Analysis
-
max time kernel
145s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-06-2024 05:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe
-
Size
249KB
-
MD5
33882a921be6f0aa6b5d165b1337f8c0
-
SHA1
e9a4dc49275b5341484c8c09b15ea8df1752af99
-
SHA256
c9ce87a3a3773645975e0e379710ea9aea26c3c59503978d33d24f03bc9814a6
-
SHA512
e8d123ab582c32ae8867675136f9c206469e7d86cf2386054635ec5aae720a28eabf35da1b7185326ce5fc47648c272119884cb2c48358b032a5267fecf05b76
-
SSDEEP
3072:INHA5Ev/9rARp+8Q/etUEdmjRrz3TIUV4BKxAcL5CY2VePI8C3U/XYMJ2okZk:qV390FQWSEdGTBki5CYtI8TAokZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihaldgak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglnajjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oabplobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklaipbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Booiep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaoqqflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icafgmbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkkjeeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obgkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmmhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkaoalg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlgfqldf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnckjddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idkpganf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnfmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmoofdea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjkcile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kflcok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceoooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lckbkfbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlael32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmdin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcppkbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejlnjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jogjgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaeacppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqhhanig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejpdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhglop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkaane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opmhqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jckgicnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgaoec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmqihg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbehgabe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmhjdiap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffohikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehinpnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihbdhepp.exe -
Executes dropped EXE 64 IoCs
pid Process 852 Bmnlbcfg.exe 2500 Bidlgdlk.exe 2480 Cofnjj32.exe 2612 Ckolek32.exe 2352 Cdgpnqpo.exe 3020 Dgjfek32.exe 1512 Dikogf32.exe 2328 Dinklffl.exe 2684 Ekcaonhe.exe 944 Ekfndmfb.exe 2020 Eccpoo32.exe 1036 Ejpdai32.exe 1672 Fffefjmi.exe 1616 Fkhgip32.exe 1208 Fkmqdpce.exe 2916 Gjbmelgm.exe 2144 Gcmoda32.exe 3064 Gbaken32.exe 1884 Hnkion32.exe 2148 Hnmeen32.exe 1872 Hhhgcc32.exe 276 Hjipenda.exe 2760 Iinmfk32.exe 1764 Ilofhffj.exe 2732 Iplnnd32.exe 2720 Jofejpmc.exe 2136 Jckgicnp.exe 2856 Kcmcoblm.exe 2596 Kjihalag.exe 1520 Kpcqnf32.exe 2660 Kljabgnh.exe 2428 Khabghdl.exe 1784 Kgfoie32.exe 880 Lhelbh32.exe 372 Ldllgiek.exe 2424 Lcaiiejc.exe 2688 Ljkaeo32.exe 1824 Liqoflfh.exe 1984 Mjpkqonj.exe 1772 Mfglep32.exe 1608 Mbnljqic.exe 1776 Mpamde32.exe 2940 Mjkndb32.exe 1696 Mhonngce.exe 3056 Necogkbo.exe 1580 Nmnclmoj.exe 1800 Nhdhif32.exe 2836 Nallalep.exe 2912 Njdqka32.exe 1272 Nbpeoc32.exe 2100 Nmejllia.exe 1936 Neqnqofm.exe 2620 Olkfmi32.exe 2860 Oioggmmc.exe 2712 Obgkpb32.exe 2668 Ohcdhi32.exe 2564 Oalhqohl.exe 2796 Oopijc32.exe 2340 Odmabj32.exe 2648 Oaqbln32.exe 3032 Pmgbao32.exe 1480 Pecgea32.exe 952 Pphkbj32.exe 1704 Phcpgm32.exe -
Loads dropped DLL 64 IoCs
pid Process 640 33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe 640 33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe 852 Bmnlbcfg.exe 852 Bmnlbcfg.exe 2500 Bidlgdlk.exe 2500 Bidlgdlk.exe 2480 Cofnjj32.exe 2480 Cofnjj32.exe 2612 Ckolek32.exe 2612 Ckolek32.exe 2352 Cdgpnqpo.exe 2352 Cdgpnqpo.exe 3020 Dgjfek32.exe 3020 Dgjfek32.exe 1512 Dikogf32.exe 1512 Dikogf32.exe 2328 Dinklffl.exe 2328 Dinklffl.exe 2684 Ekcaonhe.exe 2684 Ekcaonhe.exe 944 Ekfndmfb.exe 944 Ekfndmfb.exe 2020 Eccpoo32.exe 2020 Eccpoo32.exe 1036 Ejpdai32.exe 1036 Ejpdai32.exe 1672 Fffefjmi.exe 1672 Fffefjmi.exe 1616 Fkhgip32.exe 1616 Fkhgip32.exe 1208 Fkmqdpce.exe 1208 Fkmqdpce.exe 2916 Gjbmelgm.exe 2916 Gjbmelgm.exe 2144 Gcmoda32.exe 2144 Gcmoda32.exe 3064 Gbaken32.exe 3064 Gbaken32.exe 1884 Hnkion32.exe 1884 Hnkion32.exe 2148 Hnmeen32.exe 2148 Hnmeen32.exe 1872 Hhhgcc32.exe 1872 Hhhgcc32.exe 276 Hjipenda.exe 276 Hjipenda.exe 2760 Iinmfk32.exe 2760 Iinmfk32.exe 1764 Ilofhffj.exe 1764 Ilofhffj.exe 2732 Iplnnd32.exe 2732 Iplnnd32.exe 2720 Jofejpmc.exe 2720 Jofejpmc.exe 2136 Jckgicnp.exe 2136 Jckgicnp.exe 2856 Kcmcoblm.exe 2856 Kcmcoblm.exe 2596 Kjihalag.exe 2596 Kjihalag.exe 1520 Kpcqnf32.exe 1520 Kpcqnf32.exe 2660 Kljabgnh.exe 2660 Kljabgnh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ebaijflc.dll Eaheeecg.exe File opened for modification C:\Windows\SysWOW64\Lffohikd.exe Lqjfpbmm.exe File opened for modification C:\Windows\SysWOW64\Ohncdp32.exe Oemjbe32.exe File created C:\Windows\SysWOW64\Kplhfo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jmfoon32.exe Process not Found File created C:\Windows\SysWOW64\Pobghn32.dll Cnfqccna.exe File opened for modification C:\Windows\SysWOW64\Lgbdpena.exe Lgphke32.exe File created C:\Windows\SysWOW64\Oqmfaebe.dll Process not Found File created C:\Windows\SysWOW64\Iinmfk32.exe Hjipenda.exe File created C:\Windows\SysWOW64\Kocmim32.exe Kkgahoel.exe File created C:\Windows\SysWOW64\Bjngbihn.exe Bkhjamcf.exe File created C:\Windows\SysWOW64\Ibpjaagi.exe Imcaijia.exe File created C:\Windows\SysWOW64\Cgfjjigo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gfogneop.exe Fjhgidjk.exe File created C:\Windows\SysWOW64\Ijegeg32.exe Process not Found File created C:\Windows\SysWOW64\Adnomfqc.exe Process not Found File created C:\Windows\SysWOW64\Dpkmhq32.dll Process not Found File created C:\Windows\SysWOW64\Cnhnhd32.dll Nmnojp32.exe File opened for modification C:\Windows\SysWOW64\Ccecheeb.exe Cdqfgh32.exe File created C:\Windows\SysWOW64\Ajnfbp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bmnlbcfg.exe 33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Lomdcj32.exe Process not Found File created C:\Windows\SysWOW64\Lmjdia32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qgmfchei.exe Qaqnkafa.exe File opened for modification C:\Windows\SysWOW64\Bcpimq32.exe Ajehnk32.exe File opened for modification C:\Windows\SysWOW64\Hcgmfgfd.exe Hmmdin32.exe File created C:\Windows\SysWOW64\Imjjki32.dll Kimjhnnl.exe File opened for modification C:\Windows\SysWOW64\Fjkgampo.exe Process not Found File created C:\Windows\SysWOW64\Gncgbkki.exe Gieommdc.exe File opened for modification C:\Windows\SysWOW64\Dlepjbmo.exe Ddnhidmm.exe File created C:\Windows\SysWOW64\Nplkhh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eqpfchka.exe Process not Found File opened for modification C:\Windows\SysWOW64\Honnki32.exe Hcgmfgfd.exe File created C:\Windows\SysWOW64\Empphi32.exe Eplood32.exe File created C:\Windows\SysWOW64\Akmbepcb.dll Fjfjcdln.exe File opened for modification C:\Windows\SysWOW64\Agchdfmk.exe Process not Found File created C:\Windows\SysWOW64\Jjejnabb.dll Hkjnenbp.exe File created C:\Windows\SysWOW64\Jofdll32.exe Jpqgkpcl.exe File opened for modification C:\Windows\SysWOW64\Kninog32.exe Kjkehhjf.exe File created C:\Windows\SysWOW64\Nkeaemik.dll Process not Found File created C:\Windows\SysWOW64\Ahjcqcdm.exe Process not Found File created C:\Windows\SysWOW64\Edieng32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lhfnkqgk.exe Lkbmbl32.exe File created C:\Windows\SysWOW64\Oeeikk32.dll Mjkgjl32.exe File created C:\Windows\SysWOW64\Ffdilo32.exe Edcqjc32.exe File created C:\Windows\SysWOW64\Ajamfh32.exe Apkihofl.exe File created C:\Windows\SysWOW64\Oemjbe32.exe Nfhmai32.exe File created C:\Windows\SysWOW64\Neqnqofm.exe Nmejllia.exe File created C:\Windows\SysWOW64\Pdnpjc32.dll Emjhmipi.exe File opened for modification C:\Windows\SysWOW64\Aiqjao32.exe Ankedf32.exe File created C:\Windows\SysWOW64\Bafkookd.exe Bneancnc.exe File opened for modification C:\Windows\SysWOW64\Iefeaj32.exe Process not Found File created C:\Windows\SysWOW64\Jfffhk32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hgjdcghp.exe Process not Found File created C:\Windows\SysWOW64\Pliibcdi.dll Process not Found File created C:\Windows\SysWOW64\Acfmcc32.exe Agolnbok.exe File created C:\Windows\SysWOW64\Cadqllao.dll Pnihneon.exe File created C:\Windows\SysWOW64\Fnpeed32.dll Bkegah32.exe File created C:\Windows\SysWOW64\Anjaagnc.dll Ecogodlk.exe File created C:\Windows\SysWOW64\Cdkkcp32.exe Bggjjlnb.exe File created C:\Windows\SysWOW64\Fdgbbalc.dll Jpnkep32.exe File opened for modification C:\Windows\SysWOW64\Kkfhglen.exe Kheofahm.exe File created C:\Windows\SysWOW64\Okeceaep.dll Qamjmh32.exe File created C:\Windows\SysWOW64\Ngpfbjkg.dll Pdamhocm.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpioe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cflimhmp.dll" Pomhcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cifdmbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebkdqbc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beofli32.dll" Kjcedj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghgjflof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idgjqook.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepbeqa.dll" Pjblcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddqeodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbleodi.dll" Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fnoiocfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnadcd32.dll" Cqjhcfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkpefi.dll" Doabjbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfamefoo.dll" Ejpdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmcjc32.dll" Djgkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmkdhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhln32.dll" Oaogognm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiepfnbn.dll" Kijmbnpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Naihdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faconabh.dll" Haejcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dgeaoinb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmbclmp.dll" Bjoohdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfjcgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhglop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amglgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaqif32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hliieioi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll" Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhcif32.dll" Dnqhkcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cbllph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coglpp32.dll" Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inbndm32.dll" Lmfgkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Loocanbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kekgleob.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekabb32.dll" Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhknil32.dll" Dqaode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbjai32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liopnp32.dll" Nhhqfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hembji32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdqfgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hijhhl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 640 wrote to memory of 852 640 33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe 28 PID 640 wrote to memory of 852 640 33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe 28 PID 640 wrote to memory of 852 640 33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe 28 PID 640 wrote to memory of 852 640 33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe 28 PID 852 wrote to memory of 2500 852 Bmnlbcfg.exe 29 PID 852 wrote to memory of 2500 852 Bmnlbcfg.exe 29 PID 852 wrote to memory of 2500 852 Bmnlbcfg.exe 29 PID 852 wrote to memory of 2500 852 Bmnlbcfg.exe 29 PID 2500 wrote to memory of 2480 2500 Bidlgdlk.exe 30 PID 2500 wrote to memory of 2480 2500 Bidlgdlk.exe 30 PID 2500 wrote to memory of 2480 2500 Bidlgdlk.exe 30 PID 2500 wrote to memory of 2480 2500 Bidlgdlk.exe 30 PID 2480 wrote to memory of 2612 2480 Cofnjj32.exe 31 PID 2480 wrote to memory of 2612 2480 Cofnjj32.exe 31 PID 2480 wrote to memory of 2612 2480 Cofnjj32.exe 31 PID 2480 wrote to memory of 2612 2480 Cofnjj32.exe 31 PID 2612 wrote to memory of 2352 2612 Ckolek32.exe 32 PID 2612 wrote to memory of 2352 2612 Ckolek32.exe 32 PID 2612 wrote to memory of 2352 2612 Ckolek32.exe 32 PID 2612 wrote to memory of 2352 2612 Ckolek32.exe 32 PID 2352 wrote to memory of 3020 2352 Cdgpnqpo.exe 33 PID 2352 wrote to memory of 3020 2352 Cdgpnqpo.exe 33 PID 2352 wrote to memory of 3020 2352 Cdgpnqpo.exe 33 PID 2352 wrote to memory of 3020 2352 Cdgpnqpo.exe 33 PID 3020 wrote to memory of 1512 3020 Dgjfek32.exe 34 PID 3020 wrote to memory of 1512 3020 Dgjfek32.exe 34 PID 3020 wrote to memory of 1512 3020 Dgjfek32.exe 34 PID 3020 wrote to memory of 1512 3020 Dgjfek32.exe 34 PID 1512 wrote to memory of 2328 1512 Dikogf32.exe 35 PID 1512 wrote to memory of 2328 1512 Dikogf32.exe 35 PID 1512 wrote to memory of 2328 1512 Dikogf32.exe 35 PID 1512 wrote to memory of 2328 1512 Dikogf32.exe 35 PID 2328 wrote to memory of 2684 2328 Dinklffl.exe 36 PID 2328 wrote to memory of 2684 2328 Dinklffl.exe 36 PID 2328 wrote to memory of 2684 2328 Dinklffl.exe 36 PID 2328 wrote to memory of 2684 2328 Dinklffl.exe 36 PID 2684 wrote to memory of 944 2684 Ekcaonhe.exe 37 PID 2684 wrote to memory of 944 2684 Ekcaonhe.exe 37 PID 2684 wrote to memory of 944 2684 Ekcaonhe.exe 37 PID 2684 wrote to memory of 944 2684 Ekcaonhe.exe 37 PID 944 wrote to memory of 2020 944 Ekfndmfb.exe 38 PID 944 wrote to memory of 2020 944 Ekfndmfb.exe 38 PID 944 wrote to memory of 2020 944 Ekfndmfb.exe 38 PID 944 wrote to memory of 2020 944 Ekfndmfb.exe 38 PID 2020 wrote to memory of 1036 2020 Eccpoo32.exe 39 PID 2020 wrote to memory of 1036 2020 Eccpoo32.exe 39 PID 2020 wrote to memory of 1036 2020 Eccpoo32.exe 39 PID 2020 wrote to memory of 1036 2020 Eccpoo32.exe 39 PID 1036 wrote to memory of 1672 1036 Ejpdai32.exe 40 PID 1036 wrote to memory of 1672 1036 Ejpdai32.exe 40 PID 1036 wrote to memory of 1672 1036 Ejpdai32.exe 40 PID 1036 wrote to memory of 1672 1036 Ejpdai32.exe 40 PID 1672 wrote to memory of 1616 1672 Fffefjmi.exe 41 PID 1672 wrote to memory of 1616 1672 Fffefjmi.exe 41 PID 1672 wrote to memory of 1616 1672 Fffefjmi.exe 41 PID 1672 wrote to memory of 1616 1672 Fffefjmi.exe 41 PID 1616 wrote to memory of 1208 1616 Fkhgip32.exe 42 PID 1616 wrote to memory of 1208 1616 Fkhgip32.exe 42 PID 1616 wrote to memory of 1208 1616 Fkhgip32.exe 42 PID 1616 wrote to memory of 1208 1616 Fkhgip32.exe 42 PID 1208 wrote to memory of 2916 1208 Fkmqdpce.exe 43 PID 1208 wrote to memory of 2916 1208 Fkmqdpce.exe 43 PID 1208 wrote to memory of 2916 1208 Fkmqdpce.exe 43 PID 1208 wrote to memory of 2916 1208 Fkmqdpce.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\33882a921be6f0aa6b5d165b1337f8c0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe33⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe34⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe35⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe36⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe37⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe38⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe39⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe40⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe41⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe42⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe43⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe44⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe45⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe46⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe47⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe48⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe49⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe50⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe51⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe53⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe55⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe57⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe58⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe59⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe60⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe61⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe62⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe63⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe64⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe65⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe66⤵
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe67⤵PID:1304
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe68⤵PID:400
-
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe69⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe70⤵PID:1956
-
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe71⤵PID:2764
-
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe72⤵PID:956
-
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1080 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe74⤵PID:3036
-
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe75⤵PID:2584
-
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe76⤵PID:2472
-
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe77⤵PID:2652
-
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe78⤵PID:1760
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe79⤵PID:1980
-
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe80⤵PID:2532
-
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe81⤵PID:2640
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe82⤵PID:888
-
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe83⤵PID:2184
-
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe85⤵PID:3016
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe86⤵PID:1144
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe87⤵PID:1804
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe88⤵PID:1888
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe89⤵PID:568
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe90⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe91⤵PID:2324
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe92⤵PID:3024
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe93⤵PID:2580
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe94⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe95⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe96⤵PID:2952
-
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe97⤵PID:2800
-
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe98⤵PID:1076
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe99⤵PID:2284
-
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe100⤵PID:1648
-
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe101⤵PID:684
-
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe102⤵PID:600
-
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe103⤵PID:1392
-
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe104⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe105⤵PID:2256
-
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe106⤵PID:2316
-
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe107⤵PID:2936
-
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe108⤵PID:2636
-
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe110⤵PID:1996
-
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe111⤵PID:2568
-
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe112⤵PID:312
-
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe113⤵PID:936
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe114⤵PID:2744
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe115⤵PID:2028
-
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe116⤵PID:1568
-
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe117⤵PID:1756
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe118⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe119⤵PID:2240
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe120⤵PID:1720
-
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe121⤵PID:2552
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-