Analysis
-
max time kernel
52s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 12:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96eb8ac40c5d743f0256e99af7d6c89e815c07e20705b2f1fbb1a14ea45d04fb_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
96eb8ac40c5d743f0256e99af7d6c89e815c07e20705b2f1fbb1a14ea45d04fb_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
96eb8ac40c5d743f0256e99af7d6c89e815c07e20705b2f1fbb1a14ea45d04fb_NeikiAnalytics.exe
-
Size
165KB
-
MD5
35d0124c9daa3aa18f00a2ecca1526f0
-
SHA1
555b5d5e37e62262b4256e6d696e3b41019c6b88
-
SHA256
96eb8ac40c5d743f0256e99af7d6c89e815c07e20705b2f1fbb1a14ea45d04fb
-
SHA512
a4050b09228e08b684af5fcacb32a24e7d18f4be3db9a9cabed1ba46db90a00f4670f3dae872da82f93a05d438b42354b227b61babdfbd4e3c79115fd78f8e5b
-
SSDEEP
3072:V7Djev30C6WPIx4dnSQT3vQfEdArGzHq+egM5bylnO/hZP:V73ev30gPW4dnSQbQMdArGzHregqgnO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kibgmdcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdckfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfjifjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfibe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjqjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajiknpjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbkagp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjdilcla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgokmgjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcibama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjpiha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odapnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnakhkol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkhapfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcgbco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqncedbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqgkhnjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjcdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anogiicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkedibe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjocp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qalnjkgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfibe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndhmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amgapeea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndghmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paegjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckcgkldl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgkpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qddfkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhbec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmabdibj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlnbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blpnib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fooeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njacpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfnphn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbnafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfembo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfjhkjle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqppkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adapgfqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjoankoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbmka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnjafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dceohhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjlpo32.exe -
Executes dropped EXE 64 IoCs
pid Process 4344 Kkkdan32.exe 640 Kphmie32.exe 4864 Kbfiep32.exe 1612 Kknafn32.exe 4784 Kcifkp32.exe 2112 Kkpnlm32.exe 4428 Kdhbec32.exe 4688 Liekmj32.exe 968 Ldkojb32.exe 1440 Liggbi32.exe 4380 Lpappc32.exe 2044 Lkgdml32.exe 768 Lpcmec32.exe 2512 Lkiqbl32.exe 784 Lpfijcfl.exe 4756 Lklnhlfb.exe 3652 Laefdf32.exe 2000 Mjqjih32.exe 4516 Mahbje32.exe 2692 Mkpgck32.exe 3196 Mnapdf32.exe 2732 Mdkhapfj.exe 456 Mjhqjg32.exe 4856 Mdmegp32.exe 1276 Mjjmog32.exe 2388 Mdpalp32.exe 4648 Nkjjij32.exe 2408 Nqfbaq32.exe 228 Nklfoi32.exe 1860 Nafokcol.exe 3612 Ngcgcjnc.exe 3008 Njacpf32.exe 3664 Ndghmo32.exe 748 Njcpee32.exe 4268 Nqmhbpba.exe 4512 Nggqoj32.exe 3860 Nnaikd32.exe 4928 Nqpego32.exe 4708 Okeieh32.exe 5092 Ondeac32.exe 4332 Ocqnij32.exe 4144 Okhfjh32.exe 1964 Ojjffddl.exe 2924 Occkojkm.exe 3232 Ojmcld32.exe 4220 Oqgkhnjf.exe 4032 Okloegjl.exe 1528 Onklabip.exe 4424 Ocgdji32.exe 2460 Okolkg32.exe 4880 Oqkdcn32.exe 2452 Pcjapi32.exe 4584 Pjdilcla.exe 3184 Peimil32.exe 3696 Pghieg32.exe 1508 Pnbbbabh.exe 4904 Peljol32.exe 3796 Pkfblfab.exe 1160 Pbpjhp32.exe 888 Pengdk32.exe 8 Pjkombfj.exe 4968 Paegjl32.exe 3788 Pgopffec.exe 4036 Pjmlbbdg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nnbnoffm.dll Jcioiood.exe File created C:\Windows\SysWOW64\Opdghh32.exe Ojjolnaq.exe File created C:\Windows\SysWOW64\Olihhh32.dll Pjdilcla.exe File created C:\Windows\SysWOW64\Kpihae32.dll Gicinj32.exe File created C:\Windows\SysWOW64\Klqcioba.exe Kibgmdcn.exe File opened for modification C:\Windows\SysWOW64\Nphhmj32.exe Nnjlpo32.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Dgbdlf32.exe File opened for modification C:\Windows\SysWOW64\Mdmegp32.exe Mjhqjg32.exe File created C:\Windows\SysWOW64\Okeieh32.exe Nqpego32.exe File opened for modification C:\Windows\SysWOW64\Pfjcgn32.exe Pggbkagp.exe File created C:\Windows\SysWOW64\Pnfdcjkg.exe Pgllfp32.exe File created C:\Windows\SysWOW64\Akichh32.dll Beeoaapl.exe File created C:\Windows\SysWOW64\Alcidkmm.dll Ddmaok32.exe File created C:\Windows\SysWOW64\Npfhbbpk.dll Ddmhja32.exe File created C:\Windows\SysWOW64\Bhaomhld.dll Kpbmco32.exe File opened for modification C:\Windows\SysWOW64\Pqmjog32.exe Pjcbbmif.exe File opened for modification C:\Windows\SysWOW64\Pnakhkol.exe Pfjcgn32.exe File created C:\Windows\SysWOW64\Bobiobnp.dll Dhmgki32.exe File opened for modification C:\Windows\SysWOW64\Mahbje32.exe Mjqjih32.exe File opened for modification C:\Windows\SysWOW64\Okhfjh32.exe Ocqnij32.exe File created C:\Windows\SysWOW64\Ecnpbjmi.dll Hcdmga32.exe File created C:\Windows\SysWOW64\Bhbopgfn.dll Nnlhfn32.exe File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Djdmffnn.exe File created C:\Windows\SysWOW64\Dodbbdbb.exe Dfnjafap.exe File created C:\Windows\SysWOW64\Kbfiep32.exe Kphmie32.exe File created C:\Windows\SysWOW64\Mdpalp32.exe Mjjmog32.exe File opened for modification C:\Windows\SysWOW64\Pflplnlg.exe Pcncpbmd.exe File opened for modification C:\Windows\SysWOW64\Agglboim.exe Aqncedbp.exe File opened for modification C:\Windows\SysWOW64\Amddjegd.exe Afjlnk32.exe File created C:\Windows\SysWOW64\Jcioiood.exe Jlbgha32.exe File created C:\Windows\SysWOW64\Mlopkm32.exe Mipcob32.exe File created C:\Windows\SysWOW64\Ipbdmaah.exe Iihkpg32.exe File opened for modification C:\Windows\SysWOW64\Lpqiemge.exe Ligqhc32.exe File created C:\Windows\SysWOW64\Jilkmnni.dll Ojoign32.exe File created C:\Windows\SysWOW64\Ienanm32.dll Cbqlfkmi.exe File opened for modification C:\Windows\SysWOW64\Dkoggkjo.exe Dhpjkojk.exe File opened for modification C:\Windows\SysWOW64\Flqimk32.exe Ffgqqaip.exe File opened for modification C:\Windows\SysWOW64\Hmcojh32.exe Helfik32.exe File created C:\Windows\SysWOW64\Benlnbhb.dll Lekehdgp.exe File created C:\Windows\SysWOW64\Mdckfk32.exe Lphoelqn.exe File created C:\Windows\SysWOW64\Ijfjal32.dll Mipcob32.exe File created C:\Windows\SysWOW64\Mlefklpj.exe Migjoaaf.exe File created C:\Windows\SysWOW64\Odmkog32.dll Ekemhj32.exe File created C:\Windows\SysWOW64\Fohoigfh.exe Fljcmlfd.exe File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe Anogiicl.exe File created C:\Windows\SysWOW64\Deokon32.exe Dodbbdbb.exe File created C:\Windows\SysWOW64\Kjpgii32.dll Ojaelm32.exe File created C:\Windows\SysWOW64\Chjaol32.exe Belebq32.exe File created C:\Windows\SysWOW64\Pghdbegp.dll Ajiknpjj.exe File opened for modification C:\Windows\SysWOW64\Kpbmco32.exe Kmdqgd32.exe File opened for modification C:\Windows\SysWOW64\Fcmnpe32.exe Fkffog32.exe File created C:\Windows\SysWOW64\Ejfenk32.dll Pdfjifjo.exe File created C:\Windows\SysWOW64\Gmdlbjng.dll Ajhddjfn.exe File opened for modification C:\Windows\SysWOW64\Lklnhlfb.exe Lpfijcfl.exe File created C:\Windows\SysWOW64\Nhmkghpm.dll Qecppkdm.exe File created C:\Windows\SysWOW64\Eadopc32.exe Ekjfcipa.exe File created C:\Windows\SysWOW64\Jgbcdnbb.dll Gfembo32.exe File created C:\Windows\SysWOW64\Iejcji32.exe Ipnjab32.exe File created C:\Windows\SysWOW64\Bdjinlko.dll Pnlaml32.exe File opened for modification C:\Windows\SysWOW64\Bfkedibe.exe Beihma32.exe File created C:\Windows\SysWOW64\Gpnkgo32.dll Mdkhapfj.exe File opened for modification C:\Windows\SysWOW64\Ndghmo32.exe Njacpf32.exe File opened for modification C:\Windows\SysWOW64\Opdghh32.exe Ojjolnaq.exe File created C:\Windows\SysWOW64\Hlkolh32.dll Abemjmgg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9560 9404 WerFault.exe 485 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lepncd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odapnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkgdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhkapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elhcgeja.dll" Gblngpbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memcpg32.dll" Jehokgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll" Mlhbal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" Dodbbdbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfhbbpk.dll" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbaemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhilj32.dll" Gbbkaako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lphoelqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndfqbhia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ondeac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmbjkdp.dll" Ojjffddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekhjmiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpili32.dll" Ekjfcipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecjhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkoiefmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jimekgff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlefklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjpiha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdfjifjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhmgki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegdfm32.dll" Aaqgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benlnbhb.dll" Lekehdgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcncpbmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll" Aqkgpedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Angddopp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elppfmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfjjppmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll" Opakbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll" Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qalnjkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fchddejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghjpm32.dll" Gododflk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogkcpbam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqpego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aanjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll" Jbhfjljd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgokmgjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohbh32.dll" Ibjjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbhfjljd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liimncmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odkjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll" Kcifkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cahfmgoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjehk32.dll" Eabbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnoof32.dll" Gkaejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnnp32.dll" Jmbdbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfifebhe.dll" Peljol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picpfp32.dll" Chdkoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oekgfqeg.dll" Hodgkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipknlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqgkhnjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkajcp32.dll" Pkfblfab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3520 wrote to memory of 4344 3520 96eb8ac40c5d743f0256e99af7d6c89e815c07e20705b2f1fbb1a14ea45d04fb_NeikiAnalytics.exe 81 PID 3520 wrote to memory of 4344 3520 96eb8ac40c5d743f0256e99af7d6c89e815c07e20705b2f1fbb1a14ea45d04fb_NeikiAnalytics.exe 81 PID 3520 wrote to memory of 4344 3520 96eb8ac40c5d743f0256e99af7d6c89e815c07e20705b2f1fbb1a14ea45d04fb_NeikiAnalytics.exe 81 PID 4344 wrote to memory of 640 4344 Kkkdan32.exe 82 PID 4344 wrote to memory of 640 4344 Kkkdan32.exe 82 PID 4344 wrote to memory of 640 4344 Kkkdan32.exe 82 PID 640 wrote to memory of 4864 640 Kphmie32.exe 83 PID 640 wrote to memory of 4864 640 Kphmie32.exe 83 PID 640 wrote to memory of 4864 640 Kphmie32.exe 83 PID 4864 wrote to memory of 1612 4864 Kbfiep32.exe 84 PID 4864 wrote to memory of 1612 4864 Kbfiep32.exe 84 PID 4864 wrote to memory of 1612 4864 Kbfiep32.exe 84 PID 1612 wrote to memory of 4784 1612 Kknafn32.exe 85 PID 1612 wrote to memory of 4784 1612 Kknafn32.exe 85 PID 1612 wrote to memory of 4784 1612 Kknafn32.exe 85 PID 4784 wrote to memory of 2112 4784 Kcifkp32.exe 86 PID 4784 wrote to memory of 2112 4784 Kcifkp32.exe 86 PID 4784 wrote to memory of 2112 4784 Kcifkp32.exe 86 PID 2112 wrote to memory of 4428 2112 Kkpnlm32.exe 87 PID 2112 wrote to memory of 4428 2112 Kkpnlm32.exe 87 PID 2112 wrote to memory of 4428 2112 Kkpnlm32.exe 87 PID 4428 wrote to memory of 4688 4428 Kdhbec32.exe 88 PID 4428 wrote to memory of 4688 4428 Kdhbec32.exe 88 PID 4428 wrote to memory of 4688 4428 Kdhbec32.exe 88 PID 4688 wrote to memory of 968 4688 Liekmj32.exe 89 PID 4688 wrote to memory of 968 4688 Liekmj32.exe 89 PID 4688 wrote to memory of 968 4688 Liekmj32.exe 89 PID 968 wrote to memory of 1440 968 Ldkojb32.exe 90 PID 968 wrote to memory of 1440 968 Ldkojb32.exe 90 PID 968 wrote to memory of 1440 968 Ldkojb32.exe 90 PID 1440 wrote to memory of 4380 1440 Liggbi32.exe 91 PID 1440 wrote to memory of 4380 1440 Liggbi32.exe 91 PID 1440 wrote to memory of 4380 1440 Liggbi32.exe 91 PID 4380 wrote to memory of 2044 4380 Lpappc32.exe 92 PID 4380 wrote to memory of 2044 4380 Lpappc32.exe 92 PID 4380 wrote to memory of 2044 4380 Lpappc32.exe 92 PID 2044 wrote to memory of 768 2044 Lkgdml32.exe 93 PID 2044 wrote to memory of 768 2044 Lkgdml32.exe 93 PID 2044 wrote to memory of 768 2044 Lkgdml32.exe 93 PID 768 wrote to memory of 2512 768 Lpcmec32.exe 94 PID 768 wrote to memory of 2512 768 Lpcmec32.exe 94 PID 768 wrote to memory of 2512 768 Lpcmec32.exe 94 PID 2512 wrote to memory of 784 2512 Lkiqbl32.exe 95 PID 2512 wrote to memory of 784 2512 Lkiqbl32.exe 95 PID 2512 wrote to memory of 784 2512 Lkiqbl32.exe 95 PID 784 wrote to memory of 4756 784 Lpfijcfl.exe 96 PID 784 wrote to memory of 4756 784 Lpfijcfl.exe 96 PID 784 wrote to memory of 4756 784 Lpfijcfl.exe 96 PID 4756 wrote to memory of 3652 4756 Lklnhlfb.exe 97 PID 4756 wrote to memory of 3652 4756 Lklnhlfb.exe 97 PID 4756 wrote to memory of 3652 4756 Lklnhlfb.exe 97 PID 3652 wrote to memory of 2000 3652 Laefdf32.exe 98 PID 3652 wrote to memory of 2000 3652 Laefdf32.exe 98 PID 3652 wrote to memory of 2000 3652 Laefdf32.exe 98 PID 2000 wrote to memory of 4516 2000 Mjqjih32.exe 99 PID 2000 wrote to memory of 4516 2000 Mjqjih32.exe 99 PID 2000 wrote to memory of 4516 2000 Mjqjih32.exe 99 PID 4516 wrote to memory of 2692 4516 Mahbje32.exe 100 PID 4516 wrote to memory of 2692 4516 Mahbje32.exe 100 PID 4516 wrote to memory of 2692 4516 Mahbje32.exe 100 PID 2692 wrote to memory of 3196 2692 Mkpgck32.exe 101 PID 2692 wrote to memory of 3196 2692 Mkpgck32.exe 101 PID 2692 wrote to memory of 3196 2692 Mkpgck32.exe 101 PID 3196 wrote to memory of 2732 3196 Mnapdf32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\96eb8ac40c5d743f0256e99af7d6c89e815c07e20705b2f1fbb1a14ea45d04fb_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\96eb8ac40c5d743f0256e99af7d6c89e815c07e20705b2f1fbb1a14ea45d04fb_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:456 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe25⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe28⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe29⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe30⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe31⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe32⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe35⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe36⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe37⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe38⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Nqpego32.exeC:\Windows\system32\Nqpego32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4928 -
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe40⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:5092 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4332 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe43⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe45⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4220 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe48⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe49⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe50⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe51⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe52⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe53⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4584 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe55⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe56⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe57⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4904 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3796 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe60⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe61⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe62⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe64⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe65⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe66⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe67⤵PID:220
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe69⤵PID:3128
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe70⤵PID:1152
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe71⤵PID:4452
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4636 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe74⤵
- Modifies registry class
PID:4800 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe75⤵PID:1280
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe76⤵PID:2560
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe77⤵PID:3456
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe78⤵
- Modifies registry class
PID:3376 -
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3948 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5040 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4176 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe82⤵PID:2368
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe83⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe84⤵PID:2528
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe85⤵PID:3336
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe86⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe88⤵PID:1524
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3256 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe90⤵PID:3688
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe91⤵PID:4536
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe92⤵PID:3952
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe93⤵PID:2652
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe94⤵PID:4120
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe95⤵PID:4684
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe96⤵PID:1188
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe97⤵PID:3040
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe98⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe99⤵PID:3748
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe100⤵PID:2128
-
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe101⤵PID:724
-
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe102⤵PID:3736
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe103⤵PID:3124
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe104⤵PID:4932
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe105⤵
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe106⤵PID:4244
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe107⤵PID:1728
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe108⤵PID:2992
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe109⤵PID:4860
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe110⤵
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe112⤵PID:4616
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe113⤵PID:1512
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe114⤵PID:4828
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe115⤵PID:4260
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe116⤵PID:1620
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe118⤵PID:2304
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe119⤵PID:2756
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe120⤵PID:1392
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3348
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-