Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
17/06/2024, 09:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe
-
Size
96KB
-
MD5
7015634e8fce825eceefbbea753334e0
-
SHA1
62c35a30e1d40ad1ff8e2afb3eaef1492170189d
-
SHA256
8b89631b9328812e1b09d205b513bdff7c9cb4fa52391c7b76bd08f65c9a0098
-
SHA512
ad1fe16dc3796a49972fe0b16e7ce33ad80081260f58291b0012bd34fd2ab963938d1ca3ad7335904f1d30ebcac893bb2e1057f1d2805388c43022575bb0062e
-
SSDEEP
1536:VCwuJZtvzpcevYMVCGtvCpOaxObvchSEFUN+xGst0gkVduV9jojTIvjrH:VCwIzHYMsG5CpOFvPE/Grgwd69jc0vf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Midcpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odegpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keikqhhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeddafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gelppaof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgenhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcahhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnplpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmgpkfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnojdcfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfahp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqlafm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjglfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqbgfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmlpigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njgldmdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghhofmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeiieeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onphoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbkpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idblbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkaqmeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Infdolgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nleiqhcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmgpkfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Beehencq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqddldcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhqfbebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilhldfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjoqhah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpcbqk32.exe -
Executes dropped EXE 64 IoCs
pid Process 1824 Hjpike32.exe 3000 Holacm32.exe 2596 Hchmdklc.exe 2648 Hkcbhn32.exe 2492 Hamjehqk.exe 2568 Hhgbba32.exe 2516 Hoakolod.exe 2088 Hqbgfd32.exe 2632 Hhioga32.exe 2688 Hkhkcm32.exe 1212 Hqddldcp.exe 2852 Hgolhn32.exe 1524 Inhdehbj.exe 2552 Idblbb32.exe 2328 Ifdiijpe.exe 2424 Inkakhpg.exe 600 Iolmbpfe.exe 640 Iffeoj32.exe 1840 Iidbke32.exe 1180 Iqljlb32.exe 1844 Ifhbdj32.exe 1712 Iigoqe32.exe 1352 Ioagno32.exe 1864 Iclcnnji.exe 692 Infdolgh.exe 1792 Ifmlpigj.exe 1596 Jilhldfn.exe 2932 Joepio32.exe 2284 Jinead32.exe 2704 Jgqemakf.exe 2616 Jklanp32.exe 2592 Jkonco32.exe 2476 Jegble32.exe 2904 Jgenhp32.exe 1396 Jfhocmnk.exe 2672 Jmbgpg32.exe 2848 Jfkkimlh.exe 2788 Jmdcfg32.exe 1988 Kappfeln.exe 1272 Kjhdokbo.exe 3044 Kmgpkfab.exe 1724 Kcahhq32.exe 488 Kbcicmpj.exe 580 Kmimafop.exe 2944 Kbfeimng.exe 344 Kipnfged.exe 1416 Khcnad32.exe 616 Kpjfba32.exe 2212 Komfnnck.exe 2312 Kegnkh32.exe 1992 Kibjkgca.exe 1568 Kjcgco32.exe 2804 Kbkodl32.exe 2664 Kanopipl.exe 2600 Keikqhhe.exe 2000 Lhggmchi.exe 3020 Lkfciogm.exe 1100 Loapim32.exe 2524 Laplei32.exe 2840 Ldnhad32.exe 2864 Lfmdnp32.exe 1820 Lkhpnnej.exe 2056 Lodlom32.exe 1384 Lpeifeca.exe -
Loads dropped DLL 64 IoCs
pid Process 952 7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe 952 7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe 1824 Hjpike32.exe 1824 Hjpike32.exe 3000 Holacm32.exe 3000 Holacm32.exe 2596 Hchmdklc.exe 2596 Hchmdklc.exe 2648 Hkcbhn32.exe 2648 Hkcbhn32.exe 2492 Hamjehqk.exe 2492 Hamjehqk.exe 2568 Hhgbba32.exe 2568 Hhgbba32.exe 2516 Hoakolod.exe 2516 Hoakolod.exe 2088 Hqbgfd32.exe 2088 Hqbgfd32.exe 2632 Hhioga32.exe 2632 Hhioga32.exe 2688 Hkhkcm32.exe 2688 Hkhkcm32.exe 1212 Hqddldcp.exe 1212 Hqddldcp.exe 2852 Hgolhn32.exe 2852 Hgolhn32.exe 1524 Inhdehbj.exe 1524 Inhdehbj.exe 2552 Idblbb32.exe 2552 Idblbb32.exe 2328 Ifdiijpe.exe 2328 Ifdiijpe.exe 2424 Inkakhpg.exe 2424 Inkakhpg.exe 600 Iolmbpfe.exe 600 Iolmbpfe.exe 640 Iffeoj32.exe 640 Iffeoj32.exe 1840 Iidbke32.exe 1840 Iidbke32.exe 1180 Iqljlb32.exe 1180 Iqljlb32.exe 1844 Ifhbdj32.exe 1844 Ifhbdj32.exe 1712 Iigoqe32.exe 1712 Iigoqe32.exe 1352 Ioagno32.exe 1352 Ioagno32.exe 1864 Iclcnnji.exe 1864 Iclcnnji.exe 692 Infdolgh.exe 692 Infdolgh.exe 1792 Ifmlpigj.exe 1792 Ifmlpigj.exe 1596 Jilhldfn.exe 1596 Jilhldfn.exe 2932 Joepio32.exe 2932 Joepio32.exe 2284 Jinead32.exe 2284 Jinead32.exe 2704 Jgqemakf.exe 2704 Jgqemakf.exe 2616 Jklanp32.exe 2616 Jklanp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mpjoqhah.exe Magnek32.exe File opened for modification C:\Windows\SysWOW64\Gelppaof.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Pbkpna32.exe Ppmdbe32.exe File opened for modification C:\Windows\SysWOW64\Adeplhib.exe Qagcpljo.exe File created C:\Windows\SysWOW64\Aimcgn32.dll Ajphib32.exe File created C:\Windows\SysWOW64\Ejgcdb32.exe Ebpkce32.exe File created C:\Windows\SysWOW64\Filldb32.exe Ffnphf32.exe File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Flmefm32.exe File opened for modification C:\Windows\SysWOW64\Nnplpl32.exe Njdpomfe.exe File created C:\Windows\SysWOW64\Dlmdloao.dll Pcfcmd32.exe File created C:\Windows\SysWOW64\Hhgbba32.exe Hamjehqk.exe File created C:\Windows\SysWOW64\Mqeihfll.dll Njiijlbp.exe File opened for modification C:\Windows\SysWOW64\Fbgmbg32.exe Fphafl32.exe File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe Hdhbam32.exe File created C:\Windows\SysWOW64\Ajlgdf32.dll Kanopipl.exe File created C:\Windows\SysWOW64\Gmfmen32.dll Mhlmgf32.exe File created C:\Windows\SysWOW64\Mhlmgf32.exe Menakj32.exe File created C:\Windows\SysWOW64\Onphoo32.exe Oomhcbjp.exe File opened for modification C:\Windows\SysWOW64\Beehencq.exe Bbflib32.exe File opened for modification C:\Windows\SysWOW64\Idblbb32.exe Inhdehbj.exe File created C:\Windows\SysWOW64\Nqhenocn.dll Kegnkh32.exe File created C:\Windows\SysWOW64\Lhggmchi.exe Keikqhhe.exe File opened for modification C:\Windows\SysWOW64\Lpgele32.exe Ladeqhjd.exe File created C:\Windows\SysWOW64\Ogjimd32.exe Onbddoog.exe File opened for modification C:\Windows\SysWOW64\Pccfge32.exe Pminkk32.exe File opened for modification C:\Windows\SysWOW64\Cgbdhd32.exe Ccfhhffh.exe File created C:\Windows\SysWOW64\Npfpmgon.dll Kmimafop.exe File opened for modification C:\Windows\SysWOW64\Kpjfba32.exe Khcnad32.exe File created C:\Windows\SysWOW64\Mnieom32.exe Mofecpnl.exe File created C:\Windows\SysWOW64\Kedlancd.dll Ohqbqhde.exe File created C:\Windows\SysWOW64\Memeaofm.dll Dkhcmgnl.exe File opened for modification C:\Windows\SysWOW64\Inhdehbj.exe Hgolhn32.exe File opened for modification C:\Windows\SysWOW64\Jmbgpg32.exe Jfhocmnk.exe File opened for modification C:\Windows\SysWOW64\Ppamme32.exe Phjelg32.exe File created C:\Windows\SysWOW64\Dafebj32.dll Lhggmchi.exe File opened for modification C:\Windows\SysWOW64\Ncjgbcoi.exe Ndgggf32.exe File opened for modification C:\Windows\SysWOW64\Mdejaf32.exe Mpjoqhah.exe File created C:\Windows\SysWOW64\Peegic32.dll Mhqfbebj.exe File created C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe File created C:\Windows\SysWOW64\Klidkobf.dll Dkmmhf32.exe File opened for modification C:\Windows\SysWOW64\Eiomkn32.exe Eecqjpee.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fejgko32.exe File created C:\Windows\SysWOW64\Ppqqbdml.dll Mabejlob.exe File opened for modification C:\Windows\SysWOW64\Mhnjle32.exe Mdcnlglc.exe File created C:\Windows\SysWOW64\Dgaqgh32.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Iidbke32.exe Iffeoj32.exe File created C:\Windows\SysWOW64\Pelipl32.exe Pfiidobe.exe File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe Eihfjo32.exe File opened for modification C:\Windows\SysWOW64\Gdamqndn.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Nhnfkigh.exe Nbdnoo32.exe File created C:\Windows\SysWOW64\Fdfcak32.dll Nhnfkigh.exe File created C:\Windows\SysWOW64\Gafpmhio.dll Kibjkgca.exe File opened for modification C:\Windows\SysWOW64\Bhcdaibd.exe Beehencq.exe File created C:\Windows\SysWOW64\Aiifgf32.dll Inkakhpg.exe File created C:\Windows\SysWOW64\Jgenhp32.exe Jegble32.exe File opened for modification C:\Windows\SysWOW64\Lhggmchi.exe Keikqhhe.exe File created C:\Windows\SysWOW64\Mkobnqan.exe Mhqfbebj.exe File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe Gonnhhln.exe File created C:\Windows\SysWOW64\Dnljjj32.dll Hkhkcm32.exe File created C:\Windows\SysWOW64\Jfkkimlh.exe Jmbgpg32.exe File created C:\Windows\SysWOW64\Gkhqdcam.dll Ofbfdmeb.exe File created C:\Windows\SysWOW64\Aajpelhl.exe Ankdiqih.exe File created C:\Windows\SysWOW64\Aplpai32.exe Aajpelhl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4672 4656 WerFault.exe 413 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldnhad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aalmklfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldnhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflhaaje.dll" Mochnppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opanhd32.dll" Bhcdaibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maomqp32.dll" Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djpmccqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjhdo32.dll" Qbbfopeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qljkhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcehqcli.dll" Lhlqhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dchali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkhpnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gooqhm32.dll" Oojknblb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bokphdld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmchlpl.dll" Pjpkjond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfiidobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joepio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obneof32.dll" Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odgcfijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdoqc32.dll" Pjmodopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfbhnaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" Emeopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmcoja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hchmdklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jklanp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afiecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Filldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcmhiojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppmdbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odegpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmkio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dflkdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbdqmghm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" Ihoafpmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 952 wrote to memory of 1824 952 7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe 28 PID 952 wrote to memory of 1824 952 7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe 28 PID 952 wrote to memory of 1824 952 7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe 28 PID 952 wrote to memory of 1824 952 7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe 28 PID 1824 wrote to memory of 3000 1824 Hjpike32.exe 29 PID 1824 wrote to memory of 3000 1824 Hjpike32.exe 29 PID 1824 wrote to memory of 3000 1824 Hjpike32.exe 29 PID 1824 wrote to memory of 3000 1824 Hjpike32.exe 29 PID 3000 wrote to memory of 2596 3000 Holacm32.exe 30 PID 3000 wrote to memory of 2596 3000 Holacm32.exe 30 PID 3000 wrote to memory of 2596 3000 Holacm32.exe 30 PID 3000 wrote to memory of 2596 3000 Holacm32.exe 30 PID 2596 wrote to memory of 2648 2596 Hchmdklc.exe 31 PID 2596 wrote to memory of 2648 2596 Hchmdklc.exe 31 PID 2596 wrote to memory of 2648 2596 Hchmdklc.exe 31 PID 2596 wrote to memory of 2648 2596 Hchmdklc.exe 31 PID 2648 wrote to memory of 2492 2648 Hkcbhn32.exe 32 PID 2648 wrote to memory of 2492 2648 Hkcbhn32.exe 32 PID 2648 wrote to memory of 2492 2648 Hkcbhn32.exe 32 PID 2648 wrote to memory of 2492 2648 Hkcbhn32.exe 32 PID 2492 wrote to memory of 2568 2492 Hamjehqk.exe 33 PID 2492 wrote to memory of 2568 2492 Hamjehqk.exe 33 PID 2492 wrote to memory of 2568 2492 Hamjehqk.exe 33 PID 2492 wrote to memory of 2568 2492 Hamjehqk.exe 33 PID 2568 wrote to memory of 2516 2568 Hhgbba32.exe 34 PID 2568 wrote to memory of 2516 2568 Hhgbba32.exe 34 PID 2568 wrote to memory of 2516 2568 Hhgbba32.exe 34 PID 2568 wrote to memory of 2516 2568 Hhgbba32.exe 34 PID 2516 wrote to memory of 2088 2516 Hoakolod.exe 35 PID 2516 wrote to memory of 2088 2516 Hoakolod.exe 35 PID 2516 wrote to memory of 2088 2516 Hoakolod.exe 35 PID 2516 wrote to memory of 2088 2516 Hoakolod.exe 35 PID 2088 wrote to memory of 2632 2088 Hqbgfd32.exe 36 PID 2088 wrote to memory of 2632 2088 Hqbgfd32.exe 36 PID 2088 wrote to memory of 2632 2088 Hqbgfd32.exe 36 PID 2088 wrote to memory of 2632 2088 Hqbgfd32.exe 36 PID 2632 wrote to memory of 2688 2632 Hhioga32.exe 37 PID 2632 wrote to memory of 2688 2632 Hhioga32.exe 37 PID 2632 wrote to memory of 2688 2632 Hhioga32.exe 37 PID 2632 wrote to memory of 2688 2632 Hhioga32.exe 37 PID 2688 wrote to memory of 1212 2688 Hkhkcm32.exe 38 PID 2688 wrote to memory of 1212 2688 Hkhkcm32.exe 38 PID 2688 wrote to memory of 1212 2688 Hkhkcm32.exe 38 PID 2688 wrote to memory of 1212 2688 Hkhkcm32.exe 38 PID 1212 wrote to memory of 2852 1212 Hqddldcp.exe 39 PID 1212 wrote to memory of 2852 1212 Hqddldcp.exe 39 PID 1212 wrote to memory of 2852 1212 Hqddldcp.exe 39 PID 1212 wrote to memory of 2852 1212 Hqddldcp.exe 39 PID 2852 wrote to memory of 1524 2852 Hgolhn32.exe 40 PID 2852 wrote to memory of 1524 2852 Hgolhn32.exe 40 PID 2852 wrote to memory of 1524 2852 Hgolhn32.exe 40 PID 2852 wrote to memory of 1524 2852 Hgolhn32.exe 40 PID 1524 wrote to memory of 2552 1524 Inhdehbj.exe 41 PID 1524 wrote to memory of 2552 1524 Inhdehbj.exe 41 PID 1524 wrote to memory of 2552 1524 Inhdehbj.exe 41 PID 1524 wrote to memory of 2552 1524 Inhdehbj.exe 41 PID 2552 wrote to memory of 2328 2552 Idblbb32.exe 42 PID 2552 wrote to memory of 2328 2552 Idblbb32.exe 42 PID 2552 wrote to memory of 2328 2552 Idblbb32.exe 42 PID 2552 wrote to memory of 2328 2552 Idblbb32.exe 42 PID 2328 wrote to memory of 2424 2328 Ifdiijpe.exe 43 PID 2328 wrote to memory of 2424 2328 Ifdiijpe.exe 43 PID 2328 wrote to memory of 2424 2328 Ifdiijpe.exe 43 PID 2328 wrote to memory of 2424 2328 Ifdiijpe.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7015634e8fce825eceefbbea753334e0_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Hjpike32.exeC:\Windows\system32\Hjpike32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Holacm32.exeC:\Windows\system32\Holacm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Hchmdklc.exeC:\Windows\system32\Hchmdklc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Hkcbhn32.exeC:\Windows\system32\Hkcbhn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Hamjehqk.exeC:\Windows\system32\Hamjehqk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Hhgbba32.exeC:\Windows\system32\Hhgbba32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Hqbgfd32.exeC:\Windows\system32\Hqbgfd32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Hkhkcm32.exeC:\Windows\system32\Hkhkcm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ifdiijpe.exeC:\Windows\system32\Ifdiijpe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:600 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1180 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe33⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe38⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe39⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe40⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe41⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe44⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe46⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe47⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe49⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe50⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe53⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe54⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe58⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe59⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe60⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe62⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe64⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe65⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe66⤵
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe67⤵PID:1492
-
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe68⤵PID:412
-
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe70⤵PID:1848
-
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1880 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe72⤵PID:1868
-
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe73⤵PID:1896
-
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe74⤵PID:2644
-
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe75⤵PID:2940
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe76⤵PID:2456
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe77⤵PID:2340
-
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe78⤵PID:320
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe79⤵PID:1456
-
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe80⤵PID:2544
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe82⤵PID:856
-
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe83⤵PID:1004
-
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe84⤵
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe85⤵PID:2060
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe86⤵PID:1232
-
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe87⤵
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe88⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe89⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe90⤵
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe91⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe92⤵PID:2500
-
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe93⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe94⤵PID:2880
-
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe95⤵PID:1592
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe96⤵PID:2316
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe97⤵
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe99⤵PID:2964
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe101⤵PID:2332
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe102⤵PID:332
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe103⤵PID:1604
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe104⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe105⤵PID:2692
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2884 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe108⤵PID:1688
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe109⤵PID:2640
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe110⤵PID:2296
-
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1752 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe112⤵PID:1528
-
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1580 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe114⤵PID:2136
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe115⤵PID:1080
-
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe116⤵PID:2808
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe117⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe118⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe119⤵PID:2684
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe120⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe121⤵
- Drops file in System32 directory
PID:112
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-