Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
10-05-2024 06:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
972385da37ff824373093132880ce010_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
972385da37ff824373093132880ce010_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
972385da37ff824373093132880ce010_NeikiAnalytics.exe
-
Size
194KB
-
MD5
972385da37ff824373093132880ce010
-
SHA1
2777db7d8425e6158496975ba7c4c37dfc1b7b0e
-
SHA256
d22888ca82ff0dc8a13d187d924356a00406a6fa6142078b1753546fc1f42fcd
-
SHA512
d96924c1c5afedfff3587a1dd4a1193d433aac3c529a7f71f6c9454f943f854ab6d6e636da6ad850fe898a8c1b2ee3fd3f29b9beca01943c32473f5d15cd67e1
-
SSDEEP
6144:VZt++iWdSfUNRbCeKpNYxWlJ7mkD6pNY:Tt+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngibaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mholen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfnnha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjifhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihgainbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfhlin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmbhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpngfgle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hedocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlkiepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbkmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqemdbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbomfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnfbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heglio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdlkiepd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agfgqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcpii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncdgcqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmicohqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmgcohn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmceigep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdadnkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfmfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqmmpd32.exe -
Executes dropped EXE 64 IoCs
pid Process 1808 Ambmpmln.exe 1728 Afkbib32.exe 2620 Aoffmd32.exe 2660 Ahokfj32.exe 2780 Bagpopmj.exe 2624 Bkodhe32.exe 2632 Beehencq.exe 296 Bkaqmeah.exe 1960 Bhfagipa.exe 2792 Banepo32.exe 1976 Bdlblj32.exe 1444 Cjlgiqbk.exe 2160 Cdakgibq.exe 2348 Chemfl32.exe 2856 Cfinoq32.exe 992 Clcflkic.exe 1896 Dgmglh32.exe 852 Dhmcfkme.exe 1676 Dgodbh32.exe 1640 Dqhhknjp.exe 2968 Ddcdkl32.exe 2956 Dgdmmgpj.exe 1740 Dcknbh32.exe 2148 Eqonkmdh.exe 1288 Ecmkghcl.exe 1684 Epdkli32.exe 2072 Ecpgmhai.exe 896 Eeqdep32.exe 2708 Eecqjpee.exe 2712 Epieghdk.exe 2752 Eajaoq32.exe 2560 Egdilkbf.exe 2576 Eloemi32.exe 2332 Fhffaj32.exe 1648 Fjdbnf32.exe 2488 Fmcoja32.exe 1964 Fcmgfkeg.exe 2008 Fmekoalh.exe 2440 Fpdhklkl.exe 2552 Fjilieka.exe 1580 Ffpmnf32.exe 2452 Fmjejphb.exe 1008 Fiaeoang.exe 1608 Gpknlk32.exe 1804 Gbijhg32.exe 404 Gegfdb32.exe 1144 Gangic32.exe 1392 Ghhofmql.exe 740 Gkgkbipp.exe 800 Gdopkn32.exe 1284 Glfhll32.exe 1752 Goddhg32.exe 1668 Gacpdbej.exe 2076 Geolea32.exe 2788 Ggpimica.exe 2640 Gmjaic32.exe 2748 Gddifnbk.exe 2808 Hiqbndpb.exe 2512 Hmlnoc32.exe 1440 Hpkjko32.exe 1224 Hgdbhi32.exe 2012 Hicodd32.exe 1488 Hdhbam32.exe 2412 Hggomh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2888 972385da37ff824373093132880ce010_NeikiAnalytics.exe 2888 972385da37ff824373093132880ce010_NeikiAnalytics.exe 1808 Ambmpmln.exe 1808 Ambmpmln.exe 1728 Afkbib32.exe 1728 Afkbib32.exe 2620 Aoffmd32.exe 2620 Aoffmd32.exe 2660 Ahokfj32.exe 2660 Ahokfj32.exe 2780 Bagpopmj.exe 2780 Bagpopmj.exe 2624 Bkodhe32.exe 2624 Bkodhe32.exe 2632 Beehencq.exe 2632 Beehencq.exe 296 Bkaqmeah.exe 296 Bkaqmeah.exe 1960 Bhfagipa.exe 1960 Bhfagipa.exe 2792 Banepo32.exe 2792 Banepo32.exe 1976 Bdlblj32.exe 1976 Bdlblj32.exe 1444 Cjlgiqbk.exe 1444 Cjlgiqbk.exe 2160 Cdakgibq.exe 2160 Cdakgibq.exe 2348 Chemfl32.exe 2348 Chemfl32.exe 2856 Cfinoq32.exe 2856 Cfinoq32.exe 992 Clcflkic.exe 992 Clcflkic.exe 1896 Dgmglh32.exe 1896 Dgmglh32.exe 852 Dhmcfkme.exe 852 Dhmcfkme.exe 1676 Dgodbh32.exe 1676 Dgodbh32.exe 1640 Dqhhknjp.exe 1640 Dqhhknjp.exe 2968 Ddcdkl32.exe 2968 Ddcdkl32.exe 2956 Dgdmmgpj.exe 2956 Dgdmmgpj.exe 1740 Dcknbh32.exe 1740 Dcknbh32.exe 2148 Eqonkmdh.exe 2148 Eqonkmdh.exe 1288 Ecmkghcl.exe 1288 Ecmkghcl.exe 1684 Epdkli32.exe 1684 Epdkli32.exe 2072 Ecpgmhai.exe 2072 Ecpgmhai.exe 896 Eeqdep32.exe 896 Eeqdep32.exe 2708 Eecqjpee.exe 2708 Eecqjpee.exe 2712 Epieghdk.exe 2712 Epieghdk.exe 2752 Eajaoq32.exe 2752 Eajaoq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ppbfpd32.exe Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Ngdifkpi.exe Ndemjoae.exe File created C:\Windows\SysWOW64\Nolcnd32.dll Ihdkao32.exe File created C:\Windows\SysWOW64\Gdchio32.dll Mmceigep.exe File created C:\Windows\SysWOW64\Meppiblm.exe Mofglh32.exe File created C:\Windows\SysWOW64\Fibkpd32.dll Nkpegi32.exe File opened for modification C:\Windows\SysWOW64\Qeaedd32.exe Qbbhgi32.exe File opened for modification C:\Windows\SysWOW64\Joifam32.exe Jqfffqpm.exe File opened for modification C:\Windows\SysWOW64\Fncdgcqm.exe Flehkhai.exe File created C:\Windows\SysWOW64\Njgcpp32.dll Geolea32.exe File opened for modification C:\Windows\SysWOW64\Omfkke32.exe Oikojfgk.exe File created C:\Windows\SysWOW64\Clilkfnb.exe Cdbdjhmp.exe File created C:\Windows\SysWOW64\Mnghjbjl.dll Cdikkg32.exe File created C:\Windows\SysWOW64\Eajaoq32.exe Epieghdk.exe File opened for modification C:\Windows\SysWOW64\Keanebkb.exe Kafbec32.exe File created C:\Windows\SysWOW64\Fncdgcqm.exe Flehkhai.exe File opened for modification C:\Windows\SysWOW64\Kebgia32.exe Kbdklf32.exe File created C:\Windows\SysWOW64\Pjpnbg32.exe Pgbafl32.exe File created C:\Windows\SysWOW64\Pqhmfm32.dll Mpigfa32.exe File created C:\Windows\SysWOW64\Bllbijej.dll Aipddi32.exe File opened for modification C:\Windows\SysWOW64\Coelaaoi.exe Blgpef32.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hacmcfge.exe File created C:\Windows\SysWOW64\Jghmfhmb.exe Joaeeklp.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Keanebkb.exe File created C:\Windows\SysWOW64\Dookgcij.exe Dhdcji32.exe File opened for modification C:\Windows\SysWOW64\Ajbggjfq.exe Achojp32.exe File created C:\Windows\SysWOW64\Nldodg32.dll Meppiblm.exe File opened for modification C:\Windows\SysWOW64\Oalfhf32.exe Oomjlk32.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Cfinoq32.exe File created C:\Windows\SysWOW64\Chfpgj32.dll Ombapedi.exe File opened for modification C:\Windows\SysWOW64\Pjadmnic.exe Piphee32.exe File opened for modification C:\Windows\SysWOW64\Ikfmfi32.exe Ihgainbg.exe File opened for modification C:\Windows\SysWOW64\Jhljdm32.exe Jfnnha32.exe File opened for modification C:\Windows\SysWOW64\Jfekcg32.exe Jmmfkafa.exe File created C:\Windows\SysWOW64\Bpiipf32.exe Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Flgeqgog.exe Fiihdlpc.exe File opened for modification C:\Windows\SysWOW64\Mkhofjoj.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Kicmdo32.exe Kaldcb32.exe File opened for modification C:\Windows\SysWOW64\Mmneda32.exe Lfdmggnm.exe File created C:\Windows\SysWOW64\Jbllihbf.exe Jkbcln32.exe File created C:\Windows\SysWOW64\Eqbddk32.exe Ekelld32.exe File created C:\Windows\SysWOW64\Najgne32.dll Eqijej32.exe File opened for modification C:\Windows\SysWOW64\Qgmdjp32.exe Qeohnd32.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File created C:\Windows\SysWOW64\Ehllae32.dll Ikpjgkjq.exe File created C:\Windows\SysWOW64\Mffimglk.exe Mbkmlh32.exe File opened for modification C:\Windows\SysWOW64\Dgmglh32.exe Clcflkic.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Lkncmmle.exe File created C:\Windows\SysWOW64\Emfmdo32.dll Aaheie32.exe File created C:\Windows\SysWOW64\Plgifc32.dll Agfgqo32.exe File created C:\Windows\SysWOW64\Caknol32.exe Ckafbbph.exe File created C:\Windows\SysWOW64\Iqapllgh.dll Gpqpjj32.exe File created C:\Windows\SysWOW64\Ehdqecfo.dll Gepehphc.exe File created C:\Windows\SysWOW64\Egnhob32.dll Nmnace32.exe File created C:\Windows\SysWOW64\Gapiomln.dll Jgnamk32.exe File created C:\Windows\SysWOW64\Mppepcfg.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Kpbbidem.dll Nhfipcid.exe File created C:\Windows\SysWOW64\Ckgkkllh.dll Dlnbeh32.exe File opened for modification C:\Windows\SysWOW64\Ncpcfkbg.exe Nodgel32.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File opened for modification C:\Windows\SysWOW64\Kgnnln32.exe Keoapb32.exe File created C:\Windows\SysWOW64\Jndkpj32.dll Fhneehek.exe File opened for modification C:\Windows\SysWOW64\Jdbkjn32.exe Jbdonb32.exe File opened for modification C:\Windows\SysWOW64\Lhbcfa32.exe Lecgje32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6472 6448 WerFault.exe 608 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll" Abphal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgiaak32.dll" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjadmnic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll" Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhfdohg.dll" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlepd32.dll" Olpdjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmdcpnkh.dll" Fhqbkhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpoifde.dll" Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll" Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecmkghcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhaqogk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcegmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npccpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hedocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmokmik.dll" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" Hdhbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpgljfbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbeflpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll" Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immfnjan.dll" Kcihlong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bajomhbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balkchpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mponel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqemdbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Jmhmpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jchhkjhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhhpeafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohigamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikhjki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objbcm32.dll" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfqpega.dll" Jchhkjhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oincig32.dll" Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfbghho.dll" Gakcimgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djhphncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjejlhlg.dll" Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll" Mmneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcibkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehdqecfo.dll" Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehkbgdf.dll" Gebbnpfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nadpgggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lefdpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpqpjj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2888 wrote to memory of 1808 2888 972385da37ff824373093132880ce010_NeikiAnalytics.exe 29 PID 2888 wrote to memory of 1808 2888 972385da37ff824373093132880ce010_NeikiAnalytics.exe 29 PID 2888 wrote to memory of 1808 2888 972385da37ff824373093132880ce010_NeikiAnalytics.exe 29 PID 2888 wrote to memory of 1808 2888 972385da37ff824373093132880ce010_NeikiAnalytics.exe 29 PID 1808 wrote to memory of 1728 1808 Ambmpmln.exe 30 PID 1808 wrote to memory of 1728 1808 Ambmpmln.exe 30 PID 1808 wrote to memory of 1728 1808 Ambmpmln.exe 30 PID 1808 wrote to memory of 1728 1808 Ambmpmln.exe 30 PID 1728 wrote to memory of 2620 1728 Afkbib32.exe 31 PID 1728 wrote to memory of 2620 1728 Afkbib32.exe 31 PID 1728 wrote to memory of 2620 1728 Afkbib32.exe 31 PID 1728 wrote to memory of 2620 1728 Afkbib32.exe 31 PID 2620 wrote to memory of 2660 2620 Aoffmd32.exe 32 PID 2620 wrote to memory of 2660 2620 Aoffmd32.exe 32 PID 2620 wrote to memory of 2660 2620 Aoffmd32.exe 32 PID 2620 wrote to memory of 2660 2620 Aoffmd32.exe 32 PID 2660 wrote to memory of 2780 2660 Ahokfj32.exe 33 PID 2660 wrote to memory of 2780 2660 Ahokfj32.exe 33 PID 2660 wrote to memory of 2780 2660 Ahokfj32.exe 33 PID 2660 wrote to memory of 2780 2660 Ahokfj32.exe 33 PID 2780 wrote to memory of 2624 2780 Bagpopmj.exe 34 PID 2780 wrote to memory of 2624 2780 Bagpopmj.exe 34 PID 2780 wrote to memory of 2624 2780 Bagpopmj.exe 34 PID 2780 wrote to memory of 2624 2780 Bagpopmj.exe 34 PID 2624 wrote to memory of 2632 2624 Bkodhe32.exe 35 PID 2624 wrote to memory of 2632 2624 Bkodhe32.exe 35 PID 2624 wrote to memory of 2632 2624 Bkodhe32.exe 35 PID 2624 wrote to memory of 2632 2624 Bkodhe32.exe 35 PID 2632 wrote to memory of 296 2632 Beehencq.exe 36 PID 2632 wrote to memory of 296 2632 Beehencq.exe 36 PID 2632 wrote to memory of 296 2632 Beehencq.exe 36 PID 2632 wrote to memory of 296 2632 Beehencq.exe 36 PID 296 wrote to memory of 1960 296 Bkaqmeah.exe 37 PID 296 wrote to memory of 1960 296 Bkaqmeah.exe 37 PID 296 wrote to memory of 1960 296 Bkaqmeah.exe 37 PID 296 wrote to memory of 1960 296 Bkaqmeah.exe 37 PID 1960 wrote to memory of 2792 1960 Bhfagipa.exe 38 PID 1960 wrote to memory of 2792 1960 Bhfagipa.exe 38 PID 1960 wrote to memory of 2792 1960 Bhfagipa.exe 38 PID 1960 wrote to memory of 2792 1960 Bhfagipa.exe 38 PID 2792 wrote to memory of 1976 2792 Banepo32.exe 39 PID 2792 wrote to memory of 1976 2792 Banepo32.exe 39 PID 2792 wrote to memory of 1976 2792 Banepo32.exe 39 PID 2792 wrote to memory of 1976 2792 Banepo32.exe 39 PID 1976 wrote to memory of 1444 1976 Bdlblj32.exe 40 PID 1976 wrote to memory of 1444 1976 Bdlblj32.exe 40 PID 1976 wrote to memory of 1444 1976 Bdlblj32.exe 40 PID 1976 wrote to memory of 1444 1976 Bdlblj32.exe 40 PID 1444 wrote to memory of 2160 1444 Cjlgiqbk.exe 41 PID 1444 wrote to memory of 2160 1444 Cjlgiqbk.exe 41 PID 1444 wrote to memory of 2160 1444 Cjlgiqbk.exe 41 PID 1444 wrote to memory of 2160 1444 Cjlgiqbk.exe 41 PID 2160 wrote to memory of 2348 2160 Cdakgibq.exe 42 PID 2160 wrote to memory of 2348 2160 Cdakgibq.exe 42 PID 2160 wrote to memory of 2348 2160 Cdakgibq.exe 42 PID 2160 wrote to memory of 2348 2160 Cdakgibq.exe 42 PID 2348 wrote to memory of 2856 2348 Chemfl32.exe 43 PID 2348 wrote to memory of 2856 2348 Chemfl32.exe 43 PID 2348 wrote to memory of 2856 2348 Chemfl32.exe 43 PID 2348 wrote to memory of 2856 2348 Chemfl32.exe 43 PID 2856 wrote to memory of 992 2856 Cfinoq32.exe 44 PID 2856 wrote to memory of 992 2856 Cfinoq32.exe 44 PID 2856 wrote to memory of 992 2856 Cfinoq32.exe 44 PID 2856 wrote to memory of 992 2856 Cfinoq32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\972385da37ff824373093132880ce010_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\972385da37ff824373093132880ce010_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe33⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe34⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe35⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe36⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe37⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe38⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe39⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe40⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe41⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe42⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe43⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe46⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe47⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe48⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe49⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe51⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe52⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe53⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe54⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe57⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe58⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe61⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe62⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe63⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe65⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe66⤵PID:2328
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe67⤵PID:588
-
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe68⤵PID:1852
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe69⤵PID:600
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe70⤵PID:1520
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe71⤵
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe72⤵PID:2872
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe73⤵
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1828 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe75⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe78⤵PID:2044
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe79⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe80⤵PID:2232
-
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe81⤵PID:1616
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe82⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe83⤵
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe84⤵PID:2468
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe85⤵PID:348
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe86⤵PID:832
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe88⤵PID:1792
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe89⤵PID:1332
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe90⤵PID:2356
-
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe91⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe92⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe93⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe94⤵PID:2944
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe95⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe97⤵PID:1516
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe98⤵PID:2900
-
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe99⤵
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe100⤵PID:2276
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe101⤵PID:1856
-
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe102⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe103⤵PID:2384
-
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe104⤵PID:2128
-
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe105⤵PID:1612
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe106⤵PID:2080
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:344 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe108⤵PID:1572
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe109⤵
- Modifies registry class
PID:352 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe110⤵PID:2692
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe111⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe112⤵PID:2516
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe113⤵PID:2532
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe114⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe115⤵
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe116⤵PID:1312
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe119⤵PID:1096
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe120⤵PID:892
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe121⤵PID:3032
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-