64\Ghbljk32.exe Gojhafnb.exe File opened for modification C:\Windows\SysWOW64\Ndnlnm32.exe Nbjcqe32.exe File created C:\Windows\SysWOW64\Afffenbp.exe Ajpepm32.exe File created C:\Windows\SysWOW64\Opaqpn32.exe Ofilgh32.exe File created C:\Windows\SysWOW64\Fbfflo32.dll Djicmk32.exe File created C:\Windows\SysWOW64\Imlmlm32.dll Nenakoho.exe File opened for modification C:\Windows\SysWOW64\Pdonhj32.exe Omefkplm.exe File created C:\Windows\SysWOW64\Hboddk32.exe Hmalldcn.exe File created C:\Windows\SysWOW64\Fnpeed32.dll Cfkloq32.exe File created C:\Windows\SysWOW64\Mphaobfe.dll Ohfcfb32.exe File created C:\Windows\SysWOW64\Bmhdihjd.dll Mmjomogn.exe File opened for modification C:\Windows\SysWOW64\Kfjggo32.exe Jajala32.exe File created C:\Windows\SysWOW64\Hfmddp32.exe Hnbopmnm.exe File created C:\Windows\SysWOW64\Neqnqofm.exe Nlhjhi32.exe File created C:\Windows\SysWOW64\Hqfaldbo.exe Gcbabpcf.exe File created C:\Windows\SysWOW64\Nnafnopi.exe Nidmfh32.exe File created C:\Windows\SysWOW64\Fpcgndfi.dll Ghacfmic.exe File created C:\Windows\SysWOW64\Dmplbgpm.dll Ijaaae32.exe File created C:\Windows\SysWOW64\Ecmjid32.exe Ejdfqogm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1912 1548 WerFault.exe 529 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Diphbfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejecol32.dll" Hnbopmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmahg32.dll" Edlhqlfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feiddbbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncpdbohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enbogmnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meecopha.dll" Gnpflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdonhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehngihn.dll" Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghbljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apofpf32.dll" Pohfehdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicjoa32.dll" Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfknedh.dll" Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnhaca.dll" Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdlbn32.dll" Abjeejep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocohkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmfkmah.dll" Hiclkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgnokgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnnjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmlfmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najeid32.dll" Kaholp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nobndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjnobhq.dll" Hfmddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpbalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqoeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adfbpega.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpnkopeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibfaopoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlhjhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlapaeh.dll" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcighi32.dll" Jkchmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcgpm32.dll" Lhpglecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mclebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceebklai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqnapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdpbking.dll" Efhcej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmecdp32.dll" Pgckjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaeegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcgjmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhjcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehhiell.dll" Coafko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmcnqama.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bikcbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll" Ibfmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfcdblf.dll" Cffljlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gklodf32.dll" Edibhmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hofngkga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obckefai.dll" Nnodgbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piadma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Halbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elebllmi.dll" Bgblmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjcgnola.dll" Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll" Kadica32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2656 wrote to memory of 2504 2656 1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe 28 PID 2656 wrote to memory of 2504 2656 1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe 28 PID 2656 wrote to memory of 2504 2656 1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe 28 PID 2656 wrote to memory of 2504 2656 1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe 28 PID 2504 wrote to memory of 2684 2504 Jajala32.exe 29 PID 2504 wrote to memory of 2684 2504 Jajala32.exe 29 PID 2504 wrote to memory of 2684 2504 Jajala32.exe 29 PID 2504 wrote to memory of 2684 2504 Jajala32.exe 29 PID 2684 wrote to memory of 2544 2684 Kfjggo32.exe 30 PID 2684 wrote to memory of 2544 2684 Kfjggo32.exe 30 PID 2684 wrote to memory of 2544 2684 Kfjggo32.exe 30 PID 2684 wrote to memory of 2544 2684 Kfjggo32.exe 30 PID 2544 wrote to memory of 2736 2544 Kjoifb32.exe 31 PID 2544 wrote to memory of 2736 2544 Kjoifb32.exe 31 PID 2544 wrote to memory of 2736 2544 Kjoifb32.exe 31 PID 2544 wrote to memory of 2736 2544 Kjoifb32.exe 31 PID 2736 wrote to memory of 2488 2736 Kddmdk32.exe 32 PID 2736 wrote to memory of 2488 2736 Kddmdk32.exe 32 PID 2736 wrote to memory of 2488 2736 Kddmdk32.exe 32 PID 2736 wrote to memory of 2488 2736 Kddmdk32.exe 32 PID 2488 wrote to memory of 552 2488 Lflplbpi.exe 33 PID 2488 wrote to memory of 552 2488 Lflplbpi.exe 33 PID 2488 wrote to memory of 552 2488 Lflplbpi.exe 33 PID 2488 wrote to memory of 552 2488 Lflplbpi.exe 33 PID 552 wrote to memory of 548 552 Lgpiij32.exe 34 PID 552 wrote to memory of 548 552 Lgpiij32.exe 34 PID 552 wrote to memory of 548 552 Lgpiij32.exe 34 PID 552 wrote to memory of 548 552 Lgpiij32.exe 34 PID 548 wrote to memory of 1384 548 Mapccndn.exe 35 PID 548 wrote to memory of 1384 548 Mapccndn.exe 35 PID 548 wrote to memory of 1384 548 Mapccndn.exe 35 PID 548 wrote to memory of 1384 548 Mapccndn.exe 35 PID 1384 wrote to memory of 2708 1384 Mikhgqbi.exe 36 PID 1384 wrote to memory of 2708 1384 Mikhgqbi.exe 36 PID 1384 wrote to memory of 2708 1384 Mikhgqbi.exe 36 PID 1384 wrote to memory of 2708 1384 Mikhgqbi.exe 36 PID 2708 wrote to memory of 2004 2708 Nianhplq.exe 37 PID 2708 wrote to memory of 2004 2708 Nianhplq.exe 37 PID 2708 wrote to memory of 2004 2708 Nianhplq.exe 37 PID 2708 wrote to memory of 2004 2708 Nianhplq.exe 37 PID 2004 wrote to memory of 1964 2004 Nbjcqe32.exe 38 PID 2004 wrote to memory of 1964 2004 Nbjcqe32.exe 38 PID 2004 wrote to memory of 1964 2004 Nbjcqe32.exe 38 PID 2004 wrote to memory of 1964 2004 Nbjcqe32.exe 38 PID 1964 wrote to memory of 1272 1964 Ndnlnm32.exe 39 PID 1964 wrote to memory of 1272 1964 Ndnlnm32.exe 39 PID 1964 wrote to memory of 1272 1964 Ndnlnm32.exe 39 PID 1964 wrote to memory of 1272 1964 Ndnlnm32.exe 39 PID 1272 wrote to memory of 2172 1272 Oklnff32.exe 40 PID 1272 wrote to memory of 2172 1272 Oklnff32.exe 40 PID 1272 wrote to memory of 2172 1272 Oklnff32.exe 40 PID 1272 wrote to memory of 2172 1272 Oklnff32.exe 40 PID 2172 wrote to memory of 1104 2172 Oiakgcnl.exe 41 PID 2172 wrote to memory of 1104 2172 Oiakgcnl.exe 41 PID 2172 wrote to memory of 1104 2172 Oiakgcnl.exe 41 PID 2172 wrote to memory of 1104 2172 Oiakgcnl.exe 41 PID 1104 wrote to memory of 2380 1104 Oehklddp.exe 42 PID 1104 wrote to memory of 2380 1104 Oehklddp.exe 42 PID 1104 wrote to memory of 2380 1104 Oehklddp.exe 42 PID 1104 wrote to memory of 2380 1104 Oehklddp.exe 42 PID 2380 wrote to memory of 2980 2380 Oghhfg32.exe 43 PID 2380 wrote to memory of 2980 2380 Oghhfg32.exe 43 PID 2380 wrote to memory of 2980 2380 Oghhfg32.exe 43 PID 2380 wrote to memory of 2980 2380 Oghhfg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1328c3a6ca0f6692015500c36a1f92d0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:300 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe33⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe34⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe35⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe36⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe38⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe40⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe41⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe43⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe44⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe45⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe46⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe50⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe51⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe55⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe58⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe59⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe61⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe62⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe63⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe64⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe65⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe66⤵PID:772
-
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe67⤵PID:1740
-
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe68⤵PID:1132
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe69⤵PID:2096
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe70⤵PID:2508
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe72⤵PID:3060
-
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe73⤵PID:2132
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe74⤵PID:1056
-
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe75⤵PID:2200
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe76⤵PID:2124
-
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe79⤵PID:2632
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe80⤵PID:2520
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe82⤵PID:2844
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe84⤵PID:2480
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe85⤵PID:588
-
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe86⤵
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe87⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe88⤵PID:1936
-
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe89⤵PID:2080
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe90⤵PID:804
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe91⤵PID:2216
-
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe92⤵PID:2092
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe93⤵PID:1248
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe94⤵PID:2084
-
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe95⤵PID:1252
-
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe96⤵PID:792
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe97⤵PID:1628
-
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe98⤵PID:1976
-
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe100⤵PID:1700
-
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe101⤵PID:1968
-
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe102⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe103⤵PID:2908
-
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe104⤵PID:2420
-
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe105⤵PID:2456
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe106⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:488 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe108⤵PID:1852
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe109⤵PID:340
-
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe110⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe111⤵PID:3036
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe112⤵PID:2936
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe113⤵PID:2340
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe114⤵PID:1040
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe115⤵PID:1732
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe116⤵PID:1848
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe117⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe118⤵PID:268
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe119⤵PID:1780
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe120⤵
- Modifies registry class
PID:716 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe121⤵
- Drops file in System32 directory
PID:2260
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-