Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 08:03

Static task: static1

Behavioral task: behavioral1
Sample: 48546110108378d83dfa4783af56ca7bc8b082eafecfcf7e02f803793099b670_NeikiAnalytics.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 48546110108378d83dfa4783af56ca7bc8b082eafecfcf7e02f803793099b670_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General

Target: 48546110108378d83dfa4783af56ca7bc8b082eafecfcf7e02f803793099b670_NeikiAnalytics.exe
Size: 226KB
MD5: 1277fc653ea677bc15bacca2b479f650
SHA1: ff980a6923f54204df6384dbd38578328716f353
SHA256: 48546110108378d83dfa4783af56ca7bc8b082eafecfcf7e02f803793099b670
SHA512: 1efdd27ef2263cd179e735112b47fac2c7738bb332543c71bf7704873056412d9e1b7e9f609a4e06c35eec6eac6f05cb855675b0de8e09d9f0660f3c5703e617
SSDEEP: 6144:Z0j7BNjXfxqySSKpRmSKeTk7eT5ABrnL8MdYg:w55IKrEAlnLAg
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3656, pid_target: 3604, Process: WerFault.exe, procid_target: 302
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Entries are listed in tree order. The bracketed number is the nesting depth; each process is the child of the entry above it, and the image path is followed by the command line the sandbox recorded.

[1] C:\Users\Admin\AppData\Local\Temp\48546110108378d83dfa4783af56ca7bc8b082eafecfcf7e02f803793099b670_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\48546110108378d83dfa4783af56ca7bc8b082eafecfcf7e02f803793099b670_NeikiAnalytics.exe"
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1860

[2] C:\Windows\SysWOW64\Ifdiijpe.exe
    Command line: C:\Windows\system32\Ifdiijpe.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1980

[3] C:\Windows\SysWOW64\Ichico32.exe
    Command line: C:\Windows\system32\Ichico32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2612

[4] C:\Windows\SysWOW64\Iqljlb32.exe
    Command line: C:\Windows\system32\Iqljlb32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2560

[5] C:\Windows\SysWOW64\Ifhbdj32.exe
    Command line: C:\Windows\system32\Ifhbdj32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2728

[6] C:\Windows\SysWOW64\Iclcnnji.exe
    Command line: C:\Windows\system32\Iclcnnji.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2744

[7] C:\Windows\SysWOW64\Iiikfehq.exe
    Command line: C:\Windows\system32\Iiikfehq.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2624

[8] C:\Windows\SysWOW64\Ibapoj32.exe
    Command line: C:\Windows\system32\Ibapoj32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1596

[9] C:\Windows\SysWOW64\Jgnhga32.exe
    Command line: C:\Windows\system32\Jgnhga32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2640

[10] C:\Windows\SysWOW64\Jagmpg32.exe
    Command line: C:\Windows\system32\Jagmpg32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 852

[11] C:\Windows\SysWOW64\Jklanp32.exe
    Command line: C:\Windows\system32\Jklanp32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1764

[12] C:\Windows\SysWOW64\Jaiiff32.exe
    Command line: C:\Windows\system32\Jaiiff32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2416

[13] C:\Windows\SysWOW64\Jjanolhg.exe
    Command line: C:\Windows\system32\Jjanolhg.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2384

[14] C:\Windows\SysWOW64\Jegble32.exe
    Command line: C:\Windows\system32\Jegble32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2028

[15] C:\Windows\SysWOW64\Jjdkdl32.exe
    Command line: C:\Windows\system32\Jjdkdl32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2644

[16] C:\Windows\SysWOW64\Jfkkimlh.exe
    Command line: C:\Windows\system32\Jfkkimlh.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1728

[17] C:\Windows\SysWOW64\Kappfeln.exe
    Command line: C:\Windows\system32\Kappfeln.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2892

[18] C:\Windows\SysWOW64\Kjhdokbo.exe
    Command line: C:\Windows\system32\Kjhdokbo.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2824

[19] C:\Windows\SysWOW64\Kpemgbqf.exe
    Command line: C:\Windows\system32\Kpemgbqf.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 288

[20] C:\Windows\SysWOW64\Kfoedl32.exe
    Command line: C:\Windows\system32\Kfoedl32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 2328

[21] C:\Windows\SysWOW64\Kebepion.exe
    Command line: C:\Windows\system32\Kebepion.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 308

[22] C:\Windows\SysWOW64\Knjiin32.exe
    Command line: C:\Windows\system32\Knjiin32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 1664

[23] C:\Windows\SysWOW64\Kfaajlfp.exe
    Command line: C:\Windows\system32\Kfaajlfp.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID: 1820

[24] C:\Windows\SysWOW64\Komfnnck.exe
    Command line: C:\Windows\system32\Komfnnck.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 892

[25] C:\Windows\SysWOW64\Kbhbom32.exe
    Command line: C:\Windows\system32\Kbhbom32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 3004

[26] C:\Windows\SysWOW64\Klqfhbbe.exe
    Command line: C:\Windows\system32\Klqfhbbe.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1408

[27] C:\Windows\SysWOW64\Koocdnai.exe
    Command line: C:\Windows\system32\Koocdnai.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2636

[28] C:\Windows\SysWOW64\Kdlkld32.exe
    Command line: C:\Windows\system32\Kdlkld32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2656

[29] C:\Windows\SysWOW64\Lmdpejfq.exe
    Command line: C:\Windows\system32\Lmdpejfq.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2788

[30] C:\Windows\SysWOW64\Lkhpnnej.exe
    Command line: C:\Windows\system32\Lkhpnnej.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2872

[31] C:\Windows\SysWOW64\Lmgmjjdn.exe
    Command line: C:\Windows\system32\Lmgmjjdn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2376

[32] C:\Windows\SysWOW64\Lgoacojo.exe
    Command line: C:\Windows\system32\Lgoacojo.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2520

[33] C:\Windows\SysWOW64\Limmokib.exe
    Command line: C:\Windows\system32\Limmokib.exe
    - Executes dropped EXE
    PID: 2272

[34] C:\Windows\SysWOW64\Lbfahp32.exe
    Command line: C:\Windows\system32\Lbfahp32.exe
    - Executes dropped EXE
    PID: 2684

[35] C:\Windows\SysWOW64\Lganiohl.exe
    Command line: C:\Windows\system32\Lganiohl.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1340

[36] C:\Windows\SysWOW64\Lmkfei32.exe
    Command line: C:\Windows\system32\Lmkfei32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1176

[37] C:\Windows\SysWOW64\Lgdjnofi.exe
    Command line: C:\Windows\system32\Lgdjnofi.exe
    - Executes dropped EXE
    PID: 348

[38] C:\Windows\SysWOW64\Libgjj32.exe
    Command line: C:\Windows\system32\Libgjj32.exe
    - Executes dropped EXE
    PID: 1352

[39] C:\Windows\SysWOW64\Mcjkcplm.exe
    Command line: C:\Windows\system32\Mcjkcplm.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID: 2036

[40] C:\Windows\SysWOW64\Mhgclfje.exe
    Command line: C:\Windows\system32\Mhgclfje.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2932

[41] C:\Windows\SysWOW64\Mpolmdkg.exe
    Command line: C:\Windows\system32\Mpolmdkg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2152

[42] C:\Windows\SysWOW64\Mhjpaf32.exe
    Command line: C:\Windows\system32\Mhjpaf32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 320

[43] C:\Windows\SysWOW64\Mkhmma32.exe
    Command line: C:\Windows\system32\Mkhmma32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 688

[44] C:\Windows\SysWOW64\Mcodno32.exe
    Command line: C:\Windows\system32\Mcodno32.exe
    - Executes dropped EXE
    PID: 2224

[45] C:\Windows\SysWOW64\Menakj32.exe
    Command line: C:\Windows\system32\Menakj32.exe
    - Executes dropped EXE
    PID: 832

[46] C:\Windows\SysWOW64\Mhlmgf32.exe
    Command line: C:\Windows\system32\Mhlmgf32.exe
    - Executes dropped EXE
    PID: 1856

[47] C:\Windows\SysWOW64\Mofecpnl.exe
    Command line: C:\Windows\system32\Mofecpnl.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 1692

[48] C:\Windows\SysWOW64\Mnieom32.exe
    Command line: C:\Windows\system32\Mnieom32.exe
    - Executes dropped EXE
    PID: 1892

[49] C:\Windows\SysWOW64\Mepnpj32.exe
    Command line: C:\Windows\system32\Mepnpj32.exe
    - Executes dropped EXE
    PID: 860

[50] C:\Windows\SysWOW64\Mhnjle32.exe
    Command line: C:\Windows\system32\Mhnjle32.exe
    - Executes dropped EXE
    PID: 940

[51] C:\Windows\SysWOW64\Mkmfhacp.exe
    Command line: C:\Windows\system32\Mkmfhacp.exe
    - Executes dropped EXE
    PID: 2316

[52] C:\Windows\SysWOW64\Magnek32.exe
    Command line: C:\Windows\system32\Magnek32.exe
    - Executes dropped EXE
    PID: 2584

[53] C:\Windows\SysWOW64\Mdejaf32.exe
    Command line: C:\Windows\system32\Mdejaf32.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 1648

[54] C:\Windows\SysWOW64\Mgcgmb32.exe
    Command line: C:\Windows\system32\Mgcgmb32.exe
    - Executes dropped EXE
    PID: 2476

[55] C:\Windows\SysWOW64\Njbcim32.exe
    Command line: C:\Windows\system32\Njbcim32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2132

[56] C:\Windows\SysWOW64\Naikkk32.exe
    Command line: C:\Windows\system32\Naikkk32.exe
    - Executes dropped EXE
    PID: 2428

[57] C:\Windows\SysWOW64\Ncjgbcoi.exe
    Command line: C:\Windows\system32\Ncjgbcoi.exe
    - Executes dropped EXE
    PID: 2968

[58] C:\Windows\SysWOW64\Ngfcca32.exe
    Command line: C:\Windows\system32\Ngfcca32.exe
    - Executes dropped EXE
    PID: 2700

[59] C:\Windows\SysWOW64\Njdpomfe.exe
    Command line: C:\Windows\system32\Njdpomfe.exe
    - Executes dropped EXE
    PID: 1772

[60] C:\Windows\SysWOW64\Nlblkhei.exe
    Command line: C:\Windows\system32\Nlblkhei.exe
    - Executes dropped EXE
    PID: 836

[61] C:\Windows\SysWOW64\Ndjdlffl.exe
    Command line: C:\Windows\system32\Ndjdlffl.exe
    - Executes dropped EXE
    PID: 840

[62] C:\Windows\SysWOW64\Nghphaeo.exe
    Command line: C:\Windows\system32\Nghphaeo.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 2760

[63] C:\Windows\SysWOW64\Nnbhek32.exe
    Command line: C:\Windows\system32\Nnbhek32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID: 1884

[64] C:\Windows\SysWOW64\Nqqdag32.exe
    Command line: C:\Windows\system32\Nqqdag32.exe
    - Executes dropped EXE
    PID: 488

[65] C:\Windows\SysWOW64\Nocemcbj.exe
    Command line: C:\Windows\system32\Nocemcbj.exe
    - Executes dropped EXE
    - Modifies registry class
    PID: 948

[66] C:\Windows\SysWOW64\Nfmmin32.exe
    Command line: C:\Windows\system32\Nfmmin32.exe
    - Drops file in System32 directory
    PID: 292

[67] C:\Windows\SysWOW64\Nhlifi32.exe
    Command line: C:\Windows\system32\Nhlifi32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 1240

[68] C:\Windows\SysWOW64\Nofabc32.exe
    Command line: C:\Windows\system32\Nofabc32.exe
    PID: 920

[69] C:\Windows\SysWOW64\Nbdnoo32.exe
    Command line: C:\Windows\system32\Nbdnoo32.exe
    - Drops file in System32 directory
    PID: 2904

[70] C:\Windows\SysWOW64\Nhnfkigh.exe
    Command line: C:\Windows\system32\Nhnfkigh.exe
    - Drops file in System32 directory
    PID: 3028

[71] C:\Windows\SysWOW64\Nkmbgdfl.exe
    Command line: C:\Windows\system32\Nkmbgdfl.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 2616

[72] C:\Windows\SysWOW64\Nccjhafn.exe
    Command line: C:\Windows\system32\Nccjhafn.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 2532

[73] C:\Windows\SysWOW64\Ofbfdmeb.exe
    Command line: C:\Windows\system32\Ofbfdmeb.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 2016

[74] C:\Windows\SysWOW64\Omloag32.exe
    Command line: C:\Windows\system32\Omloag32.exe
    PID: 1008

[75] C:\Windows\SysWOW64\Okoomd32.exe
    Command line: C:\Windows\system32\Okoomd32.exe
    PID: 2244

[76] C:\Windows\SysWOW64\Onmkio32.exe
    Command line: C:\Windows\system32\Onmkio32.exe
    - Drops file in System32 directory
    PID: 1504

[77] C:\Windows\SysWOW64\Odgcfijj.exe
    Command line: C:\Windows\system32\Odgcfijj.exe
    - Drops file in System32 directory
    PID: 2840

[78] C:\Windows\SysWOW64\Okalbc32.exe
    Command line: C:\Windows\system32\Okalbc32.exe
    PID: 1624

[79] C:\Windows\SysWOW64\Obkdonic.exe
    Command line: C:\Windows\system32\Obkdonic.exe
    PID: 1056

[80] C:\Windows\SysWOW64\Odjpkihg.exe
    Command line: C:\Windows\system32\Odjpkihg.exe
    PID: 396

[81] C:\Windows\SysWOW64\Oghlgdgk.exe
    Command line: C:\Windows\system32\Oghlgdgk.exe
    PID: 1016

[82] C:\Windows\SysWOW64\Ojficpfn.exe
    Command line: C:\Windows\system32\Ojficpfn.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 2072

[83] C:\Windows\SysWOW64\Onbddoog.exe
    Command line: C:\Windows\system32\Onbddoog.exe
    PID: 1712

[84] C:\Windows\SysWOW64\Oqqapjnk.exe
    Command line: C:\Windows\system32\Oqqapjnk.exe
    PID: 1520

[85] C:\Windows\SysWOW64\Ocomlemo.exe
    Command line: C:\Windows\system32\Ocomlemo.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2668

[86] C:\Windows\SysWOW64\Okfencna.exe
    Command line: C:\Windows\system32\Okfencna.exe
    PID: 2740

[87] C:\Windows\SysWOW64\Ojieip32.exe
    Command line: C:\Windows\system32\Ojieip32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 2500

[88] C:\Windows\SysWOW64\Omgaek32.exe
    Command line: C:\Windows\system32\Omgaek32.exe
    PID: 884

[89] C:\Windows\SysWOW64\Ocajbekl.exe
    Command line: C:\Windows\system32\Ocajbekl.exe
    - Drops file in System32 directory
    PID: 2576

[90] C:\Windows\SysWOW64\Ofpfnqjp.exe
    Command line: C:\Windows\system32\Ofpfnqjp.exe
    - Drops file in System32 directory
    PID: 1704

[91] C:\Windows\SysWOW64\Ojkboo32.exe
    Command line: C:\Windows\system32\Ojkboo32.exe
    - Modifies registry class
    PID: 2820

[92] C:\Windows\SysWOW64\Pminkk32.exe
    Command line: C:\Windows\system32\Pminkk32.exe
    - Modifies registry class
    PID: 2044

[93] C:\Windows\SysWOW64\Paejki32.exe
    Command line: C:\Windows\system32\Paejki32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 2852

[94] C:\Windows\SysWOW64\Pphjgfqq.exe
    Command line: C:\Windows\system32\Pphjgfqq.exe
    - Drops file in System32 directory
    PID: 492

[95] C:\Windows\SysWOW64\Pgobhcac.exe
    Command line: C:\Windows\system32\Pgobhcac.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 1808

[96] C:\Windows\SysWOW64\Pjmodopf.exe
    Command line: C:\Windows\system32\Pjmodopf.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 1916

[97] C:\Windows\SysWOW64\Pipopl32.exe
    Command line: C:\Windows\system32\Pipopl32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 444

[98] C:\Windows\SysWOW64\Paggai32.exe
    Command line: C:\Windows\system32\Paggai32.exe
    - Modifies registry class
    PID: 2296

[99] C:\Windows\SysWOW64\Pbiciana.exe
    Command line: C:\Windows\system32\Pbiciana.exe
    PID: 1984

[100] C:\Windows\SysWOW64\Pfdpip32.exe
    Command line: C:\Windows\system32\Pfdpip32.exe
    - Drops file in System32 directory
    PID: 2596

[101] C:\Windows\SysWOW64\Pjpkjond.exe
    Command line: C:\Windows\system32\Pjpkjond.exe
    PID: 2488

[102] C:\Windows\SysWOW64\Pmnhfjmg.exe
    Command line: C:\Windows\system32\Pmnhfjmg.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 2508

[103] C:\Windows\SysWOW64\Ppmdbe32.exe
    Command line: C:\Windows\system32\Ppmdbe32.exe
    PID: 2464

[104] C:\Windows\SysWOW64\Pbkpna32.exe
    Command line: C:\Windows\system32\Pbkpna32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 1768

[105] C:\Windows\SysWOW64\Peiljl32.exe
    Command line: C:\Windows\system32\Peiljl32.exe
    PID: 1452

[106] C:\Windows\SysWOW64\Plcdgfbo.exe
    Command line: C:\Windows\system32\Plcdgfbo.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 1556

[107] C:\Windows\SysWOW64\Pbmmcq32.exe
    Command line: C:\Windows\system32\Pbmmcq32.exe
    PID: 1668

[108] C:\Windows\SysWOW64\Pfiidobe.exe
    Command line: C:\Windows\system32\Pfiidobe.exe
    PID: 580

[109] C:\Windows\SysWOW64\Pelipl32.exe
    Command line: C:\Windows\system32\Pelipl32.exe
    PID: 1096

[110] C:\Windows\SysWOW64\Plfamfpm.exe
    Command line: C:\Windows\system32\Plfamfpm.exe
    PID: 1548

[111] C:\Windows\SysWOW64\Plfamfpm.exe
    Command line: C:\Windows\system32\Plfamfpm.exe
    PID: 2216

[112] C:\Windows\SysWOW64\Pndniaop.exe
    Command line: C:\Windows\system32\Pndniaop.exe
    - Modifies registry class
    PID: 2220

[113] C:\Windows\SysWOW64\Pbpjiphi.exe
    Command line: C:\Windows\system32\Pbpjiphi.exe
    - Modifies registry class
    PID: 2660

[114] C:\Windows\SysWOW64\Penfelgm.exe
    Command line: C:\Windows\system32\Penfelgm.exe
    PID: 2972

[115] C:\Windows\SysWOW64\Qhmbagfa.exe
    Command line: C:\Windows\system32\Qhmbagfa.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 2812

[116] C:\Windows\SysWOW64\Qbbfopeg.exe
    Command line: C:\Windows\system32\Qbbfopeg.exe
    PID: 1416

[117] C:\Windows\SysWOW64\Qeqbkkej.exe
    Command line: C:\Windows\system32\Qeqbkkej.exe
    PID: 1612

[118] C:\Windows\SysWOW64\Qdccfh32.exe
    Command line: C:\Windows\system32\Qdccfh32.exe
    - Modifies registry class
    PID: 2832

[119] C:\Windows\SysWOW64\Qhooggdn.exe
    Command line: C:\Windows\system32\Qhooggdn.exe
    - Drops file in System32 directory
    PID: 2032

[120] C:\Windows\SysWOW64\Qnigda32.exe
    Command line: C:\Windows\system32\Qnigda32.exe
    - Drops file in System32 directory
    - Modifies registry class
    PID: 1568

[121] C:\Windows\SysWOW64\Qagcpljo.exe
    Command line: C:\Windows\system32\Qagcpljo.exe
    - Modifies registry class
    PID: 2868

[122] C:\Windows\SysWOW64\Ahakmf32.exe
    Command line: C:\Windows\system32\Ahakmf32.exe
    PID: 744