Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 01:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe
-
Size
430KB
-
MD5
4e6043c4f03cb07feb05a0adfb1aa8f0
-
SHA1
83ab143b763e53f135928c326627c17e38ad8beb
-
SHA256
54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a
-
SHA512
365f7190018b0a1116bb98af665bb767420cd9a51d82b2fb3f9a72bb55af7dbeb1ac49cf79ef691eded55668e515368325d74bc4ff70cd912430ca6772e06c9d
-
SSDEEP
6144:HCRbE6hO5LNRs+HLlD0rN2ZwVht740Psz:HCRbEaOHpoxso
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egchmfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhdlad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgddam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nllbdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlldmimi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijbco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmfjmake.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodahk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfqfpop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmcilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdhck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdcbjal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepjoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iejkhlip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjlnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acbieing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clclhmin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhmkbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhieo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfidjbdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdemk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibadnhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkfmmqj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklnggjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmabj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knikfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alofnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihcdkom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kechdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepjjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdcbmbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkihofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjolpkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmbgageq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieligmho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddjhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfhpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dckcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmhhae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjcfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmojkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngdjaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqqnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfgiabg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmohjooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omonmpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajbke32.exe -
Executes dropped EXE 64 IoCs
pid Process 2160 Dakmfh32.exe 3020 Eapfagno.exe 2760 Enkpahon.exe 2972 Foafdoag.exe 2732 Ffmkfifa.exe 2468 Gqlebf32.exe 2892 Gqnbhf32.exe 2456 Hnmeen32.exe 1532 Hnpbjnpo.exe 2868 Iegjqk32.exe 1952 Iiecgjba.exe 2200 Jhlmmfef.exe 1728 Jdhgnf32.exe 1468 Kjihalag.exe 1624 Knnkpobc.exe 1492 Mejlalji.exe 1324 Mihdgkpp.exe 1300 Necogkbo.exe 868 Nfdkoc32.exe 1392 Nmqpam32.exe 2140 Nfidjbdg.exe 892 Nbpeoc32.exe 1524 Oiljam32.exe 2944 Obgkpb32.exe 1764 Ohcdhi32.exe 2996 Ohfqmi32.exe 2236 Odmabj32.exe 2400 Ppcbgkka.exe 2928 Pgpgjepk.exe 2816 Palepb32.exe 2684 Plaimk32.exe 2920 Qgmfchei.exe 2612 Qhmcmk32.exe 2900 Adfqgl32.exe 1288 Ajeeeblb.exe 1308 Acnjnh32.exe 2536 Bfncpcoc.exe 1820 Biaign32.exe 1936 Bammlq32.exe 2572 Bnqned32.exe 836 Bflbigdb.exe 1292 Cjjkpe32.exe 2220 Cfpldf32.exe 2376 Cpiqmlfm.exe 2840 Ciaefa32.exe 3008 Cbiiog32.exe 1004 Cpmjhk32.exe 1528 Difnaqih.exe 304 Ddpobo32.exe 3068 Doecog32.exe 2040 Dogpdg32.exe 872 Dddimn32.exe 1556 Dpkibo32.exe 1588 Dmojkc32.exe 2620 Eknmhk32.exe 2676 Fajbke32.exe 2776 Fcphnm32.exe 2636 Fnflke32.exe 2596 Fjlmpfhg.exe 920 Gfcnegnk.exe 888 Golbnm32.exe 2784 Gkbcbn32.exe 1252 Gfhgpg32.exe 2180 Gncldi32.exe -
Loads dropped DLL 64 IoCs
pid Process 1916 54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe 1916 54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe 2160 Dakmfh32.exe 2160 Dakmfh32.exe 3020 Eapfagno.exe 3020 Eapfagno.exe 2760 Enkpahon.exe 2760 Enkpahon.exe 2972 Foafdoag.exe 2972 Foafdoag.exe 2732 Ffmkfifa.exe 2732 Ffmkfifa.exe 2468 Gqlebf32.exe 2468 Gqlebf32.exe 2892 Gqnbhf32.exe 2892 Gqnbhf32.exe 2456 Hnmeen32.exe 2456 Hnmeen32.exe 1532 Hnpbjnpo.exe 1532 Hnpbjnpo.exe 2868 Iegjqk32.exe 2868 Iegjqk32.exe 1952 Iiecgjba.exe 1952 Iiecgjba.exe 2200 Jhlmmfef.exe 2200 Jhlmmfef.exe 1728 Jdhgnf32.exe 1728 Jdhgnf32.exe 1468 Kjihalag.exe 1468 Kjihalag.exe 1624 Knnkpobc.exe 1624 Knnkpobc.exe 1492 Mejlalji.exe 1492 Mejlalji.exe 1324 Mihdgkpp.exe 1324 Mihdgkpp.exe 1300 Necogkbo.exe 1300 Necogkbo.exe 868 Nfdkoc32.exe 868 Nfdkoc32.exe 1392 Nmqpam32.exe 1392 Nmqpam32.exe 2140 Nfidjbdg.exe 2140 Nfidjbdg.exe 892 Nbpeoc32.exe 892 Nbpeoc32.exe 1524 Oiljam32.exe 1524 Oiljam32.exe 2944 Obgkpb32.exe 2944 Obgkpb32.exe 1764 Ohcdhi32.exe 1764 Ohcdhi32.exe 2996 Ohfqmi32.exe 2996 Ohfqmi32.exe 2236 Odmabj32.exe 2236 Odmabj32.exe 2400 Ppcbgkka.exe 2400 Ppcbgkka.exe 2928 Pgpgjepk.exe 2928 Pgpgjepk.exe 2816 Palepb32.exe 2816 Palepb32.exe 2684 Plaimk32.exe 2684 Plaimk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jfdmbl32.dll Ieligmho.exe File opened for modification C:\Windows\SysWOW64\Ifoljn32.exe Iabcbg32.exe File created C:\Windows\SysWOW64\Klbfbg32.exe Kbjbibli.exe File created C:\Windows\SysWOW64\Fcqmpn32.dll Process not Found File created C:\Windows\SysWOW64\Djiqdb32.exe Dpcmgi32.exe File opened for modification C:\Windows\SysWOW64\Limhpihl.exe Lcppgbjd.exe File created C:\Windows\SysWOW64\Glneao32.dll Ldkeoo32.exe File created C:\Windows\SysWOW64\Ckilmfke.exe Process not Found File created C:\Windows\SysWOW64\Idgcbbda.dll Bammlq32.exe File opened for modification C:\Windows\SysWOW64\Fmaqgaae.exe Fladmn32.exe File opened for modification C:\Windows\SysWOW64\Emkfmioh.exe Dpgedepn.exe File created C:\Windows\SysWOW64\Ladpkl32.dll Mmgfqh32.exe File created C:\Windows\SysWOW64\Gqlhkofn.exe Gnkoid32.exe File created C:\Windows\SysWOW64\Fbaghgop.dll Agkako32.exe File created C:\Windows\SysWOW64\Bnlphh32.exe Bkkgfm32.exe File created C:\Windows\SysWOW64\Gapoob32.exe Glcfgk32.exe File created C:\Windows\SysWOW64\Oelnfp32.dll Fdlqjf32.exe File opened for modification C:\Windows\SysWOW64\Aniffaim.exe Apeflmjc.exe File created C:\Windows\SysWOW64\Hbidne32.exe Hbggif32.exe File created C:\Windows\SysWOW64\Lqcmmc32.dll Anhpkg32.exe File created C:\Windows\SysWOW64\Oidqcdjh.dll Kaliaphd.exe File created C:\Windows\SysWOW64\Hmbehilp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mjcljlea.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pifbjn32.exe Ppnnai32.exe File created C:\Windows\SysWOW64\Jalolq32.dll Jjijkmbi.exe File opened for modification C:\Windows\SysWOW64\Fljfdd32.exe Fadagl32.exe File created C:\Windows\SysWOW64\Jenbjc32.exe Inbnhihl.exe File opened for modification C:\Windows\SysWOW64\Hcfenn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mndhnd32.exe Mlelda32.exe File opened for modification C:\Windows\SysWOW64\Lbagpp32.exe Lfkfkopk.exe File created C:\Windows\SysWOW64\Bfbjdf32.exe Binikb32.exe File created C:\Windows\SysWOW64\Joicje32.exe Jepoao32.exe File created C:\Windows\SysWOW64\Jehlkhig.exe Jhdlad32.exe File created C:\Windows\SysWOW64\Dakfkb32.dll Oplgeoea.exe File opened for modification C:\Windows\SysWOW64\Flabdecn.exe Fmlecinf.exe File created C:\Windows\SysWOW64\Gchhdfem.dll Qjgjpi32.exe File created C:\Windows\SysWOW64\Jcdfbkkf.dll Ophanl32.exe File created C:\Windows\SysWOW64\Nhmcad32.dll Lilfgq32.exe File opened for modification C:\Windows\SysWOW64\Hganjo32.exe Hgoadp32.exe File created C:\Windows\SysWOW64\Clkfjman.exe Ciknhb32.exe File opened for modification C:\Windows\SysWOW64\Cmdcngbd.exe Cnogmk32.exe File created C:\Windows\SysWOW64\Pafpjljk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pepcelel.exe Phlclgfc.exe File created C:\Windows\SysWOW64\Nknnnoph.exe Nddeae32.exe File opened for modification C:\Windows\SysWOW64\Dcepgh32.exe Doamhe32.exe File created C:\Windows\SysWOW64\Gpccle32.dll Aebobgmi.exe File created C:\Windows\SysWOW64\Ogomoj32.dll Bgddam32.exe File created C:\Windows\SysWOW64\Ihdhmkjd.dll Pqjhjf32.exe File created C:\Windows\SysWOW64\Kennjb32.dll Bnqcaffa.exe File created C:\Windows\SysWOW64\Igogan32.dll Nfidjbdg.exe File created C:\Windows\SysWOW64\Dgiaefgg.exe Ckbpqe32.exe File created C:\Windows\SysWOW64\Jajdfk32.dll Cjbmll32.exe File created C:\Windows\SysWOW64\Hnkbglmp.dll Kbjbibli.exe File created C:\Windows\SysWOW64\Bholhi32.dll Ncggifep.exe File created C:\Windows\SysWOW64\Gmmgobfd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hmmbqegc.exe Hcdnhoac.exe File opened for modification C:\Windows\SysWOW64\Ojeobm32.exe Olpbaa32.exe File created C:\Windows\SysWOW64\Embkbdce.exe Epnkip32.exe File opened for modification C:\Windows\SysWOW64\Bnkmakbb.exe Bfphmi32.exe File opened for modification C:\Windows\SysWOW64\Mejlalji.exe Knnkpobc.exe File created C:\Windows\SysWOW64\Lcofio32.exe Lboiol32.exe File created C:\Windows\SysWOW64\Klaggn32.dll Godhgedg.exe File created C:\Windows\SysWOW64\Mfokoe32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Eapfagno.exe Dakmfh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3044 4112 Process not Found 1195 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajdfk32.dll" Cjbmll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcbookpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Godhgedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppqqbjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjqmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfapejnp.dll" Pgpgjepk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaebfdba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idemkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olobcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojmbgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdlmb32.dll" Dkjhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ododdlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqddcdbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgdqaf32.dll" Hajdniep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcdbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjdnlob.dll" Iamdkfnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibejfffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihieg32.dll" Knmghb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idokma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhkhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadmjo32.dll" Pncljmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacjlp32.dll" Njnokdaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihpfhhme.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll" Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfonlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjgnb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghbljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liaeleak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pelnniga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqddcdbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmijgfa.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blaobmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnfipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfocnoae.dll" Njopgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aakhkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khkdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpkfa32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbgiha32.dll" Golbnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaehnfoi.dll" Mlejkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckgmon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjcedj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Immkiodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkmakbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgdkphm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhapjlg.dll" Dakmfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpemhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpgglifo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjnhnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphfbiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogliemkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebfqfpop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhhominh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapecq32.dll" Ohfqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1916 wrote to memory of 2160 1916 54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe 28 PID 1916 wrote to memory of 2160 1916 54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe 28 PID 1916 wrote to memory of 2160 1916 54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe 28 PID 1916 wrote to memory of 2160 1916 54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe 28 PID 2160 wrote to memory of 3020 2160 Dakmfh32.exe 29 PID 2160 wrote to memory of 3020 2160 Dakmfh32.exe 29 PID 2160 wrote to memory of 3020 2160 Dakmfh32.exe 29 PID 2160 wrote to memory of 3020 2160 Dakmfh32.exe 29 PID 3020 wrote to memory of 2760 3020 Eapfagno.exe 30 PID 3020 wrote to memory of 2760 3020 Eapfagno.exe 30 PID 3020 wrote to memory of 2760 3020 Eapfagno.exe 30 PID 3020 wrote to memory of 2760 3020 Eapfagno.exe 30 PID 2760 wrote to memory of 2972 2760 Enkpahon.exe 31 PID 2760 wrote to memory of 2972 2760 Enkpahon.exe 31 PID 2760 wrote to memory of 2972 2760 Enkpahon.exe 31 PID 2760 wrote to memory of 2972 2760 Enkpahon.exe 31 PID 2972 wrote to memory of 2732 2972 Foafdoag.exe 32 PID 2972 wrote to memory of 2732 2972 Foafdoag.exe 32 PID 2972 wrote to memory of 2732 2972 Foafdoag.exe 32 PID 2972 wrote to memory of 2732 2972 Foafdoag.exe 32 PID 2732 wrote to memory of 2468 2732 Ffmkfifa.exe 33 PID 2732 wrote to memory of 2468 2732 Ffmkfifa.exe 33 PID 2732 wrote to memory of 2468 2732 Ffmkfifa.exe 33 PID 2732 wrote to memory of 2468 2732 Ffmkfifa.exe 33 PID 2468 wrote to memory of 2892 2468 Gqlebf32.exe 34 PID 2468 wrote to memory of 2892 2468 Gqlebf32.exe 34 PID 2468 wrote to memory of 2892 2468 Gqlebf32.exe 34 PID 2468 wrote to memory of 2892 2468 Gqlebf32.exe 34 PID 2892 wrote to memory of 2456 2892 Gqnbhf32.exe 35 PID 2892 wrote to memory of 2456 2892 Gqnbhf32.exe 35 PID 2892 wrote to memory of 2456 2892 Gqnbhf32.exe 35 PID 2892 wrote to memory of 2456 2892 Gqnbhf32.exe 35 PID 2456 wrote to memory of 1532 2456 Hnmeen32.exe 36 PID 2456 wrote to memory of 1532 2456 Hnmeen32.exe 36 PID 2456 wrote to memory of 1532 2456 Hnmeen32.exe 36 PID 2456 wrote to memory of 1532 2456 Hnmeen32.exe 36 PID 1532 wrote to memory of 2868 1532 Hnpbjnpo.exe 37 PID 1532 wrote to memory of 2868 1532 Hnpbjnpo.exe 37 PID 1532 wrote to memory of 2868 1532 Hnpbjnpo.exe 37 PID 1532 wrote to memory of 2868 1532 Hnpbjnpo.exe 37 PID 2868 wrote to memory of 1952 2868 Iegjqk32.exe 38 PID 2868 wrote to memory of 1952 2868 Iegjqk32.exe 38 PID 2868 wrote to memory of 1952 2868 Iegjqk32.exe 38 PID 2868 wrote to memory of 1952 2868 Iegjqk32.exe 38 PID 1952 wrote to memory of 2200 1952 Iiecgjba.exe 39 PID 1952 wrote to memory of 2200 1952 Iiecgjba.exe 39 PID 1952 wrote to memory of 2200 1952 Iiecgjba.exe 39 PID 1952 wrote to memory of 2200 1952 Iiecgjba.exe 39 PID 2200 wrote to memory of 1728 2200 Jhlmmfef.exe 40 PID 2200 wrote to memory of 1728 2200 Jhlmmfef.exe 40 PID 2200 wrote to memory of 1728 2200 Jhlmmfef.exe 40 PID 2200 wrote to memory of 1728 2200 Jhlmmfef.exe 40 PID 1728 wrote to memory of 1468 1728 Jdhgnf32.exe 41 PID 1728 wrote to memory of 1468 1728 Jdhgnf32.exe 41 PID 1728 wrote to memory of 1468 1728 Jdhgnf32.exe 41 PID 1728 wrote to memory of 1468 1728 Jdhgnf32.exe 41 PID 1468 wrote to memory of 1624 1468 Kjihalag.exe 42 PID 1468 wrote to memory of 1624 1468 Kjihalag.exe 42 PID 1468 wrote to memory of 1624 1468 Kjihalag.exe 42 PID 1468 wrote to memory of 1624 1468 Kjihalag.exe 42 PID 1624 wrote to memory of 1492 1624 Knnkpobc.exe 43 PID 1624 wrote to memory of 1492 1624 Knnkpobc.exe 43 PID 1624 wrote to memory of 1492 1624 Knnkpobc.exe 43 PID 1624 wrote to memory of 1492 1624 Knnkpobc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\54720b572db1a75ea6bfed6557276254f12a8ab51fa2fe4455194715c34e8c6a_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe33⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe34⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe35⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe36⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe37⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe38⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe39⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe41⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe42⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe43⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe44⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe45⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe46⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe47⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe48⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe49⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe50⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe51⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe52⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe53⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe54⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe56⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe58⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe59⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe60⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe61⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe63⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe64⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe65⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe66⤵PID:616
-
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe67⤵PID:2032
-
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe68⤵PID:432
-
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe69⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe70⤵PID:1092
-
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe71⤵PID:2364
-
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe72⤵PID:752
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe73⤵PID:2352
-
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe74⤵PID:1744
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe75⤵PID:1920
-
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe76⤵PID:2568
-
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe77⤵PID:2248
-
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe78⤵PID:1152
-
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe79⤵PID:2332
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe80⤵PID:2904
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe81⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe82⤵PID:2740
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe83⤵PID:1660
-
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe84⤵PID:2184
-
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe85⤵PID:1760
-
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe86⤵PID:2280
-
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe88⤵PID:2172
-
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe89⤵PID:968
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe90⤵PID:2124
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe91⤵PID:1932
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe92⤵PID:2052
-
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe93⤵PID:2100
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe94⤵PID:1748
-
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe95⤵PID:2700
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe96⤵PID:2508
-
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe97⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe98⤵PID:2496
-
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe99⤵PID:2548
-
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe100⤵PID:1732
-
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe101⤵PID:784
-
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe102⤵PID:2424
-
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe103⤵PID:2084
-
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:556 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe105⤵PID:2832
-
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe106⤵PID:1648
-
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe107⤵PID:1244
-
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe108⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe109⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe110⤵PID:2704
-
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe111⤵PID:2528
-
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe112⤵PID:748
-
C:\Windows\SysWOW64\Nipdkieg.exeC:\Windows\system32\Nipdkieg.exe113⤵PID:2796
-
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe114⤵PID:2772
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe115⤵PID:1424
-
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe116⤵PID:384
-
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe117⤵PID:1752
-
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe118⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe119⤵PID:2392
-
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe120⤵PID:1212
-
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe121⤵PID:2708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-