Analysis
-
max time kernel
146s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 05:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe
-
Size
344KB
-
MD5
2990687d33c0d00b9d90c2b676de0040
-
SHA1
900269ba1b8143a9427f537e00305e13251d9d18
-
SHA256
69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48
-
SHA512
0dbcddc45f3b667984a3f2a174a9525fc994733730df53584cfc933a5ad62fc1a7fbde89db9b1533e487d4093136548d4fe5fe241d0365c2de67d1360e0e37a0
-
SSDEEP
6144:cH87xmzZbrCpX2/mnbzvdLaD6OkPgl6bmIjlQFn:cH823CpXImbzQD6OkPgl6bmIjKn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbngf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplmop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenobfak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdmmdnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mofglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlljjjnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdklf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmlhnagm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcokkak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkpbcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcampgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gedbdlbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfbogcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqideepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnqqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdadnkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joplbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmdho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmcfhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lccdel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohibdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fenmdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjenhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghjel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehmdhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hapicp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkhofjoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icpigm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceodnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbaileio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghelfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effcma32.exe -
Executes dropped EXE 64 IoCs
pid Process 2184 Hpkjko32.exe 2640 Hicodd32.exe 2608 Hlcgeo32.exe 2616 Hgilchkf.exe 2468 Hjjddchg.exe 2512 Iaeiieeb.exe 2344 Iknnbklc.exe 1200 Igdogl32.exe 2788 Iqmcpahh.exe 1564 Ijeghgoh.exe 1036 Ijgdngmf.exe 1920 Icpigm32.exe 1616 Jofiln32.exe 304 Jiondcpk.exe 2384 Jfcnngnd.exe 2880 Jokcgmee.exe 3048 Jnqphi32.exe 408 Jejhecaj.exe 1288 Joplbl32.exe 1960 Jnclnihj.exe 788 Kgkafo32.exe 1064 Kjjmbj32.exe 616 Kcbakpdo.exe 2852 Kkijmm32.exe 2892 Kafbec32.exe 1984 Keanebkb.exe 1308 Kjnfniii.exe 1704 Kmmcjehm.exe 2728 Kjqccigf.exe 1268 Kpmlkp32.exe 2860 Kjcpii32.exe 2528 Kmaled32.exe 2720 Lpphap32.exe 2192 Lihmjejl.exe 1508 Loeebl32.exe 2676 Leonofpp.exe 1000 Lliflp32.exe 1032 Lbcnhjnj.exe 1860 Llkbap32.exe 680 Lkncmmle.exe 588 Ldfgebbe.exe 1324 Llnofpcg.exe 2056 Lefdpe32.exe 2268 Ldidkbpb.exe 2916 Mggpgmof.exe 2360 Monhhk32.exe 1536 Mppepcfg.exe 1596 Mhgmapfi.exe 2336 Mihiih32.exe 792 Maoajf32.exe 2324 Mdmmfa32.exe 1504 Mgljbm32.exe 1588 Mmfbogcn.exe 2332 Mpdnkb32.exe 2700 Mgnfhlin.exe 2536 Mimbdhhb.exe 2500 Mlkopcge.exe 2732 Mcegmm32.exe 2488 Miooigfo.exe 1952 Mhbped32.exe 2404 Nolhan32.exe 1600 Najdnj32.exe 1812 Nhdlkdkg.exe 1528 Nkbhgojk.exe -
Loads dropped DLL 64 IoCs
pid Process 1264 69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe 1264 69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe 2184 Hpkjko32.exe 2184 Hpkjko32.exe 2640 Hicodd32.exe 2640 Hicodd32.exe 2608 Hlcgeo32.exe 2608 Hlcgeo32.exe 2616 Hgilchkf.exe 2616 Hgilchkf.exe 2468 Hjjddchg.exe 2468 Hjjddchg.exe 2512 Iaeiieeb.exe 2512 Iaeiieeb.exe 2344 Iknnbklc.exe 2344 Iknnbklc.exe 1200 Igdogl32.exe 1200 Igdogl32.exe 2788 Iqmcpahh.exe 2788 Iqmcpahh.exe 1564 Ijeghgoh.exe 1564 Ijeghgoh.exe 1036 Ijgdngmf.exe 1036 Ijgdngmf.exe 1920 Icpigm32.exe 1920 Icpigm32.exe 1616 Jofiln32.exe 1616 Jofiln32.exe 304 Jiondcpk.exe 304 Jiondcpk.exe 2384 Jfcnngnd.exe 2384 Jfcnngnd.exe 2880 Jokcgmee.exe 2880 Jokcgmee.exe 3048 Jnqphi32.exe 3048 Jnqphi32.exe 408 Jejhecaj.exe 408 Jejhecaj.exe 1288 Joplbl32.exe 1288 Joplbl32.exe 1960 Jnclnihj.exe 1960 Jnclnihj.exe 788 Kgkafo32.exe 788 Kgkafo32.exe 1064 Kjjmbj32.exe 1064 Kjjmbj32.exe 616 Kcbakpdo.exe 616 Kcbakpdo.exe 2852 Kkijmm32.exe 2852 Kkijmm32.exe 2892 Kafbec32.exe 2892 Kafbec32.exe 1984 Keanebkb.exe 1984 Keanebkb.exe 1308 Kjnfniii.exe 1308 Kjnfniii.exe 1704 Kmmcjehm.exe 1704 Kmmcjehm.exe 2728 Kjqccigf.exe 2728 Kjqccigf.exe 1268 Kpmlkp32.exe 1268 Kpmlkp32.exe 2860 Kjcpii32.exe 2860 Kjcpii32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jjpdcc32.dll Joplbl32.exe File created C:\Windows\SysWOW64\Hfjiem32.dll Ljffag32.exe File created C:\Windows\SysWOW64\Lbfdaigg.exe Lccdel32.exe File created C:\Windows\SysWOW64\Kklcab32.dll Npagjpcd.exe File opened for modification C:\Windows\SysWOW64\Jokcgmee.exe Jfcnngnd.exe File opened for modification C:\Windows\SysWOW64\Kjjmbj32.exe Kgkafo32.exe File created C:\Windows\SysWOW64\Ehkhilpb.dll Ndkmpe32.exe File opened for modification C:\Windows\SysWOW64\Pimkpfeh.exe Obcccl32.exe File opened for modification C:\Windows\SysWOW64\Gpcmpijk.exe Gmdadnkh.exe File created C:\Windows\SysWOW64\Amfcikek.exe Anccmo32.exe File created C:\Windows\SysWOW64\Bfadgq32.exe Bdbhke32.exe File created C:\Windows\SysWOW64\Cfgnhbba.dll Chnqkg32.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Iaeiieeb.exe File created C:\Windows\SysWOW64\Kjjmbj32.exe Kgkafo32.exe File opened for modification C:\Windows\SysWOW64\Kafbec32.exe Kkijmm32.exe File opened for modification C:\Windows\SysWOW64\Kmmcjehm.exe Kjnfniii.exe File opened for modification C:\Windows\SysWOW64\Kjcpii32.exe Kpmlkp32.exe File created C:\Windows\SysWOW64\Kbbngf32.exe Kocbkk32.exe File opened for modification C:\Windows\SysWOW64\Mmihhelk.exe Mofglh32.exe File created C:\Windows\SysWOW64\Mffimglk.exe Mpmapm32.exe File created C:\Windows\SysWOW64\Iemkjqde.dll Leonofpp.exe File created C:\Windows\SysWOW64\Olpdjf32.exe Ojahnj32.exe File opened for modification C:\Windows\SysWOW64\Biicik32.exe Bbokmqie.exe File created C:\Windows\SysWOW64\Hgjefg32.exe Hdlhjl32.exe File created C:\Windows\SysWOW64\Lghjel32.exe Leimip32.exe File created C:\Windows\SysWOW64\Ghqnjk32.exe Gfobbc32.exe File opened for modification C:\Windows\SysWOW64\Kincipnk.exe Kbdklf32.exe File created C:\Windows\SysWOW64\Leljop32.exe Lnbbbffj.exe File opened for modification C:\Windows\SysWOW64\Jofiln32.exe Icpigm32.exe File opened for modification C:\Windows\SysWOW64\Lmlhnagm.exe Lbfdaigg.exe File opened for modification C:\Windows\SysWOW64\Moanaiie.exe Mlcbenjb.exe File opened for modification C:\Windows\SysWOW64\Mcegmm32.exe Mlkopcge.exe File opened for modification C:\Windows\SysWOW64\Nondgn32.exe Nkbhgojk.exe File created C:\Windows\SysWOW64\Ebbgbdkh.dll Ombapedi.exe File created C:\Windows\SysWOW64\Fjaonpnn.exe Effcma32.exe File created C:\Windows\SysWOW64\Jnmlhchd.exe Jjbpgd32.exe File created C:\Windows\SysWOW64\Kjcpii32.exe Kpmlkp32.exe File created C:\Windows\SysWOW64\Gqncakcq.dll Lliflp32.exe File opened for modification C:\Windows\SysWOW64\Pkpagq32.exe Pciifc32.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Bpnbkeld.exe File created C:\Windows\SysWOW64\Nbfphc32.dll Fpngfgle.exe File created C:\Windows\SysWOW64\Kjqccigf.exe Kmmcjehm.exe File opened for modification C:\Windows\SysWOW64\Maoajf32.exe Mihiih32.exe File created C:\Windows\SysWOW64\Ckafbbph.exe Chbjffad.exe File created C:\Windows\SysWOW64\Jbdonb32.exe Jnicmdli.exe File opened for modification C:\Windows\SysWOW64\Jiondcpk.exe Jofiln32.exe File created C:\Windows\SysWOW64\Ndpfkdmf.exe Naajoinb.exe File created C:\Windows\SysWOW64\Qmbbdq32.dll Fepiimfg.exe File created C:\Windows\SysWOW64\Lnlmhpjh.dll Mhjbjopf.exe File created C:\Windows\SysWOW64\Jofiln32.exe Icpigm32.exe File created C:\Windows\SysWOW64\Mcegmm32.exe Mlkopcge.exe File created C:\Windows\SysWOW64\Qpecfc32.exe Pjhknm32.exe File created C:\Windows\SysWOW64\Fhneehek.exe Fepiimfg.exe File opened for modification C:\Windows\SysWOW64\Fcefji32.exe Fagjnn32.exe File created C:\Windows\SysWOW64\Ofmbnkhg.exe Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Bpleef32.exe Bmmiij32.exe File created C:\Windows\SysWOW64\Nhiffc32.exe Ndmjedoi.exe File created C:\Windows\SysWOW64\Oopnlacm.exe Ombapedi.exe File created C:\Windows\SysWOW64\Gljilnja.dll Pciifc32.exe File created C:\Windows\SysWOW64\Gfobbc32.exe Gohjaf32.exe File created C:\Windows\SysWOW64\Gdmlko32.dll Hoopae32.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Cnmehnan.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Qmaqpohl.dll Gifhnpea.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5052 4988 WerFault.exe 384 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgjdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpngfgle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjpeifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnopfoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll" Ejhlgaeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfhdp32.dll" Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mencccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll" Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnbefhd.dll" Ngnbgplj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbknfbl.dll" Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmicohqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maiooo32.dll" Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gljilnja.dll" Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicieohp.dll" Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll" Ngfflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkjko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Ckafbbph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpo32.dll" Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdgcpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdpndnei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldidkbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidjnkdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnobnmpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll" Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijeghgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pamiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnilfo32.dll" Pmdjdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdllkhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojchmpcd.dll" Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giicle32.dll" Hlngpjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgiom32.dll" Bbhela32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Figlolbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijdkh32.dll" Fmpkjkma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijqnib32.dll" Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhglodcb.dll" Qcbllb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1264 wrote to memory of 2184 1264 69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe 28 PID 1264 wrote to memory of 2184 1264 69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe 28 PID 1264 wrote to memory of 2184 1264 69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe 28 PID 1264 wrote to memory of 2184 1264 69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe 28 PID 2184 wrote to memory of 2640 2184 Hpkjko32.exe 29 PID 2184 wrote to memory of 2640 2184 Hpkjko32.exe 29 PID 2184 wrote to memory of 2640 2184 Hpkjko32.exe 29 PID 2184 wrote to memory of 2640 2184 Hpkjko32.exe 29 PID 2640 wrote to memory of 2608 2640 Hicodd32.exe 30 PID 2640 wrote to memory of 2608 2640 Hicodd32.exe 30 PID 2640 wrote to memory of 2608 2640 Hicodd32.exe 30 PID 2640 wrote to memory of 2608 2640 Hicodd32.exe 30 PID 2608 wrote to memory of 2616 2608 Hlcgeo32.exe 31 PID 2608 wrote to memory of 2616 2608 Hlcgeo32.exe 31 PID 2608 wrote to memory of 2616 2608 Hlcgeo32.exe 31 PID 2608 wrote to memory of 2616 2608 Hlcgeo32.exe 31 PID 2616 wrote to memory of 2468 2616 Hgilchkf.exe 32 PID 2616 wrote to memory of 2468 2616 Hgilchkf.exe 32 PID 2616 wrote to memory of 2468 2616 Hgilchkf.exe 32 PID 2616 wrote to memory of 2468 2616 Hgilchkf.exe 32 PID 2468 wrote to memory of 2512 2468 Hjjddchg.exe 33 PID 2468 wrote to memory of 2512 2468 Hjjddchg.exe 33 PID 2468 wrote to memory of 2512 2468 Hjjddchg.exe 33 PID 2468 wrote to memory of 2512 2468 Hjjddchg.exe 33 PID 2512 wrote to memory of 2344 2512 Iaeiieeb.exe 34 PID 2512 wrote to memory of 2344 2512 Iaeiieeb.exe 34 PID 2512 wrote to memory of 2344 2512 Iaeiieeb.exe 34 PID 2512 wrote to memory of 2344 2512 Iaeiieeb.exe 34 PID 2344 wrote to memory of 1200 2344 Iknnbklc.exe 35 PID 2344 wrote to memory of 1200 2344 Iknnbklc.exe 35 PID 2344 wrote to memory of 1200 2344 Iknnbklc.exe 35 PID 2344 wrote to memory of 1200 2344 Iknnbklc.exe 35 PID 1200 wrote to memory of 2788 1200 Igdogl32.exe 36 PID 1200 wrote to memory of 2788 1200 Igdogl32.exe 36 PID 1200 wrote to memory of 2788 1200 Igdogl32.exe 36 PID 1200 wrote to memory of 2788 1200 Igdogl32.exe 36 PID 2788 wrote to memory of 1564 2788 Iqmcpahh.exe 37 PID 2788 wrote to memory of 1564 2788 Iqmcpahh.exe 37 PID 2788 wrote to memory of 1564 2788 Iqmcpahh.exe 37 PID 2788 wrote to memory of 1564 2788 Iqmcpahh.exe 37 PID 1564 wrote to memory of 1036 1564 Ijeghgoh.exe 38 PID 1564 wrote to memory of 1036 1564 Ijeghgoh.exe 38 PID 1564 wrote to memory of 1036 1564 Ijeghgoh.exe 38 PID 1564 wrote to memory of 1036 1564 Ijeghgoh.exe 38 PID 1036 wrote to memory of 1920 1036 Ijgdngmf.exe 39 PID 1036 wrote to memory of 1920 1036 Ijgdngmf.exe 39 PID 1036 wrote to memory of 1920 1036 Ijgdngmf.exe 39 PID 1036 wrote to memory of 1920 1036 Ijgdngmf.exe 39 PID 1920 wrote to memory of 1616 1920 Icpigm32.exe 40 PID 1920 wrote to memory of 1616 1920 Icpigm32.exe 40 PID 1920 wrote to memory of 1616 1920 Icpigm32.exe 40 PID 1920 wrote to memory of 1616 1920 Icpigm32.exe 40 PID 1616 wrote to memory of 304 1616 Jofiln32.exe 41 PID 1616 wrote to memory of 304 1616 Jofiln32.exe 41 PID 1616 wrote to memory of 304 1616 Jofiln32.exe 41 PID 1616 wrote to memory of 304 1616 Jofiln32.exe 41 PID 304 wrote to memory of 2384 304 Jiondcpk.exe 42 PID 304 wrote to memory of 2384 304 Jiondcpk.exe 42 PID 304 wrote to memory of 2384 304 Jiondcpk.exe 42 PID 304 wrote to memory of 2384 304 Jiondcpk.exe 42 PID 2384 wrote to memory of 2880 2384 Jfcnngnd.exe 43 PID 2384 wrote to memory of 2880 2384 Jfcnngnd.exe 43 PID 2384 wrote to memory of 2880 2384 Jfcnngnd.exe 43 PID 2384 wrote to memory of 2880 2384 Jfcnngnd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\69d6e76389083b6a3ff4868c8a8393543d193a1a953a4fbdc32743f951c78d48_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:408 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:788 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:616 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe33⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe34⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe35⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe36⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe39⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe40⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe41⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe43⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe46⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe47⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe48⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe49⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe51⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe53⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe55⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe56⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe57⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe59⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe61⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe63⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe64⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe66⤵PID:2236
-
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe68⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe69⤵PID:1096
-
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe70⤵
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe71⤵PID:2064
-
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe72⤵PID:1068
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe73⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe74⤵PID:2052
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe75⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe76⤵PID:3012
-
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe77⤵PID:2828
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe78⤵PID:1544
-
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe79⤵PID:2792
-
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe81⤵PID:1932
-
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe82⤵
- Drops file in System32 directory
PID:656 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe83⤵PID:856
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe84⤵PID:1776
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe85⤵PID:644
-
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe86⤵PID:2140
-
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe87⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe88⤵PID:2068
-
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe89⤵PID:2968
-
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe92⤵PID:2504
-
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe93⤵PID:2576
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe94⤵PID:2948
-
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe95⤵
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe96⤵PID:556
-
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe97⤵PID:348
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe98⤵PID:2872
-
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe99⤵PID:1312
-
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe100⤵PID:1820
-
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe102⤵PID:2924
-
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe103⤵PID:564
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe105⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe107⤵PID:2760
-
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe108⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe109⤵PID:1236
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe110⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe111⤵PID:1612
-
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe112⤵PID:1660
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe113⤵PID:2476
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe114⤵
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe115⤵
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe116⤵PID:2104
-
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe117⤵PID:2900
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:896 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe119⤵PID:2704
-
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe120⤵PID:2856
-
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe121⤵PID:2552
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-