Analysis
-
max time kernel
139s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
24-06-2024 05:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe
-
Size
55KB
-
MD5
124abed356789a71e5d434456e003300
-
SHA1
ba23dd687b5f66fec7ad28269c328f4aa64d742e
-
SHA256
45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94
-
SHA512
fe94392b1e0c601fafa1da3a618f061795e660074646d99683f1553b3c98ad7b371a0bcc0e712c1fbb73b2d30ac6d05139d606ae7dd2cf2636fb48bbd1f9d6d9
-
SSDEEP
1536:w0lERZPqwMebf33UWZ25TcN92icNSoNSd0A3shxD6:TlEL9PPORC2icNXNW0A8hh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nohnhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfoocjfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igainn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plahag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fioija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkqqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcnlglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbflib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfbogcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnqqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocomlemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdpip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcaomf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblhgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojahnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefkjkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdooajdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifdebic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joepio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adjigg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdplq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbokmqie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpjiajeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcdkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caknol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifhbdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcolba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lganiohl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgcgmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondajnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbiciana.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldqegd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjpaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjgkjq.exe -
Executes dropped EXE 64 IoCs
pid Process 108 Hnfgphdl.exe 2156 Hccphobd.exe 2820 Inhdehbj.exe 2664 Iqgqacam.exe 2676 Igainn32.exe 2548 Ijoeji32.exe 3052 Iqimgc32.exe 2900 Ichico32.exe 2468 Ijaapifk.exe 1660 Iidbke32.exe 2856 Icjfhn32.exe 2732 Ifhbdj32.exe 316 Imbkadcl.exe 1436 Ioagno32.exe 2092 Ifkojiim.exe 2456 Imeggc32.exe 332 Ioccco32.exe 1488 Ibapoj32.exe 1904 Jeplkf32.exe 2044 Jgnhga32.exe 2328 Joepio32.exe 2292 Jnhqdkde.exe 1860 Jagmpg32.exe 1852 Jgqemakf.exe 912 Jnkmjk32.exe 2248 Jaiiff32.exe 2280 Jnmjok32.exe 2252 Jakfkfpc.exe 2780 Jcjbgaog.exe 2852 Jfhocmnk.exe 2556 Jmbgpg32.exe 2580 Jpqclb32.exe 1732 Jiigehkl.exe 2924 Jmdcfg32.exe 2288 Kcolba32.exe 1876 Kfmhol32.exe 2592 Kmgpkfab.exe 1688 Kpemgbqf.exe 2864 Kfoedl32.exe 2336 Kinaqg32.exe 2020 Knjiin32.exe 756 Kfaajlfp.exe 532 Khcnad32.exe 580 Kbhbom32.exe 812 Kakbjibo.exe 2164 Khekgc32.exe 2284 Kjcgco32.exe 1776 Kbkodl32.exe 1376 Keikqhhe.exe 1044 Lhggmchi.exe 2208 Llccmb32.exe 2404 Loapim32.exe 2796 Laplei32.exe 2968 Ldnhad32.exe 2544 Lhjdbcef.exe 2528 Lfmdnp32.exe 2936 Lkhpnnej.exe 2868 Lodlom32.exe 1580 Labhkh32.exe 1908 Ldqegd32.exe 2896 Lhlqhb32.exe 2748 Lmiipi32.exe 2068 Ladeqhjd.exe 2508 Ldcamcih.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe 2220 45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe 108 Hnfgphdl.exe 108 Hnfgphdl.exe 2156 Hccphobd.exe 2156 Hccphobd.exe 2820 Inhdehbj.exe 2820 Inhdehbj.exe 2664 Iqgqacam.exe 2664 Iqgqacam.exe 2676 Igainn32.exe 2676 Igainn32.exe 2548 Ijoeji32.exe 2548 Ijoeji32.exe 3052 Iqimgc32.exe 3052 Iqimgc32.exe 2900 Ichico32.exe 2900 Ichico32.exe 2468 Ijaapifk.exe 2468 Ijaapifk.exe 1660 Iidbke32.exe 1660 Iidbke32.exe 2856 Icjfhn32.exe 2856 Icjfhn32.exe 2732 Ifhbdj32.exe 2732 Ifhbdj32.exe 316 Imbkadcl.exe 316 Imbkadcl.exe 1436 Ioagno32.exe 1436 Ioagno32.exe 2092 Ifkojiim.exe 2092 Ifkojiim.exe 2456 Imeggc32.exe 2456 Imeggc32.exe 332 Ioccco32.exe 332 Ioccco32.exe 1488 Ibapoj32.exe 1488 Ibapoj32.exe 1904 Jeplkf32.exe 1904 Jeplkf32.exe 2044 Jgnhga32.exe 2044 Jgnhga32.exe 2328 Joepio32.exe 2328 Joepio32.exe 2292 Jnhqdkde.exe 2292 Jnhqdkde.exe 1860 Jagmpg32.exe 1860 Jagmpg32.exe 1852 Jgqemakf.exe 1852 Jgqemakf.exe 912 Jnkmjk32.exe 912 Jnkmjk32.exe 1720 Jedefejo.exe 1720 Jedefejo.exe 2280 Jnmjok32.exe 2280 Jnmjok32.exe 2252 Jakfkfpc.exe 2252 Jakfkfpc.exe 2780 Jcjbgaog.exe 2780 Jcjbgaog.exe 2852 Jfhocmnk.exe 2852 Jfhocmnk.exe 2556 Jmbgpg32.exe 2556 Jmbgpg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ldnhad32.exe Laplei32.exe File created C:\Windows\SysWOW64\Eihfjo32.exe Djefobmk.exe File opened for modification C:\Windows\SysWOW64\Igihbknb.exe Idklfpon.exe File created C:\Windows\SysWOW64\Cfahajeg.dll Ijgdngmf.exe File opened for modification C:\Windows\SysWOW64\Ccahbp32.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Cklmgb32.exe Chnqkg32.exe File created C:\Windows\SysWOW64\Lkmkpl32.dll Eqgnokip.exe File opened for modification C:\Windows\SysWOW64\Fidoim32.exe Effcma32.exe File opened for modification C:\Windows\SysWOW64\Fkckeh32.exe Fidoim32.exe File created C:\Windows\SysWOW64\Ciiqqh32.dll Jgqemakf.exe File created C:\Windows\SysWOW64\Machcjcf.dll Jfhocmnk.exe File created C:\Windows\SysWOW64\Qhooggdn.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Ahoanjcc.dll Emnndlod.exe File opened for modification C:\Windows\SysWOW64\Lahkigca.exe Lojomkdn.exe File opened for modification C:\Windows\SysWOW64\Hccphobd.exe Hnfgphdl.exe File created C:\Windows\SysWOW64\Kpemgbqf.exe Kmgpkfab.exe File opened for modification C:\Windows\SysWOW64\Kbhbom32.exe Khcnad32.exe File created C:\Windows\SysWOW64\Llnfaffc.exe Lkmjin32.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Cjlgiqbk.exe File created C:\Windows\SysWOW64\Hecjkifm.dll Dkmmhf32.exe File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe Hgbebiao.exe File opened for modification C:\Windows\SysWOW64\Jagmpg32.exe Jnhqdkde.exe File created C:\Windows\SysWOW64\Ebedndfa.exe Enihne32.exe File opened for modification C:\Windows\SysWOW64\Ghmiam32.exe Geolea32.exe File created C:\Windows\SysWOW64\Cjfccn32.exe Cghggc32.exe File created C:\Windows\SysWOW64\Llccmb32.exe Lhggmchi.exe File created C:\Windows\SysWOW64\Pnlilc32.dll Loeebl32.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Limfed32.exe File created C:\Windows\SysWOW64\Pgioaa32.exe Ppbfpd32.exe File created C:\Windows\SysWOW64\Pgicjg32.dll Eojnkg32.exe File created C:\Windows\SysWOW64\Fdilpjih.dll Egafleqm.exe File opened for modification C:\Windows\SysWOW64\Kmgpkfab.exe Kfmhol32.exe File created C:\Windows\SysWOW64\Njcbaa32.dll Dbbkja32.exe File opened for modification C:\Windows\SysWOW64\Kblhgk32.exe Kcihlong.exe File created C:\Windows\SysWOW64\Aamfnkai.exe Abjebn32.exe File opened for modification C:\Windows\SysWOW64\Eqbddk32.exe Ebodiofk.exe File created C:\Windows\SysWOW64\Oqndkj32.exe Onphoo32.exe File created C:\Windows\SysWOW64\Ofmbnkhg.exe Ocnfbo32.exe File created C:\Windows\SysWOW64\Pclfkc32.exe Pamiog32.exe File created C:\Windows\SysWOW64\Anojbobe.exe Alpmfdcb.exe File created C:\Windows\SysWOW64\Biicik32.exe Bemgilhh.exe File created C:\Windows\SysWOW64\Edpmjj32.exe Emieil32.exe File created C:\Windows\SysWOW64\Ppmdbe32.exe Plahag32.exe File created C:\Windows\SysWOW64\Ddeaalpg.exe Dqjepm32.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Ddeaalpg.exe File created C:\Windows\SysWOW64\Limilm32.dll Kcfkfo32.exe File created C:\Windows\SysWOW64\Kjcpii32.exe Kblhgk32.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hcplhi32.exe File opened for modification C:\Windows\SysWOW64\Cdikkg32.exe Cpnojioo.exe File created C:\Windows\SysWOW64\Fogilika.dll Ccngld32.exe File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe Dlgldibq.exe File created C:\Windows\SysWOW64\Afmonbqk.exe Abbbnchb.exe File created C:\Windows\SysWOW64\Jfpjfeia.dll Dmafennb.exe File created C:\Windows\SysWOW64\Ihankokm.exe Ifcbodli.exe File created C:\Windows\SysWOW64\Igmdobgi.dll Bdeeqehb.exe File created C:\Windows\SysWOW64\Dmkmmi32.dll Eplkpgnh.exe File created C:\Windows\SysWOW64\Onphoo32.exe Okalbc32.exe File opened for modification C:\Windows\SysWOW64\Ppamme32.exe Phjelg32.exe File created C:\Windows\SysWOW64\Ambmpmln.exe Ajdadamj.exe File opened for modification C:\Windows\SysWOW64\Cjndop32.exe Cfbhnaho.exe File created C:\Windows\SysWOW64\Jjjacf32.exe Igkdgk32.exe File created C:\Windows\SysWOW64\Jdjfho32.dll Dcenlceh.exe File created C:\Windows\SysWOW64\Coeidfmm.dll Labhkh32.exe File created C:\Windows\SysWOW64\Ahokfj32.exe Ailkjmpo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7484 7460 WerFault.exe 730 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpffnl32.dll" Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmgahq.dll" Bemgilhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifhbdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoffo32.dll" Jiigehkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faagpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkmfhacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjoqhah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olmhdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgaecj.dll" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgpef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddgjdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkeib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnfdcqd.dll" Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjgjmd32.dll" Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjale32.dll" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgecelp.dll" Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffoia32.dll" Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlhkl32.dll" Kkijmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngkmnacm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgljbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmndnn32.dll" Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmlpbdc.dll" Pogclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaiiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpidpbna.dll" Lkhpnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdipg32.dll" Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojbjm32.dll" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifjjk32.dll" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loapim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keanebkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cppkph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qagcpljo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnefdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palbmbbp.dll" Jeplkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqfffqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghjoa32.dll" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edkcojga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlgigdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmccegik.dll" Ocnfbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfoocjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baqbenep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knjbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckoilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmjok32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 108 2220 45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 108 2220 45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 108 2220 45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe 28 PID 2220 wrote to memory of 108 2220 45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe 28 PID 108 wrote to memory of 2156 108 Hnfgphdl.exe 29 PID 108 wrote to memory of 2156 108 Hnfgphdl.exe 29 PID 108 wrote to memory of 2156 108 Hnfgphdl.exe 29 PID 108 wrote to memory of 2156 108 Hnfgphdl.exe 29 PID 2156 wrote to memory of 2820 2156 Hccphobd.exe 30 PID 2156 wrote to memory of 2820 2156 Hccphobd.exe 30 PID 2156 wrote to memory of 2820 2156 Hccphobd.exe 30 PID 2156 wrote to memory of 2820 2156 Hccphobd.exe 30 PID 2820 wrote to memory of 2664 2820 Inhdehbj.exe 31 PID 2820 wrote to memory of 2664 2820 Inhdehbj.exe 31 PID 2820 wrote to memory of 2664 2820 Inhdehbj.exe 31 PID 2820 wrote to memory of 2664 2820 Inhdehbj.exe 31 PID 2664 wrote to memory of 2676 2664 Iqgqacam.exe 32 PID 2664 wrote to memory of 2676 2664 Iqgqacam.exe 32 PID 2664 wrote to memory of 2676 2664 Iqgqacam.exe 32 PID 2664 wrote to memory of 2676 2664 Iqgqacam.exe 32 PID 2676 wrote to memory of 2548 2676 Igainn32.exe 33 PID 2676 wrote to memory of 2548 2676 Igainn32.exe 33 PID 2676 wrote to memory of 2548 2676 Igainn32.exe 33 PID 2676 wrote to memory of 2548 2676 Igainn32.exe 33 PID 2548 wrote to memory of 3052 2548 Ijoeji32.exe 34 PID 2548 wrote to memory of 3052 2548 Ijoeji32.exe 34 PID 2548 wrote to memory of 3052 2548 Ijoeji32.exe 34 PID 2548 wrote to memory of 3052 2548 Ijoeji32.exe 34 PID 3052 wrote to memory of 2900 3052 Iqimgc32.exe 35 PID 3052 wrote to memory of 2900 3052 Iqimgc32.exe 35 PID 3052 wrote to memory of 2900 3052 Iqimgc32.exe 35 PID 3052 wrote to memory of 2900 3052 Iqimgc32.exe 35 PID 2900 wrote to memory of 2468 2900 Ichico32.exe 36 PID 2900 wrote to memory of 2468 2900 Ichico32.exe 36 PID 2900 wrote to memory of 2468 2900 Ichico32.exe 36 PID 2900 wrote to memory of 2468 2900 Ichico32.exe 36 PID 2468 wrote to memory of 1660 2468 Ijaapifk.exe 37 PID 2468 wrote to memory of 1660 2468 Ijaapifk.exe 37 PID 2468 wrote to memory of 1660 2468 Ijaapifk.exe 37 PID 2468 wrote to memory of 1660 2468 Ijaapifk.exe 37 PID 1660 wrote to memory of 2856 1660 Iidbke32.exe 38 PID 1660 wrote to memory of 2856 1660 Iidbke32.exe 38 PID 1660 wrote to memory of 2856 1660 Iidbke32.exe 38 PID 1660 wrote to memory of 2856 1660 Iidbke32.exe 38 PID 2856 wrote to memory of 2732 2856 Icjfhn32.exe 39 PID 2856 wrote to memory of 2732 2856 Icjfhn32.exe 39 PID 2856 wrote to memory of 2732 2856 Icjfhn32.exe 39 PID 2856 wrote to memory of 2732 2856 Icjfhn32.exe 39 PID 2732 wrote to memory of 316 2732 Ifhbdj32.exe 40 PID 2732 wrote to memory of 316 2732 Ifhbdj32.exe 40 PID 2732 wrote to memory of 316 2732 Ifhbdj32.exe 40 PID 2732 wrote to memory of 316 2732 Ifhbdj32.exe 40 PID 316 wrote to memory of 1436 316 Imbkadcl.exe 41 PID 316 wrote to memory of 1436 316 Imbkadcl.exe 41 PID 316 wrote to memory of 1436 316 Imbkadcl.exe 41 PID 316 wrote to memory of 1436 316 Imbkadcl.exe 41 PID 1436 wrote to memory of 2092 1436 Ioagno32.exe 42 PID 1436 wrote to memory of 2092 1436 Ioagno32.exe 42 PID 1436 wrote to memory of 2092 1436 Ioagno32.exe 42 PID 1436 wrote to memory of 2092 1436 Ioagno32.exe 42 PID 2092 wrote to memory of 2456 2092 Ifkojiim.exe 43 PID 2092 wrote to memory of 2456 2092 Ifkojiim.exe 43 PID 2092 wrote to memory of 2456 2092 Ifkojiim.exe 43 PID 2092 wrote to memory of 2456 2092 Ifkojiim.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\45ff67186b7a6d4e174c8ef97042f89a25976a383162fda00b8586332e873c94_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Hnfgphdl.exeC:\Windows\system32\Hnfgphdl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Windows\SysWOW64\Hccphobd.exeC:\Windows\system32\Hccphobd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Iqgqacam.exeC:\Windows\system32\Iqgqacam.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe28⤵
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe34⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe36⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe40⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe41⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe42⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe43⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe44⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe46⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe47⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe48⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe49⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe50⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe51⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe53⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe56⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe57⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe58⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe60⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe63⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe64⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe65⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe66⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe67⤵PID:1692
-
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe69⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe70⤵PID:1484
-
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe71⤵PID:1636
-
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe72⤵PID:868
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe73⤵PID:680
-
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe75⤵PID:1812
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe76⤵PID:1848
-
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe78⤵PID:2844
-
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe79⤵PID:2840
-
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe80⤵PID:1324
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe81⤵PID:2872
-
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe82⤵PID:1532
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe83⤵PID:1264
-
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe84⤵PID:536
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1364 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe86⤵PID:952
-
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe87⤵PID:2984
-
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe88⤵PID:2624
-
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe89⤵PID:2788
-
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe90⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe91⤵PID:2596
-
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe92⤵PID:1792
-
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe93⤵PID:3032
-
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe94⤵PID:2568
-
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe96⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe97⤵PID:2060
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe98⤵
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe99⤵PID:1988
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe100⤵PID:1496
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe102⤵PID:2496
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe103⤵PID:2244
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe104⤵PID:2692
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe105⤵PID:1964
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe106⤵PID:2708
-
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe107⤵PID:3028
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe108⤵PID:2516
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1796 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe110⤵PID:2232
-
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe111⤵PID:1444
-
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe112⤵PID:632
-
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe113⤵PID:2004
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe114⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe115⤵PID:3060
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe116⤵PID:1676
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe117⤵PID:2812
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe118⤵PID:3012
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe119⤵PID:1528
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe121⤵PID:1480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-