Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17/05/2024, 09:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e45f30618740627b19acb8b923255100_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
e45f30618740627b19acb8b923255100_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
e45f30618740627b19acb8b923255100_NeikiAnalytics.exe
-
Size
224KB
-
MD5
e45f30618740627b19acb8b923255100
-
SHA1
59817f8b3c53bfa0cf504c61d30dacc65dc9d4bc
-
SHA256
0f2e83542574bdd688abd7f254c32073c62b0f548e47818d0547f11681d57f96
-
SHA512
676580f66041b76f297848ce3edb337d979ad2b3a7dce3c830c4d63437441d6482afc1c33f01d5e9e8fae8cd717259507777f1018d03172837221ac388b88a43
-
SSDEEP
6144:qbwTobbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQcv:8wIbWGRdA6sQhPbWGRdA6sQc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciepkajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbohehoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qejpoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mploiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajipkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadobccg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabmmejd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaggbihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akiobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgkocj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmcjedcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padccpal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbqkeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clfhml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmgfqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephbal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcngenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnkmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbeilbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackmih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacclpae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbcelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknkeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfikod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibkhak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkbnibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daipqhdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpopddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofqpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noohlkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqaode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpnngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdbahpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagbgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pleofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcmamj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojlbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgokfnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgddam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkbkpcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbbcail.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkaeob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibfajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmopa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hndlem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgidfcdk.exe -
Executes dropped EXE 64 IoCs
pid Process 2032 Odbeilbg.exe 2652 Ogekpg32.exe 2656 Ooclji32.exe 2728 Pkjmoj32.exe 2424 Pdbahpec.exe 2944 Pnjfae32.exe 1056 Pojbkh32.exe 1960 Pakllc32.exe 2144 Pjfpafmb.exe 952 Qjkjle32.exe 2272 Aipfmane.exe 2708 Abkhkgbb.exe 1656 Akeijlfq.exe 2296 Acqnnndl.exe 1412 Bnhoag32.exe 2040 Bfccei32.exe 1116 Bffpki32.exe 1128 Blchcpko.exe 976 Bncaekhp.exe 2200 Clgbno32.exe 2324 Cebcmdlg.exe 844 Cojhejbh.exe 1180 Cdgpnqpo.exe 2896 Cifelgmd.exe 2912 Dmdnbecj.exe 2568 Dmgkgeah.exe 2692 Dgoopkgh.exe 2724 Dllhhaep.exe 2468 Daipqhdg.exe 2992 Domqjm32.exe 1432 Egjbdo32.exe 2500 Epbfmd32.exe 576 Ekhkjm32.exe 1308 Ejmhkiig.exe 2332 Ejpdai32.exe 2404 Fnipkkdl.exe 2180 Gcjbna32.exe 940 Gqnbhf32.exe 3012 Gaqomeke.exe 2392 Gfmgelil.exe 2248 Hebdfind.exe 2860 Hbfepmmn.exe 2364 Hloiib32.exe 1304 Hibjbgbh.exe 1940 Heikgh32.exe 908 Hnbopmnm.exe 700 Helgmg32.exe 1612 Hndlem32.exe 2132 Iinmfk32.exe 2740 Ibfaopoi.exe 588 Idfnicfl.exe 2676 Iibfajdc.exe 2028 Ieigfk32.exe 2540 Ilcoce32.exe 2644 Iigpli32.exe 2456 Jbpdeogo.exe 2828 Jkkija32.exe 1336 Jdcmbgkj.exe 2348 Jpjngh32.exe 1948 Jkpbdq32.exe 2492 Jdhgnf32.exe 956 Jjdofm32.exe 1520 Kfkpknkq.exe 1036 Kpadhg32.exe -
Loads dropped DLL 64 IoCs
pid Process 1936 e45f30618740627b19acb8b923255100_NeikiAnalytics.exe 1936 e45f30618740627b19acb8b923255100_NeikiAnalytics.exe 2032 Odbeilbg.exe 2032 Odbeilbg.exe 2652 Ogekpg32.exe 2652 Ogekpg32.exe 2656 Ooclji32.exe 2656 Ooclji32.exe 2728 Pkjmoj32.exe 2728 Pkjmoj32.exe 2424 Pdbahpec.exe 2424 Pdbahpec.exe 2944 Pnjfae32.exe 2944 Pnjfae32.exe 1056 Pojbkh32.exe 1056 Pojbkh32.exe 1960 Pakllc32.exe 1960 Pakllc32.exe 2144 Pjfpafmb.exe 2144 Pjfpafmb.exe 952 Qjkjle32.exe 952 Qjkjle32.exe 2272 Aipfmane.exe 2272 Aipfmane.exe 2708 Abkhkgbb.exe 2708 Abkhkgbb.exe 1656 Akeijlfq.exe 1656 Akeijlfq.exe 2296 Acqnnndl.exe 2296 Acqnnndl.exe 1412 Bnhoag32.exe 1412 Bnhoag32.exe 2040 Bfccei32.exe 2040 Bfccei32.exe 1116 Bffpki32.exe 1116 Bffpki32.exe 1128 Blchcpko.exe 1128 Blchcpko.exe 976 Bncaekhp.exe 976 Bncaekhp.exe 2200 Clgbno32.exe 2200 Clgbno32.exe 2324 Cebcmdlg.exe 2324 Cebcmdlg.exe 844 Cojhejbh.exe 844 Cojhejbh.exe 1180 Cdgpnqpo.exe 1180 Cdgpnqpo.exe 2896 Cifelgmd.exe 2896 Cifelgmd.exe 1512 Dbafjlaa.exe 1512 Dbafjlaa.exe 2568 Dmgkgeah.exe 2568 Dmgkgeah.exe 2692 Dgoopkgh.exe 2692 Dgoopkgh.exe 2724 Dllhhaep.exe 2724 Dllhhaep.exe 2468 Daipqhdg.exe 2468 Daipqhdg.exe 2992 Domqjm32.exe 2992 Domqjm32.exe 1432 Egjbdo32.exe 1432 Egjbdo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Chdkak32.dll Ilcoce32.exe File created C:\Windows\SysWOW64\Gpogiglp.exe Gdhfdffl.exe File created C:\Windows\SysWOW64\Lnapncmc.dll Gncgbkki.exe File created C:\Windows\SysWOW64\Elipgofb.exe Epbpbnan.exe File opened for modification C:\Windows\SysWOW64\Cqfbjhgf.exe Cgnnab32.exe File created C:\Windows\SysWOW64\Lgjdnbkd.dll Jggoqimd.exe File created C:\Windows\SysWOW64\Jaiiogdj.dll Jnemfa32.exe File opened for modification C:\Windows\SysWOW64\Pjhnqfla.exe Pcnfdl32.exe File created C:\Windows\SysWOW64\Ckhnnjob.dll Hbaaik32.exe File created C:\Windows\SysWOW64\Efeckm32.dll Cjonncab.exe File opened for modification C:\Windows\SysWOW64\Ohipla32.exe Onqkclni.exe File created C:\Windows\SysWOW64\Qjmedhoe.dll Nojnql32.exe File created C:\Windows\SysWOW64\Gjlnjmna.dll Dfpcblfp.exe File created C:\Windows\SysWOW64\Qfikod32.exe Pmqffonj.exe File created C:\Windows\SysWOW64\Ogekpg32.exe Odbeilbg.exe File opened for modification C:\Windows\SysWOW64\Mlkjne32.exe Mbbfep32.exe File opened for modification C:\Windows\SysWOW64\Dhmhhmlm.exe Ddpobo32.exe File created C:\Windows\SysWOW64\Nameek32.exe Nlqmmd32.exe File created C:\Windows\SysWOW64\Ebdqhg32.dll Mokkegmm.exe File opened for modification C:\Windows\SysWOW64\Kaggbihl.exe Kfacdqhf.exe File opened for modification C:\Windows\SysWOW64\Gmlablaa.exe Ggbieb32.exe File created C:\Windows\SysWOW64\Iclafh32.dll Pcpbik32.exe File created C:\Windows\SysWOW64\Mpioba32.dll Plgolf32.exe File created C:\Windows\SysWOW64\Kndccd32.dll Fhljkm32.exe File created C:\Windows\SysWOW64\Hnbaif32.exe Hbkqdepm.exe File created C:\Windows\SysWOW64\Kkmmlgik.exe Kdbepm32.exe File created C:\Windows\SysWOW64\Alaqjaaa.exe Aeghng32.exe File created C:\Windows\SysWOW64\Iomgfhen.dll Flqkjo32.exe File created C:\Windows\SysWOW64\Iahkpg32.exe Illbhp32.exe File created C:\Windows\SysWOW64\Dfngll32.exe Dqaode32.exe File created C:\Windows\SysWOW64\Cdaimdkg.dll Padccpal.exe File opened for modification C:\Windows\SysWOW64\Kigibh32.exe Kffqqm32.exe File created C:\Windows\SysWOW64\Nfdddm32.exe Nlnpgd32.exe File opened for modification C:\Windows\SysWOW64\Leegbnan.exe Klmbjh32.exe File created C:\Windows\SysWOW64\Lalieb32.dll Kndbko32.exe File created C:\Windows\SysWOW64\Jpdihq32.dll Glbdnbpk.exe File created C:\Windows\SysWOW64\Bmmhbd32.dll Phcpgm32.exe File created C:\Windows\SysWOW64\Aqonbm32.exe Ajeeeblb.exe File opened for modification C:\Windows\SysWOW64\Fhjmfnok.exe Fcmdnfad.exe File created C:\Windows\SysWOW64\Fcpacf32.exe Fhjmfnok.exe File created C:\Windows\SysWOW64\Mcohhj32.dll Ldgnklmi.exe File created C:\Windows\SysWOW64\Nbpqmfmd.exe Noohlkpc.exe File created C:\Windows\SysWOW64\Mpmpji32.dll Gaeqmk32.exe File created C:\Windows\SysWOW64\Ohengmcf.exe Ojpaeq32.exe File created C:\Windows\SysWOW64\Nmnaak32.dll Kfkpknkq.exe File created C:\Windows\SysWOW64\Eggndi32.exe Epmfgo32.exe File opened for modification C:\Windows\SysWOW64\Bkhjamcf.exe Akfnkmei.exe File created C:\Windows\SysWOW64\Ppjedf32.dll Ifgklp32.exe File opened for modification C:\Windows\SysWOW64\Nfglfdeb.exe Npkdnnfk.exe File created C:\Windows\SysWOW64\Mgnedp32.dll Embkbdce.exe File created C:\Windows\SysWOW64\Qijdqp32.exe Qcmkhi32.exe File created C:\Windows\SysWOW64\Pkldcj32.dll Pojbkh32.exe File created C:\Windows\SysWOW64\Qimagi32.dll Ieigfk32.exe File created C:\Windows\SysWOW64\Cpqmndme.dll Qcachc32.exe File created C:\Windows\SysWOW64\Oeopijom.dll Cebeem32.exe File opened for modification C:\Windows\SysWOW64\Lehdhn32.exe Lonlkcho.exe File created C:\Windows\SysWOW64\Lljkif32.exe Ladgkmlj.exe File created C:\Windows\SysWOW64\Chgnneiq.exe Baneak32.exe File opened for modification C:\Windows\SysWOW64\Ladgkmlj.exe Lfkfkopk.exe File created C:\Windows\SysWOW64\Fmanal32.dll Cifelgmd.exe File created C:\Windows\SysWOW64\Ioiepeog.dll Mgmahg32.exe File created C:\Windows\SysWOW64\Abmgjo32.exe Afffenbp.exe File created C:\Windows\SysWOW64\Jplagm32.dll Fcmdnfad.exe File created C:\Windows\SysWOW64\Mphiqbon.exe Lfbdci32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkknn32.dll" Fhgppnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agglbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iickckcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhfbgmj.dll" Cceapl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajipkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aejglo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njdqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnmeelc.dll" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifbphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciagojda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcipgdao.dll" Lljipmdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkmollme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdflqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pllkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eldbkbop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldgnklmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abdeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbpdeogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbaelak.dll" Dpfkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjlgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dllhhaep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clojhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epmfgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eikimeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pklqifff.dll" Hnmcli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node e45f30618740627b19acb8b923255100_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbppnbhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apkbnibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmjbf32.dll" Jjdofm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nojnql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahngomkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplkbo32.dll" Pcnfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfoacnc.dll" Pjlgle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 e45f30618740627b19acb8b923255100_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdiia32.dll" Clgbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiffkkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khldkllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aohgfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moohhbcf.dll" Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdbpekam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaklhb32.dll" Qcmkhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkjmoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondii32.dll" Kfbfkmeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaeqmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljkif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maoalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmdfm32.dll" Gibkmgcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kihpmnbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hofjem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlboaceh.dll" Omioekbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddhaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmcad32.dll" Lmhbgpia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fikelhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnjbhgo.dll" Gjjafkpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjlmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfgnnhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmpji32.dll" Gaeqmk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1936 wrote to memory of 2032 1936 e45f30618740627b19acb8b923255100_NeikiAnalytics.exe 28 PID 1936 wrote to memory of 2032 1936 e45f30618740627b19acb8b923255100_NeikiAnalytics.exe 28 PID 1936 wrote to memory of 2032 1936 e45f30618740627b19acb8b923255100_NeikiAnalytics.exe 28 PID 1936 wrote to memory of 2032 1936 e45f30618740627b19acb8b923255100_NeikiAnalytics.exe 28 PID 2032 wrote to memory of 2652 2032 Odbeilbg.exe 29 PID 2032 wrote to memory of 2652 2032 Odbeilbg.exe 29 PID 2032 wrote to memory of 2652 2032 Odbeilbg.exe 29 PID 2032 wrote to memory of 2652 2032 Odbeilbg.exe 29 PID 2652 wrote to memory of 2656 2652 Ogekpg32.exe 30 PID 2652 wrote to memory of 2656 2652 Ogekpg32.exe 30 PID 2652 wrote to memory of 2656 2652 Ogekpg32.exe 30 PID 2652 wrote to memory of 2656 2652 Ogekpg32.exe 30 PID 2656 wrote to memory of 2728 2656 Ooclji32.exe 31 PID 2656 wrote to memory of 2728 2656 Ooclji32.exe 31 PID 2656 wrote to memory of 2728 2656 Ooclji32.exe 31 PID 2656 wrote to memory of 2728 2656 Ooclji32.exe 31 PID 2728 wrote to memory of 2424 2728 Pkjmoj32.exe 32 PID 2728 wrote to memory of 2424 2728 Pkjmoj32.exe 32 PID 2728 wrote to memory of 2424 2728 Pkjmoj32.exe 32 PID 2728 wrote to memory of 2424 2728 Pkjmoj32.exe 32 PID 2424 wrote to memory of 2944 2424 Pdbahpec.exe 33 PID 2424 wrote to memory of 2944 2424 Pdbahpec.exe 33 PID 2424 wrote to memory of 2944 2424 Pdbahpec.exe 33 PID 2424 wrote to memory of 2944 2424 Pdbahpec.exe 33 PID 2944 wrote to memory of 1056 2944 Pnjfae32.exe 34 PID 2944 wrote to memory of 1056 2944 Pnjfae32.exe 34 PID 2944 wrote to memory of 1056 2944 Pnjfae32.exe 34 PID 2944 wrote to memory of 1056 2944 Pnjfae32.exe 34 PID 1056 wrote to memory of 1960 1056 Pojbkh32.exe 35 PID 1056 wrote to memory of 1960 1056 Pojbkh32.exe 35 PID 1056 wrote to memory of 1960 1056 Pojbkh32.exe 35 PID 1056 wrote to memory of 1960 1056 Pojbkh32.exe 35 PID 1960 wrote to memory of 2144 1960 Pakllc32.exe 36 PID 1960 wrote to memory of 2144 1960 Pakllc32.exe 36 PID 1960 wrote to memory of 2144 1960 Pakllc32.exe 36 PID 1960 wrote to memory of 2144 1960 Pakllc32.exe 36 PID 2144 wrote to memory of 952 2144 Pjfpafmb.exe 37 PID 2144 wrote to memory of 952 2144 Pjfpafmb.exe 37 PID 2144 wrote to memory of 952 2144 Pjfpafmb.exe 37 PID 2144 wrote to memory of 952 2144 Pjfpafmb.exe 37 PID 952 wrote to memory of 2272 952 Qjkjle32.exe 38 PID 952 wrote to memory of 2272 952 Qjkjle32.exe 38 PID 952 wrote to memory of 2272 952 Qjkjle32.exe 38 PID 952 wrote to memory of 2272 952 Qjkjle32.exe 38 PID 2272 wrote to memory of 2708 2272 Aipfmane.exe 39 PID 2272 wrote to memory of 2708 2272 Aipfmane.exe 39 PID 2272 wrote to memory of 2708 2272 Aipfmane.exe 39 PID 2272 wrote to memory of 2708 2272 Aipfmane.exe 39 PID 2708 wrote to memory of 1656 2708 Abkhkgbb.exe 40 PID 2708 wrote to memory of 1656 2708 Abkhkgbb.exe 40 PID 2708 wrote to memory of 1656 2708 Abkhkgbb.exe 40 PID 2708 wrote to memory of 1656 2708 Abkhkgbb.exe 40 PID 1656 wrote to memory of 2296 1656 Akeijlfq.exe 41 PID 1656 wrote to memory of 2296 1656 Akeijlfq.exe 41 PID 1656 wrote to memory of 2296 1656 Akeijlfq.exe 41 PID 1656 wrote to memory of 2296 1656 Akeijlfq.exe 41 PID 2296 wrote to memory of 1412 2296 Acqnnndl.exe 42 PID 2296 wrote to memory of 1412 2296 Acqnnndl.exe 42 PID 2296 wrote to memory of 1412 2296 Acqnnndl.exe 42 PID 2296 wrote to memory of 1412 2296 Acqnnndl.exe 42 PID 1412 wrote to memory of 2040 1412 Bnhoag32.exe 43 PID 1412 wrote to memory of 2040 1412 Bnhoag32.exe 43 PID 1412 wrote to memory of 2040 1412 Bnhoag32.exe 43 PID 1412 wrote to memory of 2040 1412 Bnhoag32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e45f30618740627b19acb8b923255100_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e45f30618740627b19acb8b923255100_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1180 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe26⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe27⤵
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe34⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe35⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe36⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe37⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe38⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe39⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe40⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe41⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe42⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe43⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe44⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe45⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe46⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe47⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe48⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe49⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe51⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe52⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe53⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe57⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe59⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe60⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe62⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe63⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe66⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe67⤵PID:2044
-
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe68⤵PID:3060
-
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe69⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe70⤵PID:1672
-
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe71⤵PID:1840
-
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe72⤵PID:608
-
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe73⤵PID:2120
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe74⤵PID:2508
-
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe75⤵PID:2612
-
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe76⤵PID:2616
-
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe77⤵PID:1456
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe78⤵PID:1752
-
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe79⤵PID:2588
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe80⤵PID:964
-
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe81⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe82⤵
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe83⤵PID:1892
-
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:764 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe85⤵PID:276
-
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe86⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe87⤵PID:3052
-
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe88⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe89⤵PID:1288
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe90⤵PID:1796
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe91⤵PID:988
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe92⤵PID:1824
-
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe93⤵PID:1844
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe94⤵PID:900
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe95⤵PID:1560
-
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe96⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe97⤵PID:2580
-
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe98⤵PID:564
-
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe99⤵PID:308
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe100⤵PID:1880
-
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe102⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe103⤵PID:1376
-
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe104⤵PID:2876
-
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:596 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe106⤵PID:3020
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe107⤵PID:1832
-
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe108⤵PID:1444
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe109⤵PID:1884
-
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe110⤵PID:1632
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe111⤵PID:2116
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe112⤵PID:1572
-
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe113⤵PID:2572
-
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe114⤵PID:2420
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1168 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe117⤵PID:2412
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe118⤵PID:2904
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe119⤵PID:3048
-
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe120⤵PID:1836
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe121⤵PID:2088
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-