Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 07:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe
-
Size
128KB
-
MD5
bd8efdf31b165bcc1696d08578b018c0
-
SHA1
beec74aad9558ee93fc1160e4f4a6a0f60b1ed6e
-
SHA256
34558dd5ac1d7ab8753385fcc92b267d1cbeed8dbaaceed096c9d3e8d9c29bff
-
SHA512
42c494a2f454ddea0769a56cfed683e79c87a08d191fe33ac103e36b1759b6531743c18b7bfe4931b35fda2661387babbabd9ee5a291cc872cd8c6eaa6958605
-
SSDEEP
3072:52G9yxQU1GNZNwdLNi+WvneoSJdEN0s4WE+3S9pui6yYPaI7DX:l9yaU16MxSeRENm+3Mpui6yYPaI/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmmfkafa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lollckbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clilkfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgejac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gljnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipllekdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nejiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmgbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcihlong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonplmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjaonpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfmfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnennj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmefooki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbiqfied.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olonpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfegmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dccagcgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejhlgaeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiommg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalfhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngfih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjdpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajgpbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpdnkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gikaio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icmegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfbelipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niebhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhofjoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oancnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blkioa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmneda32.exe -
Executes dropped EXE 64 IoCs
pid Process 3036 Globlmmj.exe 2692 Ghfbqn32.exe 2720 Glaoalkh.exe 2564 Gldkfl32.exe 2408 Gelppaof.exe 2064 Gmgdddmq.exe 2744 Ggpimica.exe 2928 Gddifnbk.exe 1592 Hknach32.exe 2580 Hmlnoc32.exe 2688 Hicodd32.exe 616 Hpocfncj.exe 840 Hhjhkq32.exe 2376 Hodpgjha.exe 1764 Hhmepp32.exe 2256 Iknnbklc.exe 1140 Idfbkq32.exe 876 Igdogl32.exe 952 Iokfhi32.exe 1036 Ikbgmj32.exe 2888 Inqcif32.exe 2176 Ikddbj32.exe 980 Incpoe32.exe 896 Jjjacf32.exe 1952 Jmhmpb32.exe 2236 Jiondcpk.exe 2600 Jfcnngnd.exe 2536 Jmmfkafa.exe 3068 Jcgogk32.exe 2512 Jonplmcb.exe 3052 Jifdebic.exe 2788 Joplbl32.exe 2808 Kbqecg32.exe 2452 Keoapb32.exe 1444 Kngfih32.exe 1488 Kafbec32.exe 540 Knjbnh32.exe 488 Kahojc32.exe 1016 Kfegbj32.exe 2924 Kiccofna.exe 2492 Kcihlong.exe 1972 Kifpdelo.exe 1984 Lihmjejl.exe 1960 Llfifq32.exe 1716 Loeebl32.exe 1808 Leonofpp.exe 1776 Leonofpp.exe 1484 Lijjoe32.exe 2204 Logbhl32.exe 2876 Leajdfnm.exe 1948 Lhpfqama.exe 1640 Llkbap32.exe 2496 Lojomkdn.exe 2604 Lecgje32.exe 2704 Llnofpcg.exe 2396 Lollckbk.exe 2468 Lajhofao.exe 2804 Mhdplq32.exe 376 Mkclhl32.exe 2572 Mmahdggc.exe 1544 Mppepcfg.exe 324 Mhgmapfi.exe 984 Mmceigep.exe 1708 Maoajf32.exe -
Loads dropped DLL 64 IoCs
pid Process 1888 bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe 1888 bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe 3036 Globlmmj.exe 3036 Globlmmj.exe 2692 Ghfbqn32.exe 2692 Ghfbqn32.exe 2720 Glaoalkh.exe 2720 Glaoalkh.exe 2564 Gldkfl32.exe 2564 Gldkfl32.exe 2408 Gelppaof.exe 2408 Gelppaof.exe 2064 Gmgdddmq.exe 2064 Gmgdddmq.exe 2744 Ggpimica.exe 2744 Ggpimica.exe 2928 Gddifnbk.exe 2928 Gddifnbk.exe 1592 Hknach32.exe 1592 Hknach32.exe 2580 Hmlnoc32.exe 2580 Hmlnoc32.exe 2688 Hicodd32.exe 2688 Hicodd32.exe 616 Hpocfncj.exe 616 Hpocfncj.exe 840 Hhjhkq32.exe 840 Hhjhkq32.exe 2376 Hodpgjha.exe 2376 Hodpgjha.exe 1764 Hhmepp32.exe 1764 Hhmepp32.exe 2256 Iknnbklc.exe 2256 Iknnbklc.exe 1140 Idfbkq32.exe 1140 Idfbkq32.exe 876 Igdogl32.exe 876 Igdogl32.exe 952 Iokfhi32.exe 952 Iokfhi32.exe 1036 Ikbgmj32.exe 1036 Ikbgmj32.exe 2888 Inqcif32.exe 2888 Inqcif32.exe 2176 Ikddbj32.exe 2176 Ikddbj32.exe 980 Incpoe32.exe 980 Incpoe32.exe 896 Jjjacf32.exe 896 Jjjacf32.exe 1500 Jfqahgpg.exe 1500 Jfqahgpg.exe 2236 Jiondcpk.exe 2236 Jiondcpk.exe 2600 Jfcnngnd.exe 2600 Jfcnngnd.exe 2536 Jmmfkafa.exe 2536 Jmmfkafa.exe 3068 Jcgogk32.exe 3068 Jcgogk32.exe 2512 Jonplmcb.exe 2512 Jonplmcb.exe 3052 Jifdebic.exe 3052 Jifdebic.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mgjcep32.dll Apdhjq32.exe File created C:\Windows\SysWOW64\Hjkbhikj.dll Qmfgjh32.exe File created C:\Windows\SysWOW64\Lkmkpl32.dll Emkaol32.exe File created C:\Windows\SysWOW64\Ichllgfb.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Kohkfj32.exe Kincipnk.exe File created C:\Windows\SysWOW64\Effqclic.dll Mhhfdo32.exe File opened for modification C:\Windows\SysWOW64\Mmihhelk.exe Mlhkpm32.exe File opened for modification C:\Windows\SysWOW64\Ndkmpe32.exe Namqci32.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Aibajhdn.exe File opened for modification C:\Windows\SysWOW64\Bhndldcn.exe Aadloj32.exe File created C:\Windows\SysWOW64\Oagcgibo.dll Giieco32.exe File opened for modification C:\Windows\SysWOW64\Ihjnom32.exe Idnaoohk.exe File created C:\Windows\SysWOW64\Mhgmapfi.exe Mppepcfg.exe File created C:\Windows\SysWOW64\Igdaoinc.dll Adnopfoj.exe File opened for modification C:\Windows\SysWOW64\Egllae32.exe Ednpej32.exe File created C:\Windows\SysWOW64\Ajcfjgdj.dll Oalfhf32.exe File created C:\Windows\SysWOW64\Bdmddc32.exe Baohhgnf.exe File opened for modification C:\Windows\SysWOW64\Ppbfpd32.exe Papfegmk.exe File created C:\Windows\SysWOW64\Qfahhm32.exe Qcbllb32.exe File created C:\Windows\SysWOW64\Kceojp32.dll Hakphqja.exe File created C:\Windows\SysWOW64\Ikkjbe32.exe Iccbqh32.exe File created C:\Windows\SysWOW64\Bilmcf32.exe Afnagk32.exe File created C:\Windows\SysWOW64\Baohhgnf.exe Boplllob.exe File created C:\Windows\SysWOW64\Ohkgmi32.dll Mkgfckcj.exe File created C:\Windows\SysWOW64\Hoogfn32.dll Ebjglbml.exe File opened for modification C:\Windows\SysWOW64\Afnagk32.exe Apdhjq32.exe File created C:\Windows\SysWOW64\Iknnbklc.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Iefmgahq.dll Baakhm32.exe File created C:\Windows\SysWOW64\Jbbpnl32.dll Ohhkjp32.exe File created C:\Windows\SysWOW64\Gebbnpfp.exe Gbcfadgl.exe File created C:\Windows\SysWOW64\Mpmapm32.exe Mmneda32.exe File opened for modification C:\Windows\SysWOW64\Bfkpqn32.exe Bdmddc32.exe File created C:\Windows\SysWOW64\Khcmap32.dll Lijjoe32.exe File opened for modification C:\Windows\SysWOW64\Oopnlacm.exe Ohfeog32.exe File opened for modification C:\Windows\SysWOW64\Adpkee32.exe Ajhgmpfg.exe File opened for modification C:\Windows\SysWOW64\Dhnmij32.exe Dfoqmo32.exe File created C:\Windows\SysWOW64\Abofbl32.dll Fjaonpnn.exe File opened for modification C:\Windows\SysWOW64\Bmeimhdj.exe Bfkpqn32.exe File created C:\Windows\SysWOW64\Cdoajb32.exe Bmeimhdj.exe File created C:\Windows\SysWOW64\Ogbknfbl.dll Kbfhbeek.exe File opened for modification C:\Windows\SysWOW64\Bonoflae.exe Blobjaba.exe File created C:\Windows\SysWOW64\Kafbec32.exe Kngfih32.exe File created C:\Windows\SysWOW64\Obcccl32.exe Ooeggp32.exe File opened for modification C:\Windows\SysWOW64\Pklhlael.exe Pdaoog32.exe File opened for modification C:\Windows\SysWOW64\Pnlqnl32.exe Pjadmnic.exe File created C:\Windows\SysWOW64\Papfegmk.exe Pnajilng.exe File created C:\Windows\SysWOW64\Mbmjah32.exe Mponel32.exe File created C:\Windows\SysWOW64\Nolcnd32.dll Iokfhi32.exe File created C:\Windows\SysWOW64\Dkmcgmjk.dll Oddpfc32.exe File created C:\Windows\SysWOW64\Clilkfnb.exe Cdbdjhmp.exe File opened for modification C:\Windows\SysWOW64\Figlolbf.exe Fbmcbbki.exe File created C:\Windows\SysWOW64\Pgegdo32.dll Hkfagfop.exe File created C:\Windows\SysWOW64\Pabakh32.dll Gldkfl32.exe File created C:\Windows\SysWOW64\Mbbcbk32.dll Ikkjbe32.exe File created C:\Windows\SysWOW64\Mkoleq32.dll Kmgbdo32.exe File created C:\Windows\SysWOW64\Cjnolikh.dll Baohhgnf.exe File created C:\Windows\SysWOW64\Gpejeihi.exe Gljnej32.exe File created C:\Windows\SysWOW64\Ollajp32.exe Odeiibdq.exe File created C:\Windows\SysWOW64\Daekko32.dll Oancnfoe.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gldkfl32.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hicodd32.exe File created C:\Windows\SysWOW64\Lojomkdn.exe Llkbap32.exe File opened for modification C:\Windows\SysWOW64\Cdikkg32.exe Caknol32.exe File created C:\Windows\SysWOW64\Kcbabf32.dll Ednpej32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5472 5396 WerFault.exe 503 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll" Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohendqhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjjacf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeabq32.dll" Omfkke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kifpdelo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhkbkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qfahhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Figlolbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcagpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odoloalf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncfoa32.dll" Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljiflem.dll" Jghmfhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lijjoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnelabi.dll" Haiccald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpjqiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfikmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagnqken.dll" Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanedg32.dll" Nhohda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbldmm32.dll" Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll" Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lccdel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhlhki32.dll" Kfegbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minceo32.dll" Lojomkdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ejhlgaeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcibkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konojnki.dll" Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhccl32.dll" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecejkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll" Blmfea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blmfea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oqcpob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onpjghhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cahail32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iieipa32.dll" Fnkjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpjaq32.dll" Oqcpob32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1888 wrote to memory of 3036 1888 bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe 28 PID 1888 wrote to memory of 3036 1888 bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe 28 PID 1888 wrote to memory of 3036 1888 bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe 28 PID 1888 wrote to memory of 3036 1888 bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe 28 PID 3036 wrote to memory of 2692 3036 Globlmmj.exe 29 PID 3036 wrote to memory of 2692 3036 Globlmmj.exe 29 PID 3036 wrote to memory of 2692 3036 Globlmmj.exe 29 PID 3036 wrote to memory of 2692 3036 Globlmmj.exe 29 PID 2692 wrote to memory of 2720 2692 Ghfbqn32.exe 30 PID 2692 wrote to memory of 2720 2692 Ghfbqn32.exe 30 PID 2692 wrote to memory of 2720 2692 Ghfbqn32.exe 30 PID 2692 wrote to memory of 2720 2692 Ghfbqn32.exe 30 PID 2720 wrote to memory of 2564 2720 Glaoalkh.exe 31 PID 2720 wrote to memory of 2564 2720 Glaoalkh.exe 31 PID 2720 wrote to memory of 2564 2720 Glaoalkh.exe 31 PID 2720 wrote to memory of 2564 2720 Glaoalkh.exe 31 PID 2564 wrote to memory of 2408 2564 Gldkfl32.exe 32 PID 2564 wrote to memory of 2408 2564 Gldkfl32.exe 32 PID 2564 wrote to memory of 2408 2564 Gldkfl32.exe 32 PID 2564 wrote to memory of 2408 2564 Gldkfl32.exe 32 PID 2408 wrote to memory of 2064 2408 Gelppaof.exe 33 PID 2408 wrote to memory of 2064 2408 Gelppaof.exe 33 PID 2408 wrote to memory of 2064 2408 Gelppaof.exe 33 PID 2408 wrote to memory of 2064 2408 Gelppaof.exe 33 PID 2064 wrote to memory of 2744 2064 Gmgdddmq.exe 34 PID 2064 wrote to memory of 2744 2064 Gmgdddmq.exe 34 PID 2064 wrote to memory of 2744 2064 Gmgdddmq.exe 34 PID 2064 wrote to memory of 2744 2064 Gmgdddmq.exe 34 PID 2744 wrote to memory of 2928 2744 Ggpimica.exe 35 PID 2744 wrote to memory of 2928 2744 Ggpimica.exe 35 PID 2744 wrote to memory of 2928 2744 Ggpimica.exe 35 PID 2744 wrote to memory of 2928 2744 Ggpimica.exe 35 PID 2928 wrote to memory of 1592 2928 Gddifnbk.exe 36 PID 2928 wrote to memory of 1592 2928 Gddifnbk.exe 36 PID 2928 wrote to memory of 1592 2928 Gddifnbk.exe 36 PID 2928 wrote to memory of 1592 2928 Gddifnbk.exe 36 PID 1592 wrote to memory of 2580 1592 Hknach32.exe 37 PID 1592 wrote to memory of 2580 1592 Hknach32.exe 37 PID 1592 wrote to memory of 2580 1592 Hknach32.exe 37 PID 1592 wrote to memory of 2580 1592 Hknach32.exe 37 PID 2580 wrote to memory of 2688 2580 Hmlnoc32.exe 38 PID 2580 wrote to memory of 2688 2580 Hmlnoc32.exe 38 PID 2580 wrote to memory of 2688 2580 Hmlnoc32.exe 38 PID 2580 wrote to memory of 2688 2580 Hmlnoc32.exe 38 PID 2688 wrote to memory of 616 2688 Hicodd32.exe 39 PID 2688 wrote to memory of 616 2688 Hicodd32.exe 39 PID 2688 wrote to memory of 616 2688 Hicodd32.exe 39 PID 2688 wrote to memory of 616 2688 Hicodd32.exe 39 PID 616 wrote to memory of 840 616 Hpocfncj.exe 40 PID 616 wrote to memory of 840 616 Hpocfncj.exe 40 PID 616 wrote to memory of 840 616 Hpocfncj.exe 40 PID 616 wrote to memory of 840 616 Hpocfncj.exe 40 PID 840 wrote to memory of 2376 840 Hhjhkq32.exe 41 PID 840 wrote to memory of 2376 840 Hhjhkq32.exe 41 PID 840 wrote to memory of 2376 840 Hhjhkq32.exe 41 PID 840 wrote to memory of 2376 840 Hhjhkq32.exe 41 PID 2376 wrote to memory of 1764 2376 Hodpgjha.exe 42 PID 2376 wrote to memory of 1764 2376 Hodpgjha.exe 42 PID 2376 wrote to memory of 1764 2376 Hodpgjha.exe 42 PID 2376 wrote to memory of 1764 2376 Hodpgjha.exe 42 PID 1764 wrote to memory of 2256 1764 Hhmepp32.exe 43 PID 1764 wrote to memory of 2256 1764 Hhmepp32.exe 43 PID 1764 wrote to memory of 2256 1764 Hhmepp32.exe 43 PID 1764 wrote to memory of 2256 1764 Hhmepp32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\bd8efdf31b165bcc1696d08578b018c0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe26⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe27⤵
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe34⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe35⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe36⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe39⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe40⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe45⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe46⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe47⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe48⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe49⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe51⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe52⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe53⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe56⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe57⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe59⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe60⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe61⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe62⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe65⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe67⤵PID:2860
-
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe68⤵
- Drops file in System32 directory
PID:1012 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe69⤵PID:1620
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe71⤵PID:1468
-
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe72⤵PID:1740
-
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe73⤵PID:2128
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe74⤵PID:2148
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe75⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe76⤵PID:1636
-
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe77⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe78⤵PID:2548
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe79⤵PID:2456
-
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe80⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe81⤵PID:2912
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe82⤵
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe83⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe84⤵PID:676
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe87⤵PID:1724
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe90⤵PID:1600
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe91⤵
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe92⤵PID:2332
-
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe93⤵PID:2684
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe94⤵PID:2628
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe95⤵PID:2528
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe96⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe97⤵PID:2776
-
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe98⤵PID:1560
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe99⤵PID:2932
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe100⤵PID:808
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe101⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe102⤵PID:2916
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe103⤵PID:1304
-
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe104⤵PID:1512
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe105⤵PID:1760
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe106⤵PID:3008
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe108⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe110⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe111⤵PID:2988
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe112⤵PID:2792
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe113⤵PID:556
-
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe114⤵PID:2968
-
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe117⤵
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe119⤵PID:2268
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe120⤵PID:2020
-
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe121⤵PID:2948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-