Analysis
-
max time kernel
144s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 15:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe
-
Size
264KB
-
MD5
e276bb55f81a04900ac62efec787e070
-
SHA1
2d6be6e3a052e77dcbde1ae6b74819d9e3e122eb
-
SHA256
4c9aa8b6a582a467fadd5c333d16ecddf3660d0f50bb2fda57ddd1992a64f424
-
SHA512
db20f72467f5bb2fa1dd6036c41c02e2841ff1b1c09729a2ea016b5bfccf50730bd71c143df61a671b7084ce946f5cf4b50ef1806b065c8511244df207190b70
-
SSDEEP
6144:vCeJksohxd2Quohdbd0zscwIGUKfvUJ43ewmxteZekR+1b/KVC0C:vCDxdzZdxGwsYI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhopq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgogk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbkmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcenm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekpnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcegmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggcffhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflomnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedkbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmbhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffklhqao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpncej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfpgmdog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagjnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Labkdack.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmikibio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimccpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcmlcja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moidahcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mijfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bekkcljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dookgcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhladfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahikqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejmebq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbfpik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipgbjl32.exe -
Executes dropped EXE 64 IoCs
pid Process 2264 Hdhbam32.exe 2524 Hpocfncj.exe 2532 Hhjhkq32.exe 2408 Hlhaqogk.exe 2128 Idceea32.exe 2884 Ihankokm.exe 1568 Idhopq32.exe 2672 Igihbknb.exe 1012 Imfqjbli.exe 1740 Jofiln32.exe 1588 Jiondcpk.exe 2728 Jfcnngnd.exe 1696 Jcgogk32.exe 2044 Jnqphi32.exe 2108 Kemejc32.exe 2816 Kaceodek.exe 2208 Kgnnln32.exe 1984 Kfbkmk32.exe 2740 Knjbnh32.exe 1744 Kgbggnhc.exe 1488 Kiccofna.exe 1108 Kaklpcoc.exe 1940 Kfgdhjmk.exe 3020 Lpphap32.exe 1976 Lfjqnjkh.exe 1924 Lmcijcbe.exe 1480 Lflmci32.exe 2956 Lbcnhjnj.exe 2580 Leajdfnm.exe 2536 Llkbap32.exe 2640 Lahkigca.exe 2404 Lkppbl32.exe 2440 Lefdpe32.exe 1840 Mggpgmof.exe 2552 Mppepcfg.exe 804 Mihiih32.exe 1776 Mijfnh32.exe 2200 Mlibjc32.exe 2196 Mgnfhlin.exe 2708 Mcegmm32.exe 2732 Meccii32.exe 2232 Nialog32.exe 2056 Nlphkb32.exe 2088 Nondgn32.exe 2332 Ndkmpe32.exe 1596 Nlbeqb32.exe 1292 Nncahjgl.exe 2924 Nejiih32.exe 2276 Nglfapnl.exe 2944 Naajoinb.exe 808 Npdjje32.exe 1620 Nhkbkc32.exe 2784 Njlockkm.exe 2480 Npfgpe32.exe 2620 Ngpolo32.exe 2928 Ojolhk32.exe 2392 Olmhdf32.exe 2964 Oddpfc32.exe 2360 Ojahnj32.exe 2192 Oonafa32.exe 1616 Ojcecjee.exe 1092 Ohfeog32.exe 2760 Obojhlbq.exe 2752 Ojfaijcc.exe -
Loads dropped DLL 64 IoCs
pid Process 1928 e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe 1928 e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe 2264 Hdhbam32.exe 2264 Hdhbam32.exe 2524 Hpocfncj.exe 2524 Hpocfncj.exe 2532 Hhjhkq32.exe 2532 Hhjhkq32.exe 2408 Hlhaqogk.exe 2408 Hlhaqogk.exe 2128 Idceea32.exe 2128 Idceea32.exe 2884 Ihankokm.exe 2884 Ihankokm.exe 1568 Idhopq32.exe 1568 Idhopq32.exe 2672 Igihbknb.exe 2672 Igihbknb.exe 1012 Imfqjbli.exe 1012 Imfqjbli.exe 1740 Jofiln32.exe 1740 Jofiln32.exe 1588 Jiondcpk.exe 1588 Jiondcpk.exe 2728 Jfcnngnd.exe 2728 Jfcnngnd.exe 1696 Jcgogk32.exe 1696 Jcgogk32.exe 2044 Jnqphi32.exe 2044 Jnqphi32.exe 2108 Kemejc32.exe 2108 Kemejc32.exe 2816 Kaceodek.exe 2816 Kaceodek.exe 2208 Kgnnln32.exe 2208 Kgnnln32.exe 1984 Kfbkmk32.exe 1984 Kfbkmk32.exe 2740 Knjbnh32.exe 2740 Knjbnh32.exe 1744 Kgbggnhc.exe 1744 Kgbggnhc.exe 1488 Kiccofna.exe 1488 Kiccofna.exe 1108 Kaklpcoc.exe 1108 Kaklpcoc.exe 1940 Kfgdhjmk.exe 1940 Kfgdhjmk.exe 3020 Lpphap32.exe 3020 Lpphap32.exe 1976 Lfjqnjkh.exe 1976 Lfjqnjkh.exe 1924 Lmcijcbe.exe 1924 Lmcijcbe.exe 1480 Lflmci32.exe 1480 Lflmci32.exe 2956 Lbcnhjnj.exe 2956 Lbcnhjnj.exe 2580 Leajdfnm.exe 2580 Leajdfnm.exe 2536 Llkbap32.exe 2536 Llkbap32.exe 2640 Lahkigca.exe 2640 Lahkigca.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Npfgpe32.exe Njlockkm.exe File created C:\Windows\SysWOW64\Lcoich32.dll Njlockkm.exe File created C:\Windows\SysWOW64\Gdllkhdg.exe Ganpomec.exe File opened for modification C:\Windows\SysWOW64\Kicmdo32.exe Kaldcb32.exe File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Okikfagn.exe File opened for modification C:\Windows\SysWOW64\Ajhgmpfg.exe Ahikqd32.exe File created C:\Windows\SysWOW64\Aaaoij32.exe Ajhgmpfg.exe File opened for modification C:\Windows\SysWOW64\Ichllgfb.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Lcagpl32.exe Labkdack.exe File opened for modification C:\Windows\SysWOW64\Aekodi32.exe Abmbhn32.exe File created C:\Windows\SysWOW64\Bpebiecm.dll Ipjoplgo.exe File opened for modification C:\Windows\SysWOW64\Mlfojn32.exe Mponel32.exe File opened for modification C:\Windows\SysWOW64\Modkfi32.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Obojmk32.dll Hhehek32.exe File created C:\Windows\SysWOW64\Kkjcplpa.exe Kfmjgeaj.exe File created C:\Windows\SysWOW64\Ncmfqkdj.exe Ndjfeo32.exe File opened for modification C:\Windows\SysWOW64\Jofiln32.exe Imfqjbli.exe File created C:\Windows\SysWOW64\Hbgodfkh.dll Nlbeqb32.exe File created C:\Windows\SysWOW64\Naajoinb.exe Nglfapnl.exe File created C:\Windows\SysWOW64\Kckmmp32.dll Aidnohbk.exe File created C:\Windows\SysWOW64\Djmffb32.dll Labkdack.exe File created C:\Windows\SysWOW64\Ohhkga32.dll Pjadmnic.exe File created C:\Windows\SysWOW64\Ajhgmpfg.exe Ahikqd32.exe File created C:\Windows\SysWOW64\Bplpldoa.dll Bbjbaa32.exe File opened for modification C:\Windows\SysWOW64\Emkaol32.exe Ejmebq32.exe File created C:\Windows\SysWOW64\Hkijpd32.dll Lcagpl32.exe File created C:\Windows\SysWOW64\Kjbgng32.dll Nlcnda32.exe File created C:\Windows\SysWOW64\Mgnfhlin.exe Mlibjc32.exe File opened for modification C:\Windows\SysWOW64\Nhkbkc32.exe Npdjje32.exe File created C:\Windows\SysWOW64\Aibajhdn.exe Afcenm32.exe File created C:\Windows\SysWOW64\Cgcmlcja.exe Cddaphkn.exe File created C:\Windows\SysWOW64\Amfidj32.dll Egllae32.exe File opened for modification C:\Windows\SysWOW64\Eplkpgnh.exe Ejobhppq.exe File created C:\Windows\SysWOW64\Nejiih32.exe Nncahjgl.exe File opened for modification C:\Windows\SysWOW64\Cpnojioo.exe Cjdfmo32.exe File created C:\Windows\SysWOW64\Cohigamf.exe Clilkfnb.exe File created C:\Windows\SysWOW64\Hoogfn32.dll Echfaf32.exe File created C:\Windows\SysWOW64\Gamgjj32.dll Heihnoph.exe File created C:\Windows\SysWOW64\Icmegf32.exe Ioaifhid.exe File opened for modification C:\Windows\SysWOW64\Leljop32.exe Lmebnb32.exe File created C:\Windows\SysWOW64\Pqiqnfej.dll Hlhaqogk.exe File created C:\Windows\SysWOW64\Cclkfdnc.exe Cpnojioo.exe File opened for modification C:\Windows\SysWOW64\Kfpgmdog.exe Kkjcplpa.exe File created C:\Windows\SysWOW64\Fgaleqmc.dll Nialog32.exe File opened for modification C:\Windows\SysWOW64\Afcenm32.exe Alnqqd32.exe File created C:\Windows\SysWOW64\Eofjhkoj.dll Dlgldibq.exe File created C:\Windows\SysWOW64\Hoopae32.exe Hlqdei32.exe File created C:\Windows\SysWOW64\Fmhbhf32.dll Hapicp32.exe File created C:\Windows\SysWOW64\Jfknbe32.exe Jdgdempa.exe File opened for modification C:\Windows\SysWOW64\Jnqphi32.exe Jcgogk32.exe File created C:\Windows\SysWOW64\Jfdnjb32.dll Gifhnpea.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Aaaoij32.exe File created C:\Windows\SysWOW64\Kgnnln32.exe Kaceodek.exe File opened for modification C:\Windows\SysWOW64\Lahkigca.exe Llkbap32.exe File created C:\Windows\SysWOW64\Qfahhm32.exe Qcbllb32.exe File created C:\Windows\SysWOW64\Pbefefec.dll Kfmjgeaj.exe File created C:\Windows\SysWOW64\Pelggd32.dll Kkolkk32.exe File created C:\Windows\SysWOW64\Lphhenhc.exe Lmikibio.exe File created C:\Windows\SysWOW64\Hbfcml32.dll Leajdfnm.exe File created C:\Windows\SysWOW64\Gpncej32.exe Gnmgmbhb.exe File created C:\Windows\SysWOW64\Gpgmpikn.dll Hhckpk32.exe File created C:\Windows\SysWOW64\Dkcinege.dll Hoamgd32.exe File created C:\Windows\SysWOW64\Eekkdc32.dll Bhkdeggl.exe File opened for modification C:\Windows\SysWOW64\Cojema32.exe Cgcmlcja.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3492 3568 WerFault.exe 308 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohfbg32.dll" Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgaleqmc.dll" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojchmpcd.dll" Jiondcpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfjbgnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cojema32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldlimbcf.dll" Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcblodlj.dll" Jqilooij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdacop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmbhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgalqkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmmle32.dll" Aibajhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pefijfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqdajkkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fagjnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjolo32.dll" Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdkokpa.dll" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgagfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjcplpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiejho.dll" Baakhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgcmlcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhckpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiccofna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afcenm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblihc32.dll" Habfipdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekhhadmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cclkfdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghqnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlqdei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pflomnkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklnnaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioaifhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojcecjee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkfagfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmnhglp.dll" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnclh32.dll" Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll" Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmol32.dll" Fmpkjkma.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 2264 1928 e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe 28 PID 1928 wrote to memory of 2264 1928 e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe 28 PID 1928 wrote to memory of 2264 1928 e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe 28 PID 1928 wrote to memory of 2264 1928 e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe 28 PID 2264 wrote to memory of 2524 2264 Hdhbam32.exe 29 PID 2264 wrote to memory of 2524 2264 Hdhbam32.exe 29 PID 2264 wrote to memory of 2524 2264 Hdhbam32.exe 29 PID 2264 wrote to memory of 2524 2264 Hdhbam32.exe 29 PID 2524 wrote to memory of 2532 2524 Hpocfncj.exe 30 PID 2524 wrote to memory of 2532 2524 Hpocfncj.exe 30 PID 2524 wrote to memory of 2532 2524 Hpocfncj.exe 30 PID 2524 wrote to memory of 2532 2524 Hpocfncj.exe 30 PID 2532 wrote to memory of 2408 2532 Hhjhkq32.exe 31 PID 2532 wrote to memory of 2408 2532 Hhjhkq32.exe 31 PID 2532 wrote to memory of 2408 2532 Hhjhkq32.exe 31 PID 2532 wrote to memory of 2408 2532 Hhjhkq32.exe 31 PID 2408 wrote to memory of 2128 2408 Hlhaqogk.exe 32 PID 2408 wrote to memory of 2128 2408 Hlhaqogk.exe 32 PID 2408 wrote to memory of 2128 2408 Hlhaqogk.exe 32 PID 2408 wrote to memory of 2128 2408 Hlhaqogk.exe 32 PID 2128 wrote to memory of 2884 2128 Idceea32.exe 33 PID 2128 wrote to memory of 2884 2128 Idceea32.exe 33 PID 2128 wrote to memory of 2884 2128 Idceea32.exe 33 PID 2128 wrote to memory of 2884 2128 Idceea32.exe 33 PID 2884 wrote to memory of 1568 2884 Ihankokm.exe 34 PID 2884 wrote to memory of 1568 2884 Ihankokm.exe 34 PID 2884 wrote to memory of 1568 2884 Ihankokm.exe 34 PID 2884 wrote to memory of 1568 2884 Ihankokm.exe 34 PID 1568 wrote to memory of 2672 1568 Idhopq32.exe 35 PID 1568 wrote to memory of 2672 1568 Idhopq32.exe 35 PID 1568 wrote to memory of 2672 1568 Idhopq32.exe 35 PID 1568 wrote to memory of 2672 1568 Idhopq32.exe 35 PID 2672 wrote to memory of 1012 2672 Igihbknb.exe 36 PID 2672 wrote to memory of 1012 2672 Igihbknb.exe 36 PID 2672 wrote to memory of 1012 2672 Igihbknb.exe 36 PID 2672 wrote to memory of 1012 2672 Igihbknb.exe 36 PID 1012 wrote to memory of 1740 1012 Imfqjbli.exe 37 PID 1012 wrote to memory of 1740 1012 Imfqjbli.exe 37 PID 1012 wrote to memory of 1740 1012 Imfqjbli.exe 37 PID 1012 wrote to memory of 1740 1012 Imfqjbli.exe 37 PID 1740 wrote to memory of 1588 1740 Jofiln32.exe 38 PID 1740 wrote to memory of 1588 1740 Jofiln32.exe 38 PID 1740 wrote to memory of 1588 1740 Jofiln32.exe 38 PID 1740 wrote to memory of 1588 1740 Jofiln32.exe 38 PID 1588 wrote to memory of 2728 1588 Jiondcpk.exe 39 PID 1588 wrote to memory of 2728 1588 Jiondcpk.exe 39 PID 1588 wrote to memory of 2728 1588 Jiondcpk.exe 39 PID 1588 wrote to memory of 2728 1588 Jiondcpk.exe 39 PID 2728 wrote to memory of 1696 2728 Jfcnngnd.exe 40 PID 2728 wrote to memory of 1696 2728 Jfcnngnd.exe 40 PID 2728 wrote to memory of 1696 2728 Jfcnngnd.exe 40 PID 2728 wrote to memory of 1696 2728 Jfcnngnd.exe 40 PID 1696 wrote to memory of 2044 1696 Jcgogk32.exe 41 PID 1696 wrote to memory of 2044 1696 Jcgogk32.exe 41 PID 1696 wrote to memory of 2044 1696 Jcgogk32.exe 41 PID 1696 wrote to memory of 2044 1696 Jcgogk32.exe 41 PID 2044 wrote to memory of 2108 2044 Jnqphi32.exe 42 PID 2044 wrote to memory of 2108 2044 Jnqphi32.exe 42 PID 2044 wrote to memory of 2108 2044 Jnqphi32.exe 42 PID 2044 wrote to memory of 2108 2044 Jnqphi32.exe 42 PID 2108 wrote to memory of 2816 2108 Kemejc32.exe 43 PID 2108 wrote to memory of 2816 2108 Kemejc32.exe 43 PID 2108 wrote to memory of 2816 2108 Kemejc32.exe 43 PID 2108 wrote to memory of 2816 2108 Kemejc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e276bb55f81a04900ac62efec787e070_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe34⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe35⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe36⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe37⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe40⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe46⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe49⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe55⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe56⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe57⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe59⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe60⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe63⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe64⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe65⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe66⤵PID:1944
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe67⤵PID:2772
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe68⤵PID:448
-
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe69⤵PID:2960
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe70⤵PID:1440
-
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe71⤵
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe72⤵PID:1564
-
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe73⤵PID:888
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe75⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe76⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe77⤵PID:2724
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe79⤵PID:1844
-
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe80⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe81⤵PID:2168
-
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe83⤵PID:2696
-
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe84⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe85⤵PID:2328
-
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe86⤵PID:1704
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe87⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe88⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe89⤵PID:1500
-
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe90⤵PID:2624
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe91⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe93⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe94⤵PID:2564
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe95⤵PID:1732
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe96⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe97⤵PID:3056
-
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe98⤵PID:3008
-
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe100⤵PID:2968
-
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe102⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe105⤵PID:2592
-
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe108⤵PID:2684
-
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe109⤵PID:1516
-
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe111⤵PID:1116
-
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe112⤵PID:3052
-
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe113⤵PID:2872
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe114⤵PID:580
-
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe116⤵PID:640
-
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe117⤵PID:2852
-
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe118⤵PID:2520
-
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe119⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe121⤵PID:2880
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-