Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 18:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe
-
Size
96KB
-
MD5
54bf989fbd8df995d3d332bf6ea48700
-
SHA1
98be45d0a17a236f5ff82eedb84038f19c2af7b6
-
SHA256
b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21
-
SHA512
6cce102370381e47501c5b56ba40c74eca25240e2ebb3216b30f3ba076d43c4d502c4d4ed3be11c163f7e9fe45ad412239dd16f259dd085d5af5540dfede0fa7
-
SSDEEP
1536:RbIXfmtSas31GfTE6r3WRdLntnGIM8u2LwaIZTJ+7LhkiB0MPiKeEAgH:Rb9Bs31CDWLLntnGIM8zwaMU7uihJ5
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmlkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpeifeca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpgce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjojofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnlqnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjdbcef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghfbqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jicgpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafidiio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbellac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajhofao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghlgdgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhheqje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamfnkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnneja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedleg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lipjejgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmopod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pminkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldcamcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefpnhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qimhoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabejlob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njgldmdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfinoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfccn32.exe -
Executes dropped EXE 64 IoCs
pid Process 2824 Kpcpbb32.exe 2520 Kjhdokbo.exe 2568 Kmgpkfab.exe 2532 Kpemgbqf.exe 2584 Kfoedl32.exe 2468 Kmimafop.exe 2328 Knjiin32.exe 2656 Kipnfged.exe 2772 Komfnnck.exe 1944 Kakbjibo.exe 280 Kibjkgca.exe 320 Kjcgco32.exe 1556 Keikqhhe.exe 2088 Loapim32.exe 2052 Lekhfgfc.exe 1032 Lhjdbcef.exe 2788 Lmgmjjdn.exe 1468 Lpeifeca.exe 1100 Limmokib.exe 2148 Lmiipi32.exe 1300 Ldcamcih.exe 1848 Lganiohl.exe 2160 Lipjejgp.exe 1680 Lpjbad32.exe 344 Lgdjnofi.exe 2224 Libgjj32.exe 2712 Llqcfe32.exe 2452 Midcpj32.exe 2460 Mhgclfje.exe 2492 Mcmhiojk.exe 1596 Maphdl32.exe 2620 Mlelaeqk.exe 2764 Mcodno32.exe 1928 Mabejlob.exe 2188 Mdqafgnf.exe 1336 Mlgigdoh.exe 1504 Madapkmp.exe 1268 Mepnpj32.exe 2796 Mhnjle32.exe 2164 Mkmfhacp.exe 1412 Magnek32.exe 1752 Mpjoqhah.exe 2236 Mdejaf32.exe 2668 Mgcgmb32.exe 1872 Mkobnqan.exe 3064 Nnnojlpa.exe 1548 Naikkk32.exe 2028 Nplkfgoe.exe 612 Ncjgbcoi.exe 2700 Ngfcca32.exe 2560 Njdpomfe.exe 2552 Nnplpl32.exe 2448 Nlblkhei.exe 2908 Ndjdlffl.exe 2404 Nghphaeo.exe 2592 Nghphaeo.exe 1956 Njgldmdc.exe 2304 Nleiqhcg.exe 1012 Nqqdag32.exe 836 Nocemcbj.exe 2808 Ngkmnacm.exe 2260 Njiijlbp.exe 676 Nhlifi32.exe 2856 Nqcagfim.exe -
Loads dropped DLL 64 IoCs
pid Process 2500 b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe 2500 b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe 2824 Kpcpbb32.exe 2824 Kpcpbb32.exe 2520 Kjhdokbo.exe 2520 Kjhdokbo.exe 2568 Kmgpkfab.exe 2568 Kmgpkfab.exe 2532 Kpemgbqf.exe 2532 Kpemgbqf.exe 2584 Kfoedl32.exe 2584 Kfoedl32.exe 2468 Kmimafop.exe 2468 Kmimafop.exe 2328 Knjiin32.exe 2328 Knjiin32.exe 2656 Kipnfged.exe 2656 Kipnfged.exe 2772 Komfnnck.exe 2772 Komfnnck.exe 1944 Kakbjibo.exe 1944 Kakbjibo.exe 280 Kibjkgca.exe 280 Kibjkgca.exe 320 Kjcgco32.exe 320 Kjcgco32.exe 1556 Keikqhhe.exe 1556 Keikqhhe.exe 2088 Loapim32.exe 2088 Loapim32.exe 2052 Lekhfgfc.exe 2052 Lekhfgfc.exe 1032 Lhjdbcef.exe 1032 Lhjdbcef.exe 2788 Lmgmjjdn.exe 2788 Lmgmjjdn.exe 1468 Lpeifeca.exe 1468 Lpeifeca.exe 1100 Limmokib.exe 1100 Limmokib.exe 2148 Lmiipi32.exe 2148 Lmiipi32.exe 1300 Ldcamcih.exe 1300 Ldcamcih.exe 1848 Lganiohl.exe 1848 Lganiohl.exe 2160 Lipjejgp.exe 2160 Lipjejgp.exe 1680 Lpjbad32.exe 1680 Lpjbad32.exe 344 Lgdjnofi.exe 344 Lgdjnofi.exe 2224 Libgjj32.exe 2224 Libgjj32.exe 2712 Llqcfe32.exe 2712 Llqcfe32.exe 2452 Midcpj32.exe 2452 Midcpj32.exe 2460 Mhgclfje.exe 2460 Mhgclfje.exe 2492 Mcmhiojk.exe 2492 Mcmhiojk.exe 1596 Maphdl32.exe 1596 Maphdl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ajbdna32.exe Ahchbf32.exe File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe Hellne32.exe File opened for modification C:\Windows\SysWOW64\Pgplkb32.exe Pimkpfeh.exe File opened for modification C:\Windows\SysWOW64\Ojficpfn.exe Oghlgdgk.exe File created C:\Windows\SysWOW64\Ekchhcnp.dll Pphjgfqq.exe File created C:\Windows\SysWOW64\Necfoajd.dll Oclilp32.exe File created C:\Windows\SysWOW64\Obcccl32.exe Ooeggp32.exe File opened for modification C:\Windows\SysWOW64\Nleiqhcg.exe Njgldmdc.exe File created C:\Windows\SysWOW64\Jjlnif32.exe Jfqahgpg.exe File opened for modification C:\Windows\SysWOW64\Nocnbmoo.exe Nglfapnl.exe File created C:\Windows\SysWOW64\Onmjak32.dll Ojahnj32.exe File created C:\Windows\SysWOW64\Cdakgibq.exe Cpeofk32.exe File opened for modification C:\Windows\SysWOW64\Ojahnj32.exe Ogblbo32.exe File created C:\Windows\SysWOW64\Illjbiak.dll Efaibbij.exe File created C:\Windows\SysWOW64\Odifpn32.dll Njiijlbp.exe File opened for modification C:\Windows\SysWOW64\Pfiidobe.exe Pnbacbac.exe File created C:\Windows\SysWOW64\Adeplhib.exe Qecoqk32.exe File created C:\Windows\SysWOW64\Dkjgaecj.dll Aaaoij32.exe File created C:\Windows\SysWOW64\Echfaf32.exe Echfaf32.exe File created C:\Windows\SysWOW64\Plcdgfbo.exe Piehkkcl.exe File created C:\Windows\SysWOW64\Mlelaeqk.exe Maphdl32.exe File opened for modification C:\Windows\SysWOW64\Cfinoq32.exe Cbnbobin.exe File created C:\Windows\SysWOW64\Ffkcbgek.exe Fhhcgj32.exe File opened for modification C:\Windows\SysWOW64\Jjlnif32.exe Jfqahgpg.exe File opened for modification C:\Windows\SysWOW64\Ccngld32.exe Cdlgpgef.exe File created C:\Windows\SysWOW64\Dbfabp32.exe Dccagcgk.exe File created C:\Windows\SysWOW64\Cbhkgk32.dll Mcmhiojk.exe File opened for modification C:\Windows\SysWOW64\Qjmkcbcb.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Bnpmlfkm.dll Eecqjpee.exe File created C:\Windows\SysWOW64\Aloeodfi.dll Ffpmnf32.exe File created C:\Windows\SysWOW64\Lckdanld.exe Lpphap32.exe File opened for modification C:\Windows\SysWOW64\Nceclqan.exe Ndbcpd32.exe File opened for modification C:\Windows\SysWOW64\Ohfeog32.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Nglknl32.dll Qcpofbjl.exe File created C:\Windows\SysWOW64\Pnbacbac.exe Ppoqge32.exe File created C:\Windows\SysWOW64\Qeqbkkej.exe Qaefjm32.exe File opened for modification C:\Windows\SysWOW64\Ojolhk32.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Ilbgbe32.dll Pnomcl32.exe File opened for modification C:\Windows\SysWOW64\Ngkmnacm.exe Nocemcbj.exe File opened for modification C:\Windows\SysWOW64\Cgpgce32.exe Cdakgibq.exe File opened for modification C:\Windows\SysWOW64\Kgbggnhc.exe Kpkofpgq.exe File opened for modification C:\Windows\SysWOW64\Mhgclfje.exe Midcpj32.exe File created C:\Windows\SysWOW64\Pogjpc32.dll Kafbec32.exe File created C:\Windows\SysWOW64\Mcmhiojk.exe Mhgclfje.exe File created C:\Windows\SysWOW64\Njiijlbp.exe Ngkmnacm.exe File opened for modification C:\Windows\SysWOW64\Ikpjgkjq.exe Igdogl32.exe File opened for modification C:\Windows\SysWOW64\Onmddnil.dll Nhdlkdkg.exe File opened for modification C:\Windows\SysWOW64\Ekhhadmk.exe Egllae32.exe File opened for modification C:\Windows\SysWOW64\Kakbjibo.exe Komfnnck.exe File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe Gogangdc.exe File created C:\Windows\SysWOW64\Ocimgp32.exe Oqkqkdne.exe File opened for modification C:\Windows\SysWOW64\Afiecb32.exe Adjigg32.exe File created C:\Windows\SysWOW64\Lkoabpeg.dll Gejcjbah.exe File created C:\Windows\SysWOW64\Ecdjal32.dll Dccagcgk.exe File created C:\Windows\SysWOW64\Eqgnokip.exe Emkaol32.exe File created C:\Windows\SysWOW64\Egadpgfp.dll Fcmgfkeg.exe File opened for modification C:\Windows\SysWOW64\Bbdocc32.exe Boiccdnf.exe File created C:\Windows\SysWOW64\Dodonf32.exe Dkhcmgnl.exe File opened for modification C:\Windows\SysWOW64\Fhkpmjln.exe Fdoclk32.exe File opened for modification C:\Windows\SysWOW64\Pefijfii.exe Pqkmjh32.exe File opened for modification C:\Windows\SysWOW64\Qbelgood.exe Qcbllb32.exe File opened for modification C:\Windows\SysWOW64\Adeplhib.exe Qecoqk32.exe File created C:\Windows\SysWOW64\Hbkdjjal.dll Paggai32.exe File created C:\Windows\SysWOW64\Dgfjbgmh.exe Doobajme.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7204 7180 WerFault.exe 721 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" Hnagjbdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhfipcid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpdbloof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkicn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdmeemc.dll" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baoohhdn.dll" Kkijmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkgmi32.dll" Mkgfckcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpknpme.dll" Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjbaocl.dll" Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofbfdmeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejbfhfaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidengnp.dll" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkiklhim.dll" Mpjoqhah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oobjaqaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boqbfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkqbaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfoedl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Dgdmmgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphcda32.dll" Kipnfged.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilbgbe32.dll" Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiich32.dll" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmljjm32.dll" Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcijc32.dll" Kmopod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlcbpdk.dll" Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefeijle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egafleqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndjdlffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enkece32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkebie32.dll" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpiddoma.dll" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhela32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2500 wrote to memory of 2824 2500 b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe 28 PID 2500 wrote to memory of 2824 2500 b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe 28 PID 2500 wrote to memory of 2824 2500 b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe 28 PID 2500 wrote to memory of 2824 2500 b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe 28 PID 2824 wrote to memory of 2520 2824 Kpcpbb32.exe 29 PID 2824 wrote to memory of 2520 2824 Kpcpbb32.exe 29 PID 2824 wrote to memory of 2520 2824 Kpcpbb32.exe 29 PID 2824 wrote to memory of 2520 2824 Kpcpbb32.exe 29 PID 2520 wrote to memory of 2568 2520 Kjhdokbo.exe 30 PID 2520 wrote to memory of 2568 2520 Kjhdokbo.exe 30 PID 2520 wrote to memory of 2568 2520 Kjhdokbo.exe 30 PID 2520 wrote to memory of 2568 2520 Kjhdokbo.exe 30 PID 2568 wrote to memory of 2532 2568 Kmgpkfab.exe 31 PID 2568 wrote to memory of 2532 2568 Kmgpkfab.exe 31 PID 2568 wrote to memory of 2532 2568 Kmgpkfab.exe 31 PID 2568 wrote to memory of 2532 2568 Kmgpkfab.exe 31 PID 2532 wrote to memory of 2584 2532 Kpemgbqf.exe 32 PID 2532 wrote to memory of 2584 2532 Kpemgbqf.exe 32 PID 2532 wrote to memory of 2584 2532 Kpemgbqf.exe 32 PID 2532 wrote to memory of 2584 2532 Kpemgbqf.exe 32 PID 2584 wrote to memory of 2468 2584 Kfoedl32.exe 33 PID 2584 wrote to memory of 2468 2584 Kfoedl32.exe 33 PID 2584 wrote to memory of 2468 2584 Kfoedl32.exe 33 PID 2584 wrote to memory of 2468 2584 Kfoedl32.exe 33 PID 2468 wrote to memory of 2328 2468 Kmimafop.exe 34 PID 2468 wrote to memory of 2328 2468 Kmimafop.exe 34 PID 2468 wrote to memory of 2328 2468 Kmimafop.exe 34 PID 2468 wrote to memory of 2328 2468 Kmimafop.exe 34 PID 2328 wrote to memory of 2656 2328 Knjiin32.exe 35 PID 2328 wrote to memory of 2656 2328 Knjiin32.exe 35 PID 2328 wrote to memory of 2656 2328 Knjiin32.exe 35 PID 2328 wrote to memory of 2656 2328 Knjiin32.exe 35 PID 2656 wrote to memory of 2772 2656 Kipnfged.exe 36 PID 2656 wrote to memory of 2772 2656 Kipnfged.exe 36 PID 2656 wrote to memory of 2772 2656 Kipnfged.exe 36 PID 2656 wrote to memory of 2772 2656 Kipnfged.exe 36 PID 2772 wrote to memory of 1944 2772 Komfnnck.exe 37 PID 2772 wrote to memory of 1944 2772 Komfnnck.exe 37 PID 2772 wrote to memory of 1944 2772 Komfnnck.exe 37 PID 2772 wrote to memory of 1944 2772 Komfnnck.exe 37 PID 1944 wrote to memory of 280 1944 Kakbjibo.exe 38 PID 1944 wrote to memory of 280 1944 Kakbjibo.exe 38 PID 1944 wrote to memory of 280 1944 Kakbjibo.exe 38 PID 1944 wrote to memory of 280 1944 Kakbjibo.exe 38 PID 280 wrote to memory of 320 280 Kibjkgca.exe 39 PID 280 wrote to memory of 320 280 Kibjkgca.exe 39 PID 280 wrote to memory of 320 280 Kibjkgca.exe 39 PID 280 wrote to memory of 320 280 Kibjkgca.exe 39 PID 320 wrote to memory of 1556 320 Kjcgco32.exe 40 PID 320 wrote to memory of 1556 320 Kjcgco32.exe 40 PID 320 wrote to memory of 1556 320 Kjcgco32.exe 40 PID 320 wrote to memory of 1556 320 Kjcgco32.exe 40 PID 1556 wrote to memory of 2088 1556 Keikqhhe.exe 41 PID 1556 wrote to memory of 2088 1556 Keikqhhe.exe 41 PID 1556 wrote to memory of 2088 1556 Keikqhhe.exe 41 PID 1556 wrote to memory of 2088 1556 Keikqhhe.exe 41 PID 2088 wrote to memory of 2052 2088 Loapim32.exe 42 PID 2088 wrote to memory of 2052 2088 Loapim32.exe 42 PID 2088 wrote to memory of 2052 2088 Loapim32.exe 42 PID 2088 wrote to memory of 2052 2088 Loapim32.exe 42 PID 2052 wrote to memory of 1032 2052 Lekhfgfc.exe 43 PID 2052 wrote to memory of 1032 2052 Lekhfgfc.exe 43 PID 2052 wrote to memory of 1032 2052 Lekhfgfc.exe 43 PID 2052 wrote to memory of 1032 2052 Lekhfgfc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b69023d7ebc7884dcfeab89dc95d3467902f53c29aa44ed7b89f39400358bb21_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:344 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe33⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe34⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe36⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe37⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe38⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe39⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe40⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe41⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe42⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe44⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe45⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe46⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe47⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe48⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe49⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe50⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe51⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe53⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe54⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe56⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe57⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe59⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe60⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe64⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe65⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe66⤵PID:2256
-
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe67⤵PID:1000
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe68⤵PID:1704
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe69⤵PID:1880
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe70⤵PID:2868
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe71⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe72⤵PID:2564
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe73⤵PID:2748
-
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe74⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe75⤵PID:2536
-
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe76⤵PID:2596
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe77⤵PID:2600
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe78⤵PID:1960
-
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe79⤵PID:1996
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe80⤵PID:2180
-
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe81⤵PID:2896
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe82⤵PID:1984
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe83⤵PID:2400
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe84⤵PID:564
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe85⤵PID:1676
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe88⤵PID:2124
-
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe89⤵PID:380
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe90⤵PID:2572
-
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe91⤵PID:2588
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe92⤵PID:2432
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe93⤵PID:2948
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe94⤵PID:2648
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe95⤵PID:1936
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe96⤵PID:2204
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe97⤵PID:2184
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe98⤵PID:1904
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe100⤵
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe101⤵PID:2264
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe102⤵PID:1700
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe103⤵PID:1248
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe104⤵PID:1660
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe105⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe106⤵PID:2548
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe107⤵PID:2416
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe108⤵PID:1992
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe109⤵PID:2724
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe110⤵PID:1780
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe111⤵PID:1632
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe113⤵PID:2084
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe114⤵PID:756
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe116⤵
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe118⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe119⤵PID:1636
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe120⤵PID:2616
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe121⤵PID:2412
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-