Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
15-05-2024 19:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe
-
Size
322KB
-
MD5
20e506e7001ae569bcd725d4277cd560
-
SHA1
393e5ce7905af2679ea845c06071c43747aab639
-
SHA256
acd8953376af19eaf3295dd994defddbf93f3f7749ac45d5924530a37fc0a48d
-
SHA512
56fdac06134aaf6bc26914cf225bc6cf60098b7564811776fb90145ff7e1ad516a6103be6a5d33aed3f12696bb07d1a3aca956ce19a3c6e48e8db379c4a0c80f
-
SSDEEP
1536:aajeRJPPrBQZ5loubkzVizAB21RQTTmDhdF+PhJFTq1dlCsTx4LB:lQJPPVQZ/BGWAB6eTSVGZ3Odl
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pndniaop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnqmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkcpei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibhndp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdplm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlfejcoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfmafg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcgdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqecg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimcclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilcoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbaken32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aeenochi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijpnfif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Heikgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mabgcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibkkjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcbgkka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kincipnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lapnnafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahhgnkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgpbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamimc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnojacgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhdplq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iheddndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoigpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajbggjfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kincipnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cejphiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okojkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Incbgnmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdhcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnbjlpom.exe -
Executes dropped EXE 64 IoCs
pid Process 1748 Ondajnme.exe 2912 Ofpfnqjp.exe 2340 Pgobhcac.exe 2732 Paggai32.exe 3044 Plahag32.exe 2836 Piehkkcl.exe 2744 Pigeqkai.exe 2936 Pndniaop.exe 1444 Qhmbagfa.exe 632 Qljkhe32.exe 1948 Qmlgonbe.exe 1964 Qecoqk32.exe 1028 Aalmklfi.exe 2620 Ajdadamj.exe 2284 Alhjai32.exe 484 Aepojo32.exe 1844 Blmdlhmp.exe 1924 Bokphdld.exe 2876 Bbflib32.exe 784 Bhcdaibd.exe 1544 Balijo32.exe 792 Bdjefj32.exe 2020 Bopicc32.exe 2304 Bpafkknm.exe 3040 Bkfjhd32.exe 2364 Bnefdp32.exe 2988 Cjlgiqbk.exe 2888 Cljcelan.exe 2904 Cllpkl32.exe 2444 Cgbdhd32.exe 2716 Cfeddafl.exe 2736 Cciemedf.exe 2556 Claifkkf.exe 2684 Cbnbobin.exe 2524 Clcflkic.exe 1916 Cobbhfhg.exe 1776 Dgmglh32.exe 1508 Dbbkja32.exe 2004 Dgodbh32.exe 1904 Dnilobkm.exe 2508 Dcfdgiid.exe 1756 Dkmmhf32.exe 2368 Dchali32.exe 584 Dmafennb.exe 1240 Dcknbh32.exe 1804 Dfijnd32.exe 2884 Emcbkn32.exe 1744 Ecmkghcl.exe 612 Eflgccbp.exe 2044 Eijcpoac.exe 1604 Epdkli32.exe 2124 Ebbgid32.exe 888 Efncicpm.exe 2980 Eilpeooq.exe 2952 Eecqjpee.exe 2928 Epieghdk.exe 856 Enkece32.exe 2652 Eajaoq32.exe 2792 Eiaiqn32.exe 2740 Ennaieib.exe 2572 Ebinic32.exe 2164 Fhffaj32.exe 1952 Flabbihl.exe 2324 Fnpnndgp.exe -
Loads dropped DLL 64 IoCs
pid Process 2100 20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe 2100 20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe 1748 Ondajnme.exe 1748 Ondajnme.exe 2912 Ofpfnqjp.exe 2912 Ofpfnqjp.exe 2340 Pgobhcac.exe 2340 Pgobhcac.exe 2732 Paggai32.exe 2732 Paggai32.exe 3044 Plahag32.exe 3044 Plahag32.exe 2836 Piehkkcl.exe 2836 Piehkkcl.exe 2744 Pigeqkai.exe 2744 Pigeqkai.exe 2936 Pndniaop.exe 2936 Pndniaop.exe 1444 Qhmbagfa.exe 1444 Qhmbagfa.exe 632 Qljkhe32.exe 632 Qljkhe32.exe 1948 Qmlgonbe.exe 1948 Qmlgonbe.exe 1964 Qecoqk32.exe 1964 Qecoqk32.exe 1028 Aalmklfi.exe 1028 Aalmklfi.exe 2620 Ajdadamj.exe 2620 Ajdadamj.exe 2284 Alhjai32.exe 2284 Alhjai32.exe 484 Aepojo32.exe 484 Aepojo32.exe 1844 Blmdlhmp.exe 1844 Blmdlhmp.exe 1924 Bokphdld.exe 1924 Bokphdld.exe 2876 Bbflib32.exe 2876 Bbflib32.exe 784 Bhcdaibd.exe 784 Bhcdaibd.exe 1544 Balijo32.exe 1544 Balijo32.exe 792 Bdjefj32.exe 792 Bdjefj32.exe 2020 Bopicc32.exe 2020 Bopicc32.exe 2304 Bpafkknm.exe 2304 Bpafkknm.exe 3040 Bkfjhd32.exe 3040 Bkfjhd32.exe 2364 Bnefdp32.exe 2364 Bnefdp32.exe 2988 Cjlgiqbk.exe 2988 Cjlgiqbk.exe 2888 Cljcelan.exe 2888 Cljcelan.exe 2904 Cllpkl32.exe 2904 Cllpkl32.exe 2444 Cgbdhd32.exe 2444 Cgbdhd32.exe 2716 Cfeddafl.exe 2716 Cfeddafl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ebcjamoh.exe Eqamje32.exe File created C:\Windows\SysWOW64\Imlkna32.dll Cophko32.exe File created C:\Windows\SysWOW64\Ahdaee32.exe Aefeijle.exe File opened for modification C:\Windows\SysWOW64\Padeldeo.exe Pkjmoj32.exe File created C:\Windows\SysWOW64\Qjjgclai.exe Qcpofbjl.exe File created C:\Windows\SysWOW64\Dnjngk32.exe Dgpfkakd.exe File created C:\Windows\SysWOW64\Agfgqo32.exe Apoooa32.exe File created C:\Windows\SysWOW64\Fjmaaddo.exe Fhneehek.exe File created C:\Windows\SysWOW64\Jbdnbdld.dll Meoell32.exe File opened for modification C:\Windows\SysWOW64\Pahogc32.exe Pnmcfeia.exe File created C:\Windows\SysWOW64\Adpkee32.exe Amfcikek.exe File created C:\Windows\SysWOW64\Lhefhd32.dll Fmbhok32.exe File created C:\Windows\SysWOW64\Knpemf32.exe Kgemplap.exe File created C:\Windows\SysWOW64\Fmkilb32.exe Process not Found File created C:\Windows\SysWOW64\Eecqjpee.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Pgicjg32.dll Ecejkf32.exe File created C:\Windows\SysWOW64\Pjcckf32.exe Pgegok32.exe File opened for modification C:\Windows\SysWOW64\Ldoimh32.exe Lqcmmjko.exe File created C:\Windows\SysWOW64\Llpenogi.dll Mlhnifmq.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hlakpp32.exe File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe Hahjpbad.exe File created C:\Windows\SysWOW64\Lijfoo32.dll Pkpagq32.exe File created C:\Windows\SysWOW64\Akaneplm.dll Ibckfa32.exe File opened for modification C:\Windows\SysWOW64\Mimgeigj.exe Process not Found File created C:\Windows\SysWOW64\Lpdhmlbj.dll Eecqjpee.exe File created C:\Windows\SysWOW64\Eacpijip.dll Eniclh32.exe File created C:\Windows\SysWOW64\Qdnpmb32.dll Iipiljgf.exe File opened for modification C:\Windows\SysWOW64\Gpmjak32.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Oaaifdhb.exe Ooclji32.exe File created C:\Windows\SysWOW64\Jlamphei.dll Process not Found File created C:\Windows\SysWOW64\Oggfcl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Ooeggp32.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Dpbheh32.exe File opened for modification C:\Windows\SysWOW64\Ecnoijbd.exe Process not Found File created C:\Windows\SysWOW64\Ogqhpm32.dll Process not Found File created C:\Windows\SysWOW64\Ceebklai.exe Process not Found File created C:\Windows\SysWOW64\Ihfjognl.exe Idknoi32.exe File opened for modification C:\Windows\SysWOW64\Cophko32.exe Clalod32.exe File opened for modification C:\Windows\SysWOW64\Bfagpiam.exe Bepjha32.exe File created C:\Windows\SysWOW64\Ffibkj32.exe Fbmfkkbm.exe File created C:\Windows\SysWOW64\Gmpcgace.exe Process not Found File created C:\Windows\SysWOW64\Qppkfhlc.exe Process not Found File created C:\Windows\SysWOW64\Qkekligg.dll Fhqbkhch.exe File opened for modification C:\Windows\SysWOW64\Kblhgk32.exe Kiccofna.exe File created C:\Windows\SysWOW64\Hoikeh32.dll Gdniqh32.exe File created C:\Windows\SysWOW64\Imjcfnhk.dll Qbbhgi32.exe File opened for modification C:\Windows\SysWOW64\Ceeieced.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fnflke32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe Hogmmjfo.exe File opened for modification C:\Windows\SysWOW64\Dbkknojp.exe Dolnad32.exe File opened for modification C:\Windows\SysWOW64\Hdildlie.exe Heglio32.exe File created C:\Windows\SysWOW64\Kgckfd32.dll Bmnlbcfg.exe File created C:\Windows\SysWOW64\Mgjebg32.exe Melifl32.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Flabbihl.exe Fhffaj32.exe File created C:\Windows\SysWOW64\Ndmjqgdd.dll Bmeimhdj.exe File created C:\Windows\SysWOW64\Ggfnopfg.exe Gmpjagfa.exe File created C:\Windows\SysWOW64\Ibhndp32.exe Imleli32.exe File opened for modification C:\Windows\SysWOW64\Ieajkfmd.exe Process not Found File created C:\Windows\SysWOW64\Dchali32.exe Dkmmhf32.exe File opened for modification C:\Windows\SysWOW64\Qgmpibam.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mieeibkn.exe Mbkmlh32.exe File created C:\Windows\SysWOW64\Lekjcmbe.dll Jofbag32.exe File opened for modification C:\Windows\SysWOW64\Diaaeepi.exe Process not Found -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Edggmg32.¾ll Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgljbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dccagcgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elqaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplbqgdb.dll" Mgjebg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmcgmjk.dll" Ogblbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcaioco.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbkcgmo.dll" Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moidahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll" Blobjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Delmmigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flaehkpo.dll" Lfolaang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqfcn32.dll" Nlpkdkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll" Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjcmbe.dll" Jofbag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbecd32.dll" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhmenjp.dll" Ocgpappk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qkhpkoen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gnpmfqap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqkmn32.dll" Heikgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npccpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidhqcek.dll" Clooiddm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Akhfoldn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chqoipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmimme32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inkccpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll" Lphhenhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hppfog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fciang32.dll" Jjaimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Edclib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlfejcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eknkpbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaehhqjh.dll" Pkcpei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnopldgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kofaicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohcdhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlncpkde.dll" Gnpmfqap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egglkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnjplo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgpiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondii32.dll" Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll" Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkhilpb.dll" Ndkmpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epecbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclgfa32.dll" Bpleef32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 1748 2100 20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe 28 PID 2100 wrote to memory of 1748 2100 20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe 28 PID 2100 wrote to memory of 1748 2100 20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe 28 PID 2100 wrote to memory of 1748 2100 20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe 28 PID 1748 wrote to memory of 2912 1748 Ondajnme.exe 29 PID 1748 wrote to memory of 2912 1748 Ondajnme.exe 29 PID 1748 wrote to memory of 2912 1748 Ondajnme.exe 29 PID 1748 wrote to memory of 2912 1748 Ondajnme.exe 29 PID 2912 wrote to memory of 2340 2912 Ofpfnqjp.exe 30 PID 2912 wrote to memory of 2340 2912 Ofpfnqjp.exe 30 PID 2912 wrote to memory of 2340 2912 Ofpfnqjp.exe 30 PID 2912 wrote to memory of 2340 2912 Ofpfnqjp.exe 30 PID 2340 wrote to memory of 2732 2340 Pgobhcac.exe 31 PID 2340 wrote to memory of 2732 2340 Pgobhcac.exe 31 PID 2340 wrote to memory of 2732 2340 Pgobhcac.exe 31 PID 2340 wrote to memory of 2732 2340 Pgobhcac.exe 31 PID 2732 wrote to memory of 3044 2732 Paggai32.exe 32 PID 2732 wrote to memory of 3044 2732 Paggai32.exe 32 PID 2732 wrote to memory of 3044 2732 Paggai32.exe 32 PID 2732 wrote to memory of 3044 2732 Paggai32.exe 32 PID 3044 wrote to memory of 2836 3044 Plahag32.exe 33 PID 3044 wrote to memory of 2836 3044 Plahag32.exe 33 PID 3044 wrote to memory of 2836 3044 Plahag32.exe 33 PID 3044 wrote to memory of 2836 3044 Plahag32.exe 33 PID 2836 wrote to memory of 2744 2836 Piehkkcl.exe 34 PID 2836 wrote to memory of 2744 2836 Piehkkcl.exe 34 PID 2836 wrote to memory of 2744 2836 Piehkkcl.exe 34 PID 2836 wrote to memory of 2744 2836 Piehkkcl.exe 34 PID 2744 wrote to memory of 2936 2744 Pigeqkai.exe 35 PID 2744 wrote to memory of 2936 2744 Pigeqkai.exe 35 PID 2744 wrote to memory of 2936 2744 Pigeqkai.exe 35 PID 2744 wrote to memory of 2936 2744 Pigeqkai.exe 35 PID 2936 wrote to memory of 1444 2936 Pndniaop.exe 36 PID 2936 wrote to memory of 1444 2936 Pndniaop.exe 36 PID 2936 wrote to memory of 1444 2936 Pndniaop.exe 36 PID 2936 wrote to memory of 1444 2936 Pndniaop.exe 36 PID 1444 wrote to memory of 632 1444 Qhmbagfa.exe 37 PID 1444 wrote to memory of 632 1444 Qhmbagfa.exe 37 PID 1444 wrote to memory of 632 1444 Qhmbagfa.exe 37 PID 1444 wrote to memory of 632 1444 Qhmbagfa.exe 37 PID 632 wrote to memory of 1948 632 Qljkhe32.exe 38 PID 632 wrote to memory of 1948 632 Qljkhe32.exe 38 PID 632 wrote to memory of 1948 632 Qljkhe32.exe 38 PID 632 wrote to memory of 1948 632 Qljkhe32.exe 38 PID 1948 wrote to memory of 1964 1948 Qmlgonbe.exe 39 PID 1948 wrote to memory of 1964 1948 Qmlgonbe.exe 39 PID 1948 wrote to memory of 1964 1948 Qmlgonbe.exe 39 PID 1948 wrote to memory of 1964 1948 Qmlgonbe.exe 39 PID 1964 wrote to memory of 1028 1964 Qecoqk32.exe 40 PID 1964 wrote to memory of 1028 1964 Qecoqk32.exe 40 PID 1964 wrote to memory of 1028 1964 Qecoqk32.exe 40 PID 1964 wrote to memory of 1028 1964 Qecoqk32.exe 40 PID 1028 wrote to memory of 2620 1028 Aalmklfi.exe 41 PID 1028 wrote to memory of 2620 1028 Aalmklfi.exe 41 PID 1028 wrote to memory of 2620 1028 Aalmklfi.exe 41 PID 1028 wrote to memory of 2620 1028 Aalmklfi.exe 41 PID 2620 wrote to memory of 2284 2620 Ajdadamj.exe 42 PID 2620 wrote to memory of 2284 2620 Ajdadamj.exe 42 PID 2620 wrote to memory of 2284 2620 Ajdadamj.exe 42 PID 2620 wrote to memory of 2284 2620 Ajdadamj.exe 42 PID 2284 wrote to memory of 484 2284 Alhjai32.exe 43 PID 2284 wrote to memory of 484 2284 Alhjai32.exe 43 PID 2284 wrote to memory of 484 2284 Alhjai32.exe 43 PID 2284 wrote to memory of 484 2284 Alhjai32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\20e506e7001ae569bcd725d4277cd560_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:484 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe33⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe34⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe35⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe36⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe39⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe40⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe41⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe42⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe44⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe46⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe47⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe48⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe49⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe50⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe51⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe52⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe53⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe54⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe55⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe56⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe58⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe59⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe61⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe62⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe63⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe65⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe66⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe67⤵PID:1772
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe68⤵PID:1308
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe69⤵PID:2268
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe70⤵PID:1692
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe71⤵PID:2468
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe72⤵PID:832
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe73⤵PID:1652
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe74⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe75⤵PID:2160
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe76⤵PID:1736
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe77⤵PID:2360
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe78⤵PID:2900
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe79⤵PID:2660
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe80⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe81⤵PID:2812
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe82⤵PID:2536
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe83⤵PID:1304
-
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe84⤵PID:2016
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe85⤵PID:1292
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe86⤵PID:2392
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe87⤵PID:1592
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe88⤵PID:2312
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe89⤵PID:1528
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe90⤵PID:1000
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe91⤵PID:2504
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe92⤵PID:1600
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe93⤵PID:2152
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe94⤵PID:2788
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe95⤵PID:2804
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe96⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe97⤵PID:1088
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe98⤵PID:1180
-
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe99⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe100⤵PID:696
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe101⤵PID:2292
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe102⤵PID:2272
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe103⤵PID:1428
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe104⤵PID:1344
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe105⤵PID:1856
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe106⤵PID:2440
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe107⤵PID:2328
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe108⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe109⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe110⤵PID:2764
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe111⤵PID:2852
-
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe112⤵PID:2592
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe113⤵PID:1960
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe114⤵PID:1216
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe115⤵PID:1328
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe116⤵PID:2696
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe117⤵PID:304
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe118⤵PID:332
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe119⤵PID:1848
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe120⤵PID:592
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe121⤵PID:2076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-