Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-05-2024 00:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe
-
Size
67KB
-
MD5
67702883dd22f735a34feb71a8f4d840
-
SHA1
bf8ef23bcef2e5cec76b9d3d6c7e6d7f5dfd0577
-
SHA256
7e7d31eb55d4cf579610888d2c43ac765e4854b4cfd453e14c785fe9391a585d
-
SHA512
411240e5d3e737b6a2490cd7a0720599a2c121155b7ac9c18e2b83f206bb4425f0300690ef61d46f4973f93dd0dae178ac9223255eb411afd5a0ad619fd6f913
-
SSDEEP
1536:C2jucwtXBP+fFqU2Es2vd8vK5Na1cgCe8uC:TucwtV+fFr2A0+NaugCe8uC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecploipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folfoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbafjlaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcejm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldllgiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcegin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjdjklek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkkija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmglajcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkqnoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omioekbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bekmle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cicalakk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcbabpcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqkobqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhiomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbpnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjfgqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehpalp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjicfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipiljgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjihalag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmhhmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgmodel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmfbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklkcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinqgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ielclkhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gceailog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cacclpae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjlnpmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnngfna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpqnhadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mngjeamd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panaeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blchcpko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmopkla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpigma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjicfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmeoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cagienkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbhdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmbek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pleofj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nadimacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmegncpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkakl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkhldafl.exe -
Executes dropped EXE 64 IoCs
pid Process 1740 Ndnlnm32.exe 2916 Nadimacd.exe 2668 Omkjbb32.exe 2680 Ogcnkgoh.exe 2520 Ommfga32.exe 2428 Pkjmoj32.exe 2332 Pdbahpec.exe 1656 Pojbkh32.exe 2340 Pqkobqhd.exe 1532 Pakllc32.exe 1128 Pkcpei32.exe 1104 Pcnejk32.exe 1728 Qndigd32.exe 936 Qogbdl32.exe 1112 Aipfmane.exe 592 Amnocpdk.exe 1992 Anolkh32.exe 1468 Aggpdnpj.exe 956 Aekqmbod.exe 784 Agljom32.exe 672 Bmibgd32.exe 1940 Bcegin32.exe 2960 Bjoofhgc.exe 2300 Blchcpko.exe 268 Bekmle32.exe 1704 Bncaekhp.exe 2872 Cpcnonob.exe 1536 Cjmopkla.exe 3040 Cffljlpc.exe 2532 Cakqgeoi.exe 2516 Dpqnhadq.exe 2356 Dbafjlaa.exe 2208 Dljkcb32.exe 2992 Dojddmec.exe 1480 Dedlag32.exe 908 Ekcaonhe.exe 2688 Egahen32.exe 1620 Fgcejm32.exe 1524 Fbmfkkbm.exe 1640 Fbpbpkpj.exe 2716 Fmegncpp.exe 1628 Fnfcel32.exe 2784 Fgohna32.exe 2956 Fdbhge32.exe 2288 Gnkmqkbi.exe 1564 Geeemeif.exe 1200 Gjbmelgm.exe 1944 Gmpjagfa.exe 1044 Gjdjklek.exe 2864 Gjfgqk32.exe 892 Gpcoib32.exe 2264 Gjicfk32.exe 1612 Gbdhjm32.exe 2540 Hinqgg32.exe 2672 Hnkion32.exe 2912 Hipmmg32.exe 2352 Hloiib32.exe 2420 Hnmeen32.exe 2080 Hegnahjo.exe 1972 Hlafnbal.exe 2400 Hbknkl32.exe 1948 Hhhgcc32.exe 2544 Hnbopmnm.exe 1136 Helgmg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2240 67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe 2240 67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe 1740 Ndnlnm32.exe 1740 Ndnlnm32.exe 2916 Nadimacd.exe 2916 Nadimacd.exe 2668 Omkjbb32.exe 2668 Omkjbb32.exe 2680 Ogcnkgoh.exe 2680 Ogcnkgoh.exe 2520 Ommfga32.exe 2520 Ommfga32.exe 2428 Pkjmoj32.exe 2428 Pkjmoj32.exe 2332 Pdbahpec.exe 2332 Pdbahpec.exe 1656 Pojbkh32.exe 1656 Pojbkh32.exe 2340 Pqkobqhd.exe 2340 Pqkobqhd.exe 1532 Pakllc32.exe 1532 Pakllc32.exe 1128 Pkcpei32.exe 1128 Pkcpei32.exe 1104 Pcnejk32.exe 1104 Pcnejk32.exe 1728 Qndigd32.exe 1728 Qndigd32.exe 936 Qogbdl32.exe 936 Qogbdl32.exe 1112 Aipfmane.exe 1112 Aipfmane.exe 592 Amnocpdk.exe 592 Amnocpdk.exe 1992 Anolkh32.exe 1992 Anolkh32.exe 1468 Aggpdnpj.exe 1468 Aggpdnpj.exe 956 Aekqmbod.exe 956 Aekqmbod.exe 784 Agljom32.exe 784 Agljom32.exe 672 Bmibgd32.exe 672 Bmibgd32.exe 1940 Bcegin32.exe 1940 Bcegin32.exe 2960 Bjoofhgc.exe 2960 Bjoofhgc.exe 2300 Blchcpko.exe 2300 Blchcpko.exe 268 Bekmle32.exe 268 Bekmle32.exe 1704 Bncaekhp.exe 1704 Bncaekhp.exe 2032 Cikbhc32.exe 2032 Cikbhc32.exe 1536 Cjmopkla.exe 1536 Cjmopkla.exe 3040 Cffljlpc.exe 3040 Cffljlpc.exe 2532 Cakqgeoi.exe 2532 Cakqgeoi.exe 2516 Dpqnhadq.exe 2516 Dpqnhadq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ianmffff.dll Ndnlnm32.exe File created C:\Windows\SysWOW64\Dpqnhadq.exe Cakqgeoi.exe File created C:\Windows\SysWOW64\Libmpn32.dll Ielclkhe.exe File opened for modification C:\Windows\SysWOW64\Jhafhe32.exe Jnkakl32.exe File created C:\Windows\SysWOW64\Kfbfkmeh.exe Kljabgnh.exe File created C:\Windows\SysWOW64\Lgghom32.dll Lokgcf32.exe File created C:\Windows\SysWOW64\Cefhdnca.dll Kgclio32.exe File opened for modification C:\Windows\SysWOW64\Gmpjagfa.exe Gjbmelgm.exe File created C:\Windows\SysWOW64\Gfikmo32.dll Boljgg32.exe File created C:\Windows\SysWOW64\Opknndcg.dll Qogbdl32.exe File opened for modification C:\Windows\SysWOW64\Amaelomh.exe Afgmodel.exe File opened for modification C:\Windows\SysWOW64\Loefnpnn.exe Lfmbek32.exe File opened for modification C:\Windows\SysWOW64\Fbmfkkbm.exe Fgcejm32.exe File opened for modification C:\Windows\SysWOW64\Clmdmm32.exe Cjlheehe.exe File created C:\Windows\SysWOW64\Mdeobp32.dll Flfpabkp.exe File created C:\Windows\SysWOW64\Cpcnonob.exe Bncaekhp.exe File created C:\Windows\SysWOW64\Fdmfgfng.dll Jhafhe32.exe File created C:\Windows\SysWOW64\Oflpao32.dll Kbigpn32.exe File created C:\Windows\SysWOW64\Gobdahei.dll Klpdaf32.exe File opened for modification C:\Windows\SysWOW64\Cgaaah32.exe Cagienkb.exe File created C:\Windows\SysWOW64\Bjoofhgc.exe Bcegin32.exe File created C:\Windows\SysWOW64\Cjlheehe.exe Cacclpae.exe File opened for modification C:\Windows\SysWOW64\Doecog32.exe Ddpobo32.exe File opened for modification C:\Windows\SysWOW64\Ghdgfbkl.exe Gcgnnlle.exe File created C:\Windows\SysWOW64\Kaajei32.exe Kglehp32.exe File created C:\Windows\SysWOW64\Blchcpko.exe Bjoofhgc.exe File opened for modification C:\Windows\SysWOW64\Gjdjklek.exe Gmpjagfa.exe File created C:\Windows\SysWOW64\Ocaeoe32.dll Ipehmebh.exe File opened for modification C:\Windows\SysWOW64\Jjdofm32.exe Jckgicnp.exe File created C:\Windows\SysWOW64\Hpdqdddf.dll Jckgicnp.exe File opened for modification C:\Windows\SysWOW64\Jpogbgmi.exe Jjdofm32.exe File opened for modification C:\Windows\SysWOW64\Biolanld.exe Bbeded32.exe File created C:\Windows\SysWOW64\Pafdjmkq.exe Pepcelel.exe File created C:\Windows\SysWOW64\Obahbj32.dll Bjkhdacm.exe File created C:\Windows\SysWOW64\Qblodoke.dll Ogcnkgoh.exe File opened for modification C:\Windows\SysWOW64\Ifdjeoep.exe Iipiljgf.exe File created C:\Windows\SysWOW64\Mjkgjl32.exe Mpebmc32.exe File created C:\Windows\SysWOW64\Afffenbp.exe Alnalh32.exe File opened for modification C:\Windows\SysWOW64\Kbigpn32.exe Kllnhg32.exe File created C:\Windows\SysWOW64\Bbeded32.exe Bmhkmm32.exe File created C:\Windows\SysWOW64\Eclbcj32.exe Dkqnoh32.exe File created C:\Windows\SysWOW64\Gkpfmnlb.exe Gceailog.exe File opened for modification C:\Windows\SysWOW64\Bncaekhp.exe Bekmle32.exe File created C:\Windows\SysWOW64\Aohdmdoh.exe Qjklenpa.exe File opened for modification C:\Windows\SysWOW64\Fmegncpp.exe Fbpbpkpj.exe File created C:\Windows\SysWOW64\Gjdjklek.exe Gmpjagfa.exe File opened for modification C:\Windows\SysWOW64\Akiobk32.exe Ajgbkbjp.exe File created C:\Windows\SysWOW64\Ielclkhe.exe Ipokcdjn.exe File created C:\Windows\SysWOW64\Amcbankf.exe Aggiigmn.exe File created C:\Windows\SysWOW64\Kncaojfb.exe Khghgchk.exe File created C:\Windows\SysWOW64\Djdgic32.exe Calcpm32.exe File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe Djdgic32.exe File opened for modification C:\Windows\SysWOW64\Pcnejk32.exe Pkcpei32.exe File created C:\Windows\SysWOW64\Pahoec32.dll Cicalakk.exe File created C:\Windows\SysWOW64\Moanlj32.dll Ehpalp32.exe File created C:\Windows\SysWOW64\Eligcnhi.dll Gceailog.exe File opened for modification C:\Windows\SysWOW64\Mggabaea.exe Mqnifg32.exe File created C:\Windows\SysWOW64\Ldoimh32.exe Ljieppcb.exe File created C:\Windows\SysWOW64\Ahgofi32.exe Anbkipok.exe File opened for modification C:\Windows\SysWOW64\Gcgnnlle.exe Gkpfmnlb.exe File created C:\Windows\SysWOW64\Jpigma32.exe Jioopgef.exe File created C:\Windows\SysWOW64\Moohhbcf.dll Nhgnaehm.exe File created C:\Windows\SysWOW64\Leblqb32.dll Ppnnai32.exe File opened for modification C:\Windows\SysWOW64\Caifjn32.exe Cgaaah32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3992 3836 WerFault.exe 311 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkjmoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ielclkhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfbfkmeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiedpcpm.dll" Aggpdnpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbknkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnnefda.dll" Kjihalag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afffenbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lddlkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmfgfng.dll" Jhafhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhiomn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefpeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omkjbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agljom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdndgcj.dll" Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfegij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kncaojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opnbbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpcooea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipiljgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlemad32.dll" Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mplfpn32.dll" Fgohna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbfnh32.dll" Fdbhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmdnqgj.dll" Gpcoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflpao32.dll" Kbigpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andpoahc.dll" Kadfkhkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgoime32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amnocpdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcegin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleohi32.dll" Gnkmqkbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifdjeoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gblkoham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfegij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpebmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caphpgkj.dll" Ldllgiek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmmagpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjakccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mijamjnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldllgiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afoddn32.dll" Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmglf32.dll" Mlfacfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Locjhqpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhblch32.dll" Fbpbpkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapfdgmi.dll" Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heapkela.dll" Ljkaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmjbf32.dll" Jpogbgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfihkoal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moohhbcf.dll" Nhgnaehm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hegnahjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkpjmlfb.dll" Jnkakl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 1740 2240 67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe 28 PID 2240 wrote to memory of 1740 2240 67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe 28 PID 2240 wrote to memory of 1740 2240 67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe 28 PID 2240 wrote to memory of 1740 2240 67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe 28 PID 1740 wrote to memory of 2916 1740 Ndnlnm32.exe 29 PID 1740 wrote to memory of 2916 1740 Ndnlnm32.exe 29 PID 1740 wrote to memory of 2916 1740 Ndnlnm32.exe 29 PID 1740 wrote to memory of 2916 1740 Ndnlnm32.exe 29 PID 2916 wrote to memory of 2668 2916 Nadimacd.exe 30 PID 2916 wrote to memory of 2668 2916 Nadimacd.exe 30 PID 2916 wrote to memory of 2668 2916 Nadimacd.exe 30 PID 2916 wrote to memory of 2668 2916 Nadimacd.exe 30 PID 2668 wrote to memory of 2680 2668 Omkjbb32.exe 31 PID 2668 wrote to memory of 2680 2668 Omkjbb32.exe 31 PID 2668 wrote to memory of 2680 2668 Omkjbb32.exe 31 PID 2668 wrote to memory of 2680 2668 Omkjbb32.exe 31 PID 2680 wrote to memory of 2520 2680 Ogcnkgoh.exe 32 PID 2680 wrote to memory of 2520 2680 Ogcnkgoh.exe 32 PID 2680 wrote to memory of 2520 2680 Ogcnkgoh.exe 32 PID 2680 wrote to memory of 2520 2680 Ogcnkgoh.exe 32 PID 2520 wrote to memory of 2428 2520 Ommfga32.exe 33 PID 2520 wrote to memory of 2428 2520 Ommfga32.exe 33 PID 2520 wrote to memory of 2428 2520 Ommfga32.exe 33 PID 2520 wrote to memory of 2428 2520 Ommfga32.exe 33 PID 2428 wrote to memory of 2332 2428 Pkjmoj32.exe 34 PID 2428 wrote to memory of 2332 2428 Pkjmoj32.exe 34 PID 2428 wrote to memory of 2332 2428 Pkjmoj32.exe 34 PID 2428 wrote to memory of 2332 2428 Pkjmoj32.exe 34 PID 2332 wrote to memory of 1656 2332 Pdbahpec.exe 35 PID 2332 wrote to memory of 1656 2332 Pdbahpec.exe 35 PID 2332 wrote to memory of 1656 2332 Pdbahpec.exe 35 PID 2332 wrote to memory of 1656 2332 Pdbahpec.exe 35 PID 1656 wrote to memory of 2340 1656 Pojbkh32.exe 36 PID 1656 wrote to memory of 2340 1656 Pojbkh32.exe 36 PID 1656 wrote to memory of 2340 1656 Pojbkh32.exe 36 PID 1656 wrote to memory of 2340 1656 Pojbkh32.exe 36 PID 2340 wrote to memory of 1532 2340 Pqkobqhd.exe 37 PID 2340 wrote to memory of 1532 2340 Pqkobqhd.exe 37 PID 2340 wrote to memory of 1532 2340 Pqkobqhd.exe 37 PID 2340 wrote to memory of 1532 2340 Pqkobqhd.exe 37 PID 1532 wrote to memory of 1128 1532 Pakllc32.exe 38 PID 1532 wrote to memory of 1128 1532 Pakllc32.exe 38 PID 1532 wrote to memory of 1128 1532 Pakllc32.exe 38 PID 1532 wrote to memory of 1128 1532 Pakllc32.exe 38 PID 1128 wrote to memory of 1104 1128 Pkcpei32.exe 39 PID 1128 wrote to memory of 1104 1128 Pkcpei32.exe 39 PID 1128 wrote to memory of 1104 1128 Pkcpei32.exe 39 PID 1128 wrote to memory of 1104 1128 Pkcpei32.exe 39 PID 1104 wrote to memory of 1728 1104 Pcnejk32.exe 40 PID 1104 wrote to memory of 1728 1104 Pcnejk32.exe 40 PID 1104 wrote to memory of 1728 1104 Pcnejk32.exe 40 PID 1104 wrote to memory of 1728 1104 Pcnejk32.exe 40 PID 1728 wrote to memory of 936 1728 Qndigd32.exe 41 PID 1728 wrote to memory of 936 1728 Qndigd32.exe 41 PID 1728 wrote to memory of 936 1728 Qndigd32.exe 41 PID 1728 wrote to memory of 936 1728 Qndigd32.exe 41 PID 936 wrote to memory of 1112 936 Qogbdl32.exe 42 PID 936 wrote to memory of 1112 936 Qogbdl32.exe 42 PID 936 wrote to memory of 1112 936 Qogbdl32.exe 42 PID 936 wrote to memory of 1112 936 Qogbdl32.exe 42 PID 1112 wrote to memory of 592 1112 Aipfmane.exe 43 PID 1112 wrote to memory of 592 1112 Aipfmane.exe 43 PID 1112 wrote to memory of 592 1112 Aipfmane.exe 43 PID 1112 wrote to memory of 592 1112 Aipfmane.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\67702883dd22f735a34feb71a8f4d840_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:672 -
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe28⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe29⤵
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe35⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe36⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe37⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe38⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe39⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe41⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe44⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe48⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe55⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe57⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe58⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe59⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe60⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe64⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe65⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe67⤵PID:948
-
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe69⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe70⤵PID:2232
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe71⤵PID:1544
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe73⤵
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe74⤵PID:2876
-
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe75⤵PID:2008
-
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe76⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe79⤵PID:2552
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:292 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:864 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe84⤵PID:2172
-
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe85⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe86⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe87⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe88⤵PID:628
-
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe89⤵PID:1960
-
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe91⤵PID:1548
-
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe93⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe94⤵
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe95⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe97⤵PID:3024
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe98⤵PID:2432
-
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe99⤵PID:1384
-
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe101⤵
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe102⤵PID:2184
-
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe103⤵
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe104⤵PID:1768
-
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe105⤵
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe106⤵
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe107⤵PID:1476
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe108⤵PID:1956
-
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe109⤵PID:1652
-
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe110⤵
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe111⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe112⤵PID:2620
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe113⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe115⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe116⤵PID:636
-
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe117⤵PID:1168
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe118⤵PID:772
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe119⤵PID:2180
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe120⤵
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe121⤵PID:880
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-