Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 12:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe
-
Size
124KB
-
MD5
ddd6dc90b239e058ad55ddcc4dcb1840
-
SHA1
97d9db1473494b0de6a86916458f73921023317d
-
SHA256
ecf16fe78d909bd9ae9e78806ea5312501ef376bd7b3d890831d1f2c95cad5cf
-
SHA512
af77fd516c0e936caf8e67cb3aa6dd917a9f722c5e933e15c54b48a7dcfee44ad84b4296ad4e545e0f6670b134e04eabdac73289cfc0f024f3b7990796c2c08c
-
SSDEEP
1536:hoxx7fe6Vile/eOnlWrSXoA0vZjXq+66DFUABABOVLefEjw6YmLsAjqLciEFms11:MvVile2S50vZj6+JB8M6m9jqLsFmsr
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgdciiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fichqckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmglajcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkchmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghaeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Immjnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feiaknmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdhhdqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlndnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Allgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffjagko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illbhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnmcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdqfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edhpaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjojphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jijokbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfgdmjlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlolnllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obnbpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glijnmdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gibmep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplmflde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kokjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oajlkojn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiaplin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfacdqhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caidaeak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcngcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccnddg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpaic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieeqpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padhdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnkmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnmlcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goddjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feipbefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcngcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljabkeaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbncof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnflke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakaaepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmbge32.exe -
Executes dropped EXE 64 IoCs
pid Process 3012 Ibckfa32.exe 2756 Iknpkd32.exe 2536 Ikbifcpb.exe 2972 Jcpkpe32.exe 2472 Jgncfcaa.exe 268 Jlklnjoh.exe 652 Jfemlpdf.exe 1772 Jblnaq32.exe 2956 Khiccj32.exe 1580 Kbaglpee.exe 2628 Kgpmjf32.exe 2480 Kgbipf32.exe 2664 Kqknil32.exe 1044 Lmdkcl32.exe 2288 Lbackc32.exe 2268 Lnhdqdnd.exe 1476 Ljabkeaf.exe 432 Mgebdipp.exe 1108 Meicnm32.exe 1516 Mnaggcej.exe 764 Mmfdhojb.exe 852 Medeaaej.exe 2208 Nbhfke32.exe 1636 Nblpfepo.exe 112 Nledoj32.exe 3040 Npgihn32.exe 2604 Oklnff32.exe 2564 Okojkf32.exe 2752 Oehklddp.exe 2720 Oaaifdhb.exe 2444 Pkjmoj32.exe 2416 Plijimee.exe 2944 Pojbkh32.exe 1352 Pdgkco32.exe 1728 Aeidgbaf.exe 2836 Aggpdnpj.exe 1324 Aennba32.exe 1752 Bnfblgca.exe 2020 Bnhoag32.exe 2684 Bpjkiogm.exe 848 Bffpki32.exe 2872 Bfhmqhkd.exe 1844 Bpqain32.exe 1644 Bfkifhib.exe 1576 Cadjgf32.exe 1704 Cjmopkla.exe 1528 Cdecha32.exe 1584 Caidaeak.exe 2408 Cffljlpc.exe 2384 Cheido32.exe 800 Cmbalfem.exe 3036 Dbojdmcd.exe 1876 Diibag32.exe 1296 Dbafjlaa.exe 2864 Dpegcq32.exe 2520 Dhplhc32.exe 2748 Dlndnacm.exe 672 Dakmfh32.exe 2192 Elqaca32.exe 1640 Eeielfhk.exe 1796 Eoajel32.exe 3044 Epbfmd32.exe 2160 Ejkkfjkj.exe 2008 Eccpoo32.exe -
Loads dropped DLL 64 IoCs
pid Process 3048 ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe 3048 ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe 3012 Ibckfa32.exe 3012 Ibckfa32.exe 2756 Iknpkd32.exe 2756 Iknpkd32.exe 2536 Ikbifcpb.exe 2536 Ikbifcpb.exe 2972 Jcpkpe32.exe 2972 Jcpkpe32.exe 2472 Jgncfcaa.exe 2472 Jgncfcaa.exe 268 Jlklnjoh.exe 268 Jlklnjoh.exe 652 Jfemlpdf.exe 652 Jfemlpdf.exe 1772 Jblnaq32.exe 1772 Jblnaq32.exe 2956 Khiccj32.exe 2956 Khiccj32.exe 1580 Kbaglpee.exe 1580 Kbaglpee.exe 2628 Kgpmjf32.exe 2628 Kgpmjf32.exe 2480 Kgbipf32.exe 2480 Kgbipf32.exe 2664 Kqknil32.exe 2664 Kqknil32.exe 1044 Lmdkcl32.exe 1044 Lmdkcl32.exe 2288 Lbackc32.exe 2288 Lbackc32.exe 2268 Lnhdqdnd.exe 2268 Lnhdqdnd.exe 1476 Ljabkeaf.exe 1476 Ljabkeaf.exe 432 Mgebdipp.exe 432 Mgebdipp.exe 1108 Meicnm32.exe 1108 Meicnm32.exe 1516 Mnaggcej.exe 1516 Mnaggcej.exe 764 Mmfdhojb.exe 764 Mmfdhojb.exe 852 Medeaaej.exe 852 Medeaaej.exe 2208 Nbhfke32.exe 2208 Nbhfke32.exe 1636 Nblpfepo.exe 1636 Nblpfepo.exe 112 Nledoj32.exe 112 Nledoj32.exe 3040 Npgihn32.exe 3040 Npgihn32.exe 2604 Oklnff32.exe 2604 Oklnff32.exe 2564 Okojkf32.exe 2564 Okojkf32.exe 2752 Oehklddp.exe 2752 Oehklddp.exe 2720 Oaaifdhb.exe 2720 Oaaifdhb.exe 2444 Pkjmoj32.exe 2444 Pkjmoj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jfagemej.exe Jmibmhoj.exe File created C:\Windows\SysWOW64\Ddlfji32.dll Imnbbi32.exe File opened for modification C:\Windows\SysWOW64\Mobomnoq.exe Mbnocipg.exe File opened for modification C:\Windows\SysWOW64\Cfnkmi32.exe Ckhfpp32.exe File opened for modification C:\Windows\SysWOW64\Gbcien32.exe Fabmmejd.exe File created C:\Windows\SysWOW64\Aeidgbaf.exe Pdgkco32.exe File created C:\Windows\SysWOW64\Ldbofgme.exe Llgjaeoj.exe File created C:\Windows\SysWOW64\Lcmdjb32.dll Oehgjfhi.exe File created C:\Windows\SysWOW64\Ibmkap32.dll Laodmoep.exe File created C:\Windows\SysWOW64\Nbpghl32.exe Njeccjcd.exe File opened for modification C:\Windows\SysWOW64\Cffljlpc.exe Caidaeak.exe File created C:\Windows\SysWOW64\Naffihgj.dll Dpegcq32.exe File created C:\Windows\SysWOW64\Ihmpobck.exe Hmglajcd.exe File created C:\Windows\SysWOW64\Jimbkh32.exe Jkhejkcq.exe File created C:\Windows\SysWOW64\Obeacl32.exe Obbdml32.exe File created C:\Windows\SysWOW64\Hgeelf32.exe Hnmacpfj.exe File created C:\Windows\SysWOW64\Emdhhdqb.exe Eclcon32.exe File created C:\Windows\SysWOW64\Dknfijae.dll Fefcmehe.exe File created C:\Windows\SysWOW64\Llaqkn32.dll Alaccj32.exe File created C:\Windows\SysWOW64\Pdkhag32.exe Pamlel32.exe File created C:\Windows\SysWOW64\Jhjikp32.dll Laleof32.exe File created C:\Windows\SysWOW64\Ejfmkamg.dll Alaqjaaa.exe File created C:\Windows\SysWOW64\Flhbifkd.dll Haemloni.exe File created C:\Windows\SysWOW64\Pbgefa32.exe Pecelm32.exe File opened for modification C:\Windows\SysWOW64\Qekdpkgj.exe Qkbpgeai.exe File created C:\Windows\SysWOW64\Geddoa32.exe Gjkcod32.exe File created C:\Windows\SysWOW64\Qaipli32.dll Oiljam32.exe File created C:\Windows\SysWOW64\Fdqnkoep.exe Fleifl32.exe File created C:\Windows\SysWOW64\Kfacdqhf.exe Kepgmh32.exe File opened for modification C:\Windows\SysWOW64\Cabaec32.exe Ckiiiine.exe File created C:\Windows\SysWOW64\Hjoiiffo.exe Hagepa32.exe File created C:\Windows\SysWOW64\Higjomhj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Odnobj32.exe Nanfqo32.exe File opened for modification C:\Windows\SysWOW64\Lbhmok32.exe Kecmfg32.exe File created C:\Windows\SysWOW64\Lcpkhoab.dll Fpoolael.exe File created C:\Windows\SysWOW64\Nqpdcc32.exe Nkclkl32.exe File opened for modification C:\Windows\SysWOW64\Clnehado.exe Cfcmlg32.exe File opened for modification C:\Windows\SysWOW64\Oehgjfhi.exe Oiafee32.exe File created C:\Windows\SysWOW64\Glchpp32.exe Gdhdkn32.exe File created C:\Windows\SysWOW64\Ifolhann.exe Ioeclg32.exe File opened for modification C:\Windows\SysWOW64\Hclhjpjc.exe Hnppaill.exe File created C:\Windows\SysWOW64\Jlqogi32.dll Iifghk32.exe File opened for modification C:\Windows\SysWOW64\Aiflpm32.exe Abldccka.exe File created C:\Windows\SysWOW64\Fmcjhdbc.exe Fjdnlhco.exe File opened for modification C:\Windows\SysWOW64\Mkcplien.exe Makkcc32.exe File opened for modification C:\Windows\SysWOW64\Afbnec32.exe Almihjlj.exe File opened for modification C:\Windows\SysWOW64\Bjkhdacm.exe Abpcooea.exe File opened for modification C:\Windows\SysWOW64\Macilmnk.exe Mlfacfpc.exe File created C:\Windows\SysWOW64\Nqmqcmdh.exe Ncipjieo.exe File created C:\Windows\SysWOW64\Bedoacoi.dll Bkqiek32.exe File created C:\Windows\SysWOW64\Lamopnkl.dll Ihqilnig.exe File created C:\Windows\SysWOW64\Dadbdkld.exe Dgknkf32.exe File created C:\Windows\SysWOW64\Okipkm32.dll Gncgbkki.exe File created C:\Windows\SysWOW64\Joekimld.exe Jflgph32.exe File created C:\Windows\SysWOW64\Addfkeid.exe Anjnnk32.exe File created C:\Windows\SysWOW64\Jlhdnf32.dll Plmbkd32.exe File created C:\Windows\SysWOW64\Llbconkd.exe Ldgnklmi.exe File created C:\Windows\SysWOW64\Lgpfpe32.exe Lmhbgpia.exe File created C:\Windows\SysWOW64\Cnflae32.exe Ccqhdmbc.exe File created C:\Windows\SysWOW64\Nelgfoke.dll Jfagemej.exe File opened for modification C:\Windows\SysWOW64\Ioeclg32.exe Ibacbcgg.exe File created C:\Windows\SysWOW64\Gpeoakhc.exe Fgjkmijh.exe File created C:\Windows\SysWOW64\Komjmk32.exe Kfdfdf32.exe File created C:\Windows\SysWOW64\Fgigil32.exe Fpoolael.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2224 2344 Process not Found 1081 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahme32.dll" Ooidei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amoibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilemce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbodjofc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhkopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkegikfe.dll" Hgiked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlmaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmidlmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keclgbfi.dll" Feachqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll" Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngemqa32.dll" Okbapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almpdj32.dll" Eclcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnekb32.dll" Mainndaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddiakkl.dll" Hnmacpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgeelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bemmenhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dknfijae.dll" Fefcmehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgoadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnmqjah.dll" Kecmfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlglb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifolhann.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emdhhdqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhebhipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjoliob.dll" Fnmjpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijimli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pngjcj32.dll" Nanfqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlhaaogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllhoh32.dll" Nkclkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofofolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okipkm32.dll" Gncgbkki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emgdmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihnjmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phqmgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iclbpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjeop32.dll" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbidne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glijnmdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlklnjoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glfjgaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efdhpjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqglggcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inoaljog.dll" Cbiiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajpmc32.dll" Jijokbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okhefl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofilgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjhdpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdiahco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nddeae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjdnlhco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnofgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doqkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mloiec32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3048 wrote to memory of 3012 3048 ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe 28 PID 3048 wrote to memory of 3012 3048 ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe 28 PID 3048 wrote to memory of 3012 3048 ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe 28 PID 3048 wrote to memory of 3012 3048 ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe 28 PID 3012 wrote to memory of 2756 3012 Ibckfa32.exe 29 PID 3012 wrote to memory of 2756 3012 Ibckfa32.exe 29 PID 3012 wrote to memory of 2756 3012 Ibckfa32.exe 29 PID 3012 wrote to memory of 2756 3012 Ibckfa32.exe 29 PID 2756 wrote to memory of 2536 2756 Iknpkd32.exe 30 PID 2756 wrote to memory of 2536 2756 Iknpkd32.exe 30 PID 2756 wrote to memory of 2536 2756 Iknpkd32.exe 30 PID 2756 wrote to memory of 2536 2756 Iknpkd32.exe 30 PID 2536 wrote to memory of 2972 2536 Ikbifcpb.exe 31 PID 2536 wrote to memory of 2972 2536 Ikbifcpb.exe 31 PID 2536 wrote to memory of 2972 2536 Ikbifcpb.exe 31 PID 2536 wrote to memory of 2972 2536 Ikbifcpb.exe 31 PID 2972 wrote to memory of 2472 2972 Jcpkpe32.exe 32 PID 2972 wrote to memory of 2472 2972 Jcpkpe32.exe 32 PID 2972 wrote to memory of 2472 2972 Jcpkpe32.exe 32 PID 2972 wrote to memory of 2472 2972 Jcpkpe32.exe 32 PID 2472 wrote to memory of 268 2472 Jgncfcaa.exe 33 PID 2472 wrote to memory of 268 2472 Jgncfcaa.exe 33 PID 2472 wrote to memory of 268 2472 Jgncfcaa.exe 33 PID 2472 wrote to memory of 268 2472 Jgncfcaa.exe 33 PID 268 wrote to memory of 652 268 Jlklnjoh.exe 34 PID 268 wrote to memory of 652 268 Jlklnjoh.exe 34 PID 268 wrote to memory of 652 268 Jlklnjoh.exe 34 PID 268 wrote to memory of 652 268 Jlklnjoh.exe 34 PID 652 wrote to memory of 1772 652 Jfemlpdf.exe 35 PID 652 wrote to memory of 1772 652 Jfemlpdf.exe 35 PID 652 wrote to memory of 1772 652 Jfemlpdf.exe 35 PID 652 wrote to memory of 1772 652 Jfemlpdf.exe 35 PID 1772 wrote to memory of 2956 1772 Jblnaq32.exe 36 PID 1772 wrote to memory of 2956 1772 Jblnaq32.exe 36 PID 1772 wrote to memory of 2956 1772 Jblnaq32.exe 36 PID 1772 wrote to memory of 2956 1772 Jblnaq32.exe 36 PID 2956 wrote to memory of 1580 2956 Khiccj32.exe 37 PID 2956 wrote to memory of 1580 2956 Khiccj32.exe 37 PID 2956 wrote to memory of 1580 2956 Khiccj32.exe 37 PID 2956 wrote to memory of 1580 2956 Khiccj32.exe 37 PID 1580 wrote to memory of 2628 1580 Kbaglpee.exe 38 PID 1580 wrote to memory of 2628 1580 Kbaglpee.exe 38 PID 1580 wrote to memory of 2628 1580 Kbaglpee.exe 38 PID 1580 wrote to memory of 2628 1580 Kbaglpee.exe 38 PID 2628 wrote to memory of 2480 2628 Kgpmjf32.exe 39 PID 2628 wrote to memory of 2480 2628 Kgpmjf32.exe 39 PID 2628 wrote to memory of 2480 2628 Kgpmjf32.exe 39 PID 2628 wrote to memory of 2480 2628 Kgpmjf32.exe 39 PID 2480 wrote to memory of 2664 2480 Kgbipf32.exe 40 PID 2480 wrote to memory of 2664 2480 Kgbipf32.exe 40 PID 2480 wrote to memory of 2664 2480 Kgbipf32.exe 40 PID 2480 wrote to memory of 2664 2480 Kgbipf32.exe 40 PID 2664 wrote to memory of 1044 2664 Kqknil32.exe 41 PID 2664 wrote to memory of 1044 2664 Kqknil32.exe 41 PID 2664 wrote to memory of 1044 2664 Kqknil32.exe 41 PID 2664 wrote to memory of 1044 2664 Kqknil32.exe 41 PID 1044 wrote to memory of 2288 1044 Lmdkcl32.exe 42 PID 1044 wrote to memory of 2288 1044 Lmdkcl32.exe 42 PID 1044 wrote to memory of 2288 1044 Lmdkcl32.exe 42 PID 1044 wrote to memory of 2288 1044 Lmdkcl32.exe 42 PID 2288 wrote to memory of 2268 2288 Lbackc32.exe 43 PID 2288 wrote to memory of 2268 2288 Lbackc32.exe 43 PID 2288 wrote to memory of 2268 2288 Lbackc32.exe 43 PID 2288 wrote to memory of 2268 2288 Lbackc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ddd6dc90b239e058ad55ddcc4dcb1840_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:432 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe33⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe34⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe36⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe37⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe38⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe39⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe40⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe41⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe42⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe43⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe44⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe45⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe46⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe47⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe48⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe50⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe51⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe52⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe53⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe54⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe55⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe57⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe59⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe60⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe61⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe62⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe63⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe64⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe65⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe66⤵PID:1040
-
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe67⤵
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe68⤵PID:1648
-
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe69⤵PID:1136
-
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe71⤵PID:2792
-
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe73⤵PID:1764
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe74⤵PID:900
-
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe75⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe76⤵PID:2692
-
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe77⤵PID:2768
-
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe78⤵PID:2476
-
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe79⤵PID:772
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe80⤵PID:1944
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe81⤵PID:2928
-
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe82⤵PID:1336
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe83⤵PID:2724
-
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe84⤵PID:2024
-
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe85⤵PID:2260
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe86⤵PID:2280
-
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe87⤵PID:1980
-
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe88⤵PID:1880
-
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe89⤵PID:912
-
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe90⤵PID:1556
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe91⤵PID:1968
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe92⤵PID:1544
-
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe94⤵PID:3060
-
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe95⤵PID:2104
-
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe96⤵PID:2540
-
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe97⤵PID:944
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe98⤵
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe99⤵PID:2648
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe100⤵PID:1832
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe101⤵PID:2028
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe102⤵PID:1840
-
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe103⤵PID:2272
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe104⤵
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe105⤵PID:1316
-
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe106⤵PID:2908
-
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe107⤵PID:1736
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe108⤵PID:2152
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2704 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe111⤵PID:2396
-
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe112⤵PID:1708
-
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe113⤵PID:2612
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe114⤵PID:1816
-
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe115⤵PID:696
-
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe116⤵PID:2876
-
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe117⤵PID:1912
-
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe118⤵PID:1780
-
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe119⤵PID:2344
-
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe120⤵PID:1740
-
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe121⤵PID:2568
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-