Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
28/05/2024, 12:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
433331c6666a6775686e70d50dd7cf80
-
SHA1
675944c78a1c343e2dc2db61936a543690865834
-
SHA256
585055c40d672e476a2b89d08a6343fce7e175019ff73e99aba0f1b310bc0492
-
SHA512
c6ac1248e1f52f90560d9bdbd09d76dd7776ea5c85a2259176d45d3724cc900cf4de87df9cd90420c59e9474f6237e38af46a274f123de42fbd2b80f4677748b
-
SSDEEP
24576:QJS2Ph2kkkkK4kXkkkkkkkke50+YNpsKv2EvZHp3oW6:QJSlKLXZM
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabjem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpgljfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbidgeci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkmlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pngphgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhbfdjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmjgeaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lliflp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqbaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihjnom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcefjgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odoloalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pckoam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfiale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqeicede.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njkfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlphkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebodiofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ganpomec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcaoajg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbelipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeqbkkej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkklljmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhjgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oohqqlei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfgdhjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfqaiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iimjmbae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pihgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aigchgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngnbgplj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjakmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfjbdle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lphhenhc.exe -
Executes dropped EXE 64 IoCs
pid Process 2988 Nghphaeo.exe 2672 Njkfpl32.exe 2116 Omloag32.exe 2524 Ofdcjm32.exe 2476 Ojkboo32.exe 1744 Pminkk32.exe 1500 Ppmdbe32.exe 2600 Pfflopdh.exe 1084 Pabjem32.exe 2288 Qeqbkkej.exe 1268 Ajbdna32.exe 1952 Apajlhka.exe 2072 Bdhhqk32.exe 2788 Bnpmipql.exe 1320 Ccfhhffh.exe 556 Claifkkf.exe 2224 Dhjgal32.exe 2596 Dkhcmgnl.exe 2948 Dkkpbgli.exe 1932 Dcfdgiid.exe 320 Djbiicon.exe 896 Dfijnd32.exe 2196 Eqonkmdh.exe 2792 Ebpkce32.exe 2932 Epdkli32.exe 2592 Emhlfmgj.exe 2504 Enihne32.exe 2556 Eeempocb.exe 2612 Fjdbnf32.exe 2576 Ffkcbgek.exe 2424 Faagpp32.exe 1588 Fbdqmghm.exe 1652 Fphafl32.exe 2500 Ffbicfoc.exe 2296 Fmlapp32.exe 2472 Gicbeald.exe 2140 Gbkgnfbd.exe 1236 Gobgcg32.exe 1676 Gkihhhnm.exe 2508 Gacpdbej.exe 1208 Gkkemh32.exe 780 Gddifnbk.exe 524 Hmlnoc32.exe 1144 Hcifgjgc.exe 1808 Hnojdcfi.exe 2380 Hggomh32.exe 1504 Hnagjbdf.exe 968 Hobcak32.exe 376 Hgilchkf.exe 1432 Hcplhi32.exe 340 Henidd32.exe 2960 Hkkalk32.exe 3040 Iaeiieeb.exe 2608 Ilknfn32.exe 1540 Igdogl32.exe 2704 Iokfhi32.exe 2436 Iqmcpahh.exe 1884 Iggkllpe.exe 2844 Ikbgmj32.exe 2136 Igihbknb.exe 2484 Ijgdngmf.exe 2292 Idmhkpml.exe 1648 Jjjacf32.exe 3044 Jmhmpb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2748 433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe 2748 433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe 2988 Nghphaeo.exe 2988 Nghphaeo.exe 2672 Njkfpl32.exe 2672 Njkfpl32.exe 2116 Omloag32.exe 2116 Omloag32.exe 2524 Ofdcjm32.exe 2524 Ofdcjm32.exe 2476 Ojkboo32.exe 2476 Ojkboo32.exe 1744 Pminkk32.exe 1744 Pminkk32.exe 1500 Ppmdbe32.exe 1500 Ppmdbe32.exe 2600 Pfflopdh.exe 2600 Pfflopdh.exe 1084 Pabjem32.exe 1084 Pabjem32.exe 2288 Qeqbkkej.exe 2288 Qeqbkkej.exe 1268 Ajbdna32.exe 1268 Ajbdna32.exe 1952 Apajlhka.exe 1952 Apajlhka.exe 2072 Bdhhqk32.exe 2072 Bdhhqk32.exe 2788 Bnpmipql.exe 2788 Bnpmipql.exe 1320 Ccfhhffh.exe 1320 Ccfhhffh.exe 556 Claifkkf.exe 556 Claifkkf.exe 2224 Dhjgal32.exe 2224 Dhjgal32.exe 2596 Dkhcmgnl.exe 2596 Dkhcmgnl.exe 2948 Dkkpbgli.exe 2948 Dkkpbgli.exe 1932 Dcfdgiid.exe 1932 Dcfdgiid.exe 320 Djbiicon.exe 320 Djbiicon.exe 896 Dfijnd32.exe 896 Dfijnd32.exe 2196 Eqonkmdh.exe 2196 Eqonkmdh.exe 2792 Ebpkce32.exe 2792 Ebpkce32.exe 2932 Epdkli32.exe 2932 Epdkli32.exe 2592 Emhlfmgj.exe 2592 Emhlfmgj.exe 2504 Enihne32.exe 2504 Enihne32.exe 2556 Eeempocb.exe 2556 Eeempocb.exe 2612 Fjdbnf32.exe 2612 Fjdbnf32.exe 2576 Ffkcbgek.exe 2576 Ffkcbgek.exe 2424 Faagpp32.exe 2424 Faagpp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hcgdenbm.dll Nadpgggp.exe File opened for modification C:\Windows\SysWOW64\Fhqbkhch.exe Fbdjbaea.exe File created C:\Windows\SysWOW64\Lpekon32.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Jjpcbe32.exe Jhngjmlo.exe File opened for modification C:\Windows\SysWOW64\Ngdifkpi.exe Nhaikn32.exe File created C:\Windows\SysWOW64\Biojif32.exe Becnhgmg.exe File opened for modification C:\Windows\SysWOW64\Fjdbnf32.exe Eeempocb.exe File created C:\Windows\SysWOW64\Cadhnmnm.exe Bbokmqie.exe File opened for modification C:\Windows\SysWOW64\Okoafmkm.exe Ohaeia32.exe File created C:\Windows\SysWOW64\Eeempocb.exe Enihne32.exe File created C:\Windows\SysWOW64\Mdkmeh32.dll Igdogl32.exe File opened for modification C:\Windows\SysWOW64\Gikaio32.exe Gdniqh32.exe File created C:\Windows\SysWOW64\Olliabba.dll Lphhenhc.exe File created C:\Windows\SysWOW64\Oaajloig.dll Mencccop.exe File created C:\Windows\SysWOW64\Ajpjcomh.dll Bmhideol.exe File opened for modification C:\Windows\SysWOW64\Eeempocb.exe Enihne32.exe File created C:\Windows\SysWOW64\Qmaqpohl.dll Ganpomec.exe File created C:\Windows\SysWOW64\Okphjd32.dll Bifgdk32.exe File created C:\Windows\SysWOW64\Flcnijgi.dll Dcfdgiid.exe File created C:\Windows\SysWOW64\Kgcampld.dll Epdkli32.exe File created C:\Windows\SysWOW64\Ibafdk32.dll Nodgel32.exe File opened for modification C:\Windows\SysWOW64\Piekcd32.exe Pbkbgjcc.exe File opened for modification C:\Windows\SysWOW64\Aajbne32.exe Anlfbi32.exe File created C:\Windows\SysWOW64\Nbniiffi.dll Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Bioqclil.exe Bhndldcn.exe File created C:\Windows\SysWOW64\Ihfhdp32.dll Iccbqh32.exe File opened for modification C:\Windows\SysWOW64\Ohaeia32.exe Oebimf32.exe File created C:\Windows\SysWOW64\Fbdqmghm.exe Faagpp32.exe File opened for modification C:\Windows\SysWOW64\Hmdmcanc.exe Heihnoph.exe File created C:\Windows\SysWOW64\Ngdifkpi.exe Nhaikn32.exe File created C:\Windows\SysWOW64\Ifjcng32.dll Nghphaeo.exe File created C:\Windows\SysWOW64\Ihclng32.dll Kkaiqk32.exe File created C:\Windows\SysWOW64\Pjcabmga.exe Pgeefbhm.exe File created C:\Windows\SysWOW64\Onjnkb32.dll Anccmo32.exe File opened for modification C:\Windows\SysWOW64\Hojgfemq.exe Ghqnjk32.exe File created C:\Windows\SysWOW64\Macalohk.dll Mkklljmg.exe File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Fbdqmghm.exe File opened for modification C:\Windows\SysWOW64\Lecgje32.exe Lojomkdn.exe File created C:\Windows\SysWOW64\Lmikibio.exe Lgmcqkkh.exe File created C:\Windows\SysWOW64\Ajbdna32.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Lhghcb32.dll Fbdjbaea.exe File created C:\Windows\SysWOW64\Ilfila32.dll Pckoam32.exe File created C:\Windows\SysWOW64\Pmdoik32.dll Eqonkmdh.exe File created C:\Windows\SysWOW64\Fmmnjfia.dll Ffhpbacb.exe File opened for modification C:\Windows\SysWOW64\Ncmfqkdj.exe Npojdpef.exe File opened for modification C:\Windows\SysWOW64\Jbjochdi.exe Jkpgfn32.exe File created C:\Windows\SysWOW64\Nkemkhcd.dll Pjadmnic.exe File opened for modification C:\Windows\SysWOW64\Oikojfgk.exe Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Qfokbnip.exe Qmfgjh32.exe File created C:\Windows\SysWOW64\Dfamcogo.exe Dogefd32.exe File opened for modification C:\Windows\SysWOW64\Ndhipoob.exe Nplmop32.exe File created C:\Windows\SysWOW64\Icdleb32.dll Oebimf32.exe File created C:\Windows\SysWOW64\Cophek32.dll Achojp32.exe File opened for modification C:\Windows\SysWOW64\Gicbeald.exe Fmlapp32.exe File opened for modification C:\Windows\SysWOW64\Mgnfhlin.exe Mijfnh32.exe File opened for modification C:\Windows\SysWOW64\Pmanoifd.exe Pjcabmga.exe File created C:\Windows\SysWOW64\Qmbbdq32.dll Fadminnn.exe File opened for modification C:\Windows\SysWOW64\Leimip32.exe Kbkameaf.exe File created C:\Windows\SysWOW64\Nhnijp32.dll Iqmcpahh.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Lliflp32.exe File created C:\Windows\SysWOW64\Fnhnbb32.exe Fhneehek.exe File opened for modification C:\Windows\SysWOW64\Jfknbe32.exe Jcmafj32.exe File opened for modification C:\Windows\SysWOW64\Chkmkacq.exe Cpceidcn.exe File created C:\Windows\SysWOW64\Pfflopdh.exe Ppmdbe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4472 4428 WerFault.exe 396 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oebimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll" Apoooa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll" Eqonkmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dookgcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgfqaiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll" Bmeimhdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjcabmga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbkameaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mholen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooklook.dll" Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmneda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbgnak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjnkb32.dll" Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihclng32.dll" Kkaiqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Leimip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apoooa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfokbnip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll" Pfbelipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll" Acmhepko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnffb32.dll" Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfglke32.dll" Oohqqlei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocalkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Legmbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjnfaf.dll" Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll" Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Laegiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pminkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll" Cpnojioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpqpjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll" Kaldcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocalkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olmhdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfjbgnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlkepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mabgcd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2988 2748 433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe 28 PID 2748 wrote to memory of 2988 2748 433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe 28 PID 2748 wrote to memory of 2988 2748 433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe 28 PID 2748 wrote to memory of 2988 2748 433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe 28 PID 2988 wrote to memory of 2672 2988 Nghphaeo.exe 29 PID 2988 wrote to memory of 2672 2988 Nghphaeo.exe 29 PID 2988 wrote to memory of 2672 2988 Nghphaeo.exe 29 PID 2988 wrote to memory of 2672 2988 Nghphaeo.exe 29 PID 2672 wrote to memory of 2116 2672 Njkfpl32.exe 30 PID 2672 wrote to memory of 2116 2672 Njkfpl32.exe 30 PID 2672 wrote to memory of 2116 2672 Njkfpl32.exe 30 PID 2672 wrote to memory of 2116 2672 Njkfpl32.exe 30 PID 2116 wrote to memory of 2524 2116 Omloag32.exe 31 PID 2116 wrote to memory of 2524 2116 Omloag32.exe 31 PID 2116 wrote to memory of 2524 2116 Omloag32.exe 31 PID 2116 wrote to memory of 2524 2116 Omloag32.exe 31 PID 2524 wrote to memory of 2476 2524 Ofdcjm32.exe 32 PID 2524 wrote to memory of 2476 2524 Ofdcjm32.exe 32 PID 2524 wrote to memory of 2476 2524 Ofdcjm32.exe 32 PID 2524 wrote to memory of 2476 2524 Ofdcjm32.exe 32 PID 2476 wrote to memory of 1744 2476 Ojkboo32.exe 33 PID 2476 wrote to memory of 1744 2476 Ojkboo32.exe 33 PID 2476 wrote to memory of 1744 2476 Ojkboo32.exe 33 PID 2476 wrote to memory of 1744 2476 Ojkboo32.exe 33 PID 1744 wrote to memory of 1500 1744 Pminkk32.exe 34 PID 1744 wrote to memory of 1500 1744 Pminkk32.exe 34 PID 1744 wrote to memory of 1500 1744 Pminkk32.exe 34 PID 1744 wrote to memory of 1500 1744 Pminkk32.exe 34 PID 1500 wrote to memory of 2600 1500 Ppmdbe32.exe 35 PID 1500 wrote to memory of 2600 1500 Ppmdbe32.exe 35 PID 1500 wrote to memory of 2600 1500 Ppmdbe32.exe 35 PID 1500 wrote to memory of 2600 1500 Ppmdbe32.exe 35 PID 2600 wrote to memory of 1084 2600 Pfflopdh.exe 36 PID 2600 wrote to memory of 1084 2600 Pfflopdh.exe 36 PID 2600 wrote to memory of 1084 2600 Pfflopdh.exe 36 PID 2600 wrote to memory of 1084 2600 Pfflopdh.exe 36 PID 1084 wrote to memory of 2288 1084 Pabjem32.exe 37 PID 1084 wrote to memory of 2288 1084 Pabjem32.exe 37 PID 1084 wrote to memory of 2288 1084 Pabjem32.exe 37 PID 1084 wrote to memory of 2288 1084 Pabjem32.exe 37 PID 2288 wrote to memory of 1268 2288 Qeqbkkej.exe 38 PID 2288 wrote to memory of 1268 2288 Qeqbkkej.exe 38 PID 2288 wrote to memory of 1268 2288 Qeqbkkej.exe 38 PID 2288 wrote to memory of 1268 2288 Qeqbkkej.exe 38 PID 1268 wrote to memory of 1952 1268 Ajbdna32.exe 39 PID 1268 wrote to memory of 1952 1268 Ajbdna32.exe 39 PID 1268 wrote to memory of 1952 1268 Ajbdna32.exe 39 PID 1268 wrote to memory of 1952 1268 Ajbdna32.exe 39 PID 1952 wrote to memory of 2072 1952 Apajlhka.exe 40 PID 1952 wrote to memory of 2072 1952 Apajlhka.exe 40 PID 1952 wrote to memory of 2072 1952 Apajlhka.exe 40 PID 1952 wrote to memory of 2072 1952 Apajlhka.exe 40 PID 2072 wrote to memory of 2788 2072 Bdhhqk32.exe 41 PID 2072 wrote to memory of 2788 2072 Bdhhqk32.exe 41 PID 2072 wrote to memory of 2788 2072 Bdhhqk32.exe 41 PID 2072 wrote to memory of 2788 2072 Bdhhqk32.exe 41 PID 2788 wrote to memory of 1320 2788 Bnpmipql.exe 42 PID 2788 wrote to memory of 1320 2788 Bnpmipql.exe 42 PID 2788 wrote to memory of 1320 2788 Bnpmipql.exe 42 PID 2788 wrote to memory of 1320 2788 Bnpmipql.exe 42 PID 1320 wrote to memory of 556 1320 Ccfhhffh.exe 43 PID 1320 wrote to memory of 556 1320 Ccfhhffh.exe 43 PID 1320 wrote to memory of 556 1320 Ccfhhffh.exe 43 PID 1320 wrote to memory of 556 1320 Ccfhhffh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\433331c6666a6775686e70d50dd7cf80_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe34⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe35⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe37⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe39⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe40⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe42⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe43⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe44⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe45⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe46⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe47⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe48⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe53⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe54⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe55⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe57⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe59⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe60⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe61⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe62⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe63⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe64⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe65⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe66⤵PID:2200
-
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe67⤵PID:2064
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe68⤵PID:1004
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe69⤵
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe70⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe72⤵PID:1248
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe73⤵PID:2212
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe74⤵PID:996
-
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe75⤵PID:2864
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe77⤵PID:1892
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe78⤵PID:2412
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe79⤵PID:2604
-
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1468 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe81⤵PID:1608
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe82⤵PID:2740
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe84⤵PID:2776
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe85⤵PID:588
-
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe86⤵PID:2512
-
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe87⤵PID:1184
-
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe89⤵PID:1244
-
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe90⤵
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe92⤵PID:1552
-
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe94⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe95⤵PID:2464
-
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe96⤵PID:2516
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe97⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe98⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe99⤵PID:2452
-
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe100⤵PID:852
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe101⤵PID:1420
-
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe102⤵PID:600
-
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:284 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe104⤵PID:2152
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1304 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe106⤵PID:1724
-
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe107⤵PID:616
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1192 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe109⤵PID:2796
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe111⤵PID:2456
-
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe112⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe113⤵PID:2460
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe115⤵PID:2132
-
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe116⤵PID:668
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe117⤵PID:1760
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe118⤵PID:1636
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe119⤵
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe120⤵PID:1524
-
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe121⤵PID:2088
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-