Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
10-05-2024 14:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe
-
Size
78KB
-
MD5
05342398ea26d530d939c7dfd69d6090
-
SHA1
dd85dadab0198e77056704c7ae5b0ba3d222cc54
-
SHA256
49803bdee0eaa2b554e7defe3c708e460f80972b08dfb05fef432dd6a84744d9
-
SHA512
1e279cedb1e9c4f491f3a46b619e97252dc1f82b1626a1c26505f78d34e8cbd63a124516879f0fe767595dfa4240059f32c1fab3c404c418d271faa595b34bad
-
SSDEEP
1536:rONNIU3kE7hClcTZPWriNTpTaXRat09sI//2iL6yf5oAnqDM+4yyF:SNNvplu9sI//2iLCuq4cyF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehmdhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnqphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcpii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpfkqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moiklogi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmjedoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdkao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqdajkkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjglbml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehmdhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anojbobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjqccigf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlibjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgljbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidjnkdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmopod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lliflp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Comimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflmci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqamn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbeknj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmmfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpigfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chbjffad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiomkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaceodek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe -
Executes dropped EXE 64 IoCs
pid Process 1660 Bnpmipql.exe 2564 Bkdmcdoe.exe 2840 Bopicc32.exe 2620 Bdooajdc.exe 2628 Cgmkmecg.exe 2580 Cngcjo32.exe 2476 Ccdlbf32.exe 2756 Cllpkl32.exe 2792 Coklgg32.exe 1888 Cjpqdp32.exe 1932 Comimg32.exe 1676 Cfgaiaci.exe 1608 Ckdjbh32.exe 2228 Cbnbobin.exe 1416 Cdlnkmha.exe 816 Cndbcc32.exe 2240 Ddokpmfo.exe 3068 Dgmglh32.exe 1256 Dqelenlc.exe 1840 Dgodbh32.exe 1768 Dbehoa32.exe 888 Dkmmhf32.exe 1948 Djpmccqq.exe 572 Ddeaalpg.exe 376 Dfgmhd32.exe 2960 Dqlafm32.exe 1528 Dfijnd32.exe 3052 Eqonkmdh.exe 2716 Eijcpoac.exe 2740 Emeopn32.exe 2680 Epdkli32.exe 2368 Emhlfmgj.exe 2948 Enihne32.exe 2448 Eiomkn32.exe 1940 Elmigj32.exe 1216 Eeempocb.exe 2152 Fhffaj32.exe 344 Fjdbnf32.exe 1572 Fhhcgj32.exe 1688 Fnbkddem.exe 2252 Faagpp32.exe 1912 Ffnphf32.exe 2012 Filldb32.exe 2412 Ffpmnf32.exe 1240 Fioija32.exe 776 Fphafl32.exe 704 Fiaeoang.exe 1252 Gpknlk32.exe 2988 Gbijhg32.exe 2892 Gegfdb32.exe 2136 Ghfbqn32.exe 2824 Glaoalkh.exe 2664 Gopkmhjk.exe 2604 Gejcjbah.exe 2336 Gkgkbipp.exe 2480 Gaqcoc32.exe 2536 Gelppaof.exe 1636 Ghkllmoi.exe 2760 Gkihhhnm.exe 1744 Gacpdbej.exe 2184 Geolea32.exe 1008 Ghmiam32.exe 1904 Gkkemh32.exe 1424 Gaemjbcg.exe -
Loads dropped DLL 64 IoCs
pid Process 2432 05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe 2432 05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe 1660 Bnpmipql.exe 1660 Bnpmipql.exe 2564 Bkdmcdoe.exe 2564 Bkdmcdoe.exe 2840 Bopicc32.exe 2840 Bopicc32.exe 2620 Bdooajdc.exe 2620 Bdooajdc.exe 2628 Cgmkmecg.exe 2628 Cgmkmecg.exe 2580 Cngcjo32.exe 2580 Cngcjo32.exe 2476 Ccdlbf32.exe 2476 Ccdlbf32.exe 2756 Cllpkl32.exe 2756 Cllpkl32.exe 2792 Coklgg32.exe 2792 Coklgg32.exe 1888 Cjpqdp32.exe 1888 Cjpqdp32.exe 1932 Comimg32.exe 1932 Comimg32.exe 1676 Cfgaiaci.exe 1676 Cfgaiaci.exe 1608 Ckdjbh32.exe 1608 Ckdjbh32.exe 2228 Cbnbobin.exe 2228 Cbnbobin.exe 1416 Cdlnkmha.exe 1416 Cdlnkmha.exe 816 Cndbcc32.exe 816 Cndbcc32.exe 2240 Ddokpmfo.exe 2240 Ddokpmfo.exe 3068 Dgmglh32.exe 3068 Dgmglh32.exe 1256 Dqelenlc.exe 1256 Dqelenlc.exe 1840 Dgodbh32.exe 1840 Dgodbh32.exe 1768 Dbehoa32.exe 1768 Dbehoa32.exe 888 Dkmmhf32.exe 888 Dkmmhf32.exe 1948 Djpmccqq.exe 1948 Djpmccqq.exe 572 Ddeaalpg.exe 572 Ddeaalpg.exe 376 Dfgmhd32.exe 376 Dfgmhd32.exe 2960 Dqlafm32.exe 2960 Dqlafm32.exe 1528 Dfijnd32.exe 1528 Dfijnd32.exe 3052 Eqonkmdh.exe 3052 Eqonkmdh.exe 2716 Eijcpoac.exe 2716 Eijcpoac.exe 2740 Emeopn32.exe 2740 Emeopn32.exe 2680 Epdkli32.exe 2680 Epdkli32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hepmggig.dll Hnojdcfi.exe File opened for modification C:\Windows\SysWOW64\Cllpkl32.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Gadkgl32.dll Eeempocb.exe File created C:\Windows\SysWOW64\Cfeoofge.dll Dfijnd32.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Epdkli32.exe File created C:\Windows\SysWOW64\Ojchmpcd.dll Joifam32.exe File created C:\Windows\SysWOW64\Nlbeqb32.exe Nhfipcid.exe File created C:\Windows\SysWOW64\Ckdjbh32.exe Cfgaiaci.exe File created C:\Windows\SysWOW64\Gfedefbi.dll Ddeaalpg.exe File created C:\Windows\SysWOW64\Ngogde32.dll Nhdlkdkg.exe File created C:\Windows\SysWOW64\Lfnbefhd.dll Njlockkm.exe File opened for modification C:\Windows\SysWOW64\Ceodnl32.exe Ccahbp32.exe File opened for modification C:\Windows\SysWOW64\Dgmglh32.exe Ddokpmfo.exe File created C:\Windows\SysWOW64\Joifam32.exe Jiondcpk.exe File created C:\Windows\SysWOW64\Oqideepg.exe Onjgiiad.exe File created C:\Windows\SysWOW64\Mclgfa32.dll Bdgafdfp.exe File created C:\Windows\SysWOW64\Gbaoqk32.dll Idklfpon.exe File created C:\Windows\SysWOW64\Akodpalp.dll Kfbkmk32.exe File created C:\Windows\SysWOW64\Gemaaoaf.dll Kkijmm32.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lemaif32.exe File created C:\Windows\SysWOW64\Nceclqan.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Papfegmk.exe Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Qedhdjnh.exe Qcbllb32.exe File created C:\Windows\SysWOW64\Ebmgcohn.exe Enakbp32.exe File created C:\Windows\SysWOW64\Cgcmfjnn.dll Dqlafm32.exe File opened for modification C:\Windows\SysWOW64\Kkgmgmfd.exe Kihqkagp.exe File created C:\Windows\SysWOW64\Lhpfqama.exe Lafndg32.exe File opened for modification C:\Windows\SysWOW64\Nefpnhlc.exe Ncgdbmmp.exe File opened for modification C:\Windows\SysWOW64\Nacgdhlp.exe Njlockkm.exe File created C:\Windows\SysWOW64\Cgmkmecg.exe Bdooajdc.exe File created C:\Windows\SysWOW64\Kmjfdejp.exe Kkijmm32.exe File created C:\Windows\SysWOW64\Jbelkc32.dll Fioija32.exe File opened for modification C:\Windows\SysWOW64\Qcpofbjl.exe Qabcjgkh.exe File opened for modification C:\Windows\SysWOW64\Igkdgk32.exe Idmhkpml.exe File created C:\Windows\SysWOW64\Bneqdoee.dll Ckjpacfp.exe File created C:\Windows\SysWOW64\Ceodnl32.exe Ccahbp32.exe File created C:\Windows\SysWOW64\Chbjffad.exe Cdgneh32.exe File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Khejeajg.dll Hlcgeo32.exe File created C:\Windows\SysWOW64\Hgeegb32.dll Mhdplq32.exe File created C:\Windows\SysWOW64\Mpfkqb32.exe Mimbdhhb.exe File opened for modification C:\Windows\SysWOW64\Obafnlpn.exe Okgnab32.exe File created C:\Windows\SysWOW64\Flmpfjke.dll Kpkofpgq.exe File created C:\Windows\SysWOW64\Okhklfnh.dll Llnofpcg.exe File opened for modification C:\Windows\SysWOW64\Nkbhgojk.exe Nhdlkdkg.exe File opened for modification C:\Windows\SysWOW64\Dhdcji32.exe Dbkknojp.exe File created C:\Windows\SysWOW64\Ghqknigk.dll Ffpmnf32.exe File created C:\Windows\SysWOW64\Llfifq32.exe Lemaif32.exe File created C:\Windows\SysWOW64\Ckgkkllh.dll Dhbfdjdp.exe File created C:\Windows\SysWOW64\Ejobhppq.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Qcbllb32.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Iebpge32.dll Gelppaof.exe File created C:\Windows\SysWOW64\Qfokbnip.exe Qcpofbjl.exe File created C:\Windows\SysWOW64\Incpoe32.exe Ikddbj32.exe File opened for modification C:\Windows\SysWOW64\Jiakjb32.exe Jfcnngnd.exe File created C:\Windows\SysWOW64\Oimpgolj.dll Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Lliflp32.exe Lijjoe32.exe File opened for modification C:\Windows\SysWOW64\Lollckbk.exe Llnofpcg.exe File created C:\Windows\SysWOW64\Eeoffcnl.dll Papfegmk.exe File created C:\Windows\SysWOW64\Jjlcbpdk.dll Qfokbnip.exe File opened for modification C:\Windows\SysWOW64\Aipddi32.exe Qedhdjnh.exe File opened for modification C:\Windows\SysWOW64\Cngcjo32.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Odoghjmf.dll Iggkllpe.exe File created C:\Windows\SysWOW64\Cafecmlj.exe Cohigamf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4940 4916 WerFault.exe 363 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" Qlkdkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maodqp32.dll" Jfcnngnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaaijdgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdmmfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogblbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmefakc.dll" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konojnki.dll" Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maoajf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlhmj32.dll" Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odoghjmf.dll" Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclgfa32.dll" Bdgafdfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbfabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epdkli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mimbdhhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkeqmgm.dll" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjfoqkg.dll" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oklkmnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Papfegmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqmbdn32.dll" Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmddnil.dll" Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iokfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnnggjm.dll" Joplbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffpmnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inljnfkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnekf32.dll" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimfgo32.dll" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjidgghp.dll" Dknekeef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjobj32.dll" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacima32.dll" Mihiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cclkfdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnclh32.dll" Dkqbaecc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkemh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlegpjp.dll" Ncgdbmmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2432 wrote to memory of 1660 2432 05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe 28 PID 2432 wrote to memory of 1660 2432 05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe 28 PID 2432 wrote to memory of 1660 2432 05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe 28 PID 2432 wrote to memory of 1660 2432 05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe 28 PID 1660 wrote to memory of 2564 1660 Bnpmipql.exe 29 PID 1660 wrote to memory of 2564 1660 Bnpmipql.exe 29 PID 1660 wrote to memory of 2564 1660 Bnpmipql.exe 29 PID 1660 wrote to memory of 2564 1660 Bnpmipql.exe 29 PID 2564 wrote to memory of 2840 2564 Bkdmcdoe.exe 30 PID 2564 wrote to memory of 2840 2564 Bkdmcdoe.exe 30 PID 2564 wrote to memory of 2840 2564 Bkdmcdoe.exe 30 PID 2564 wrote to memory of 2840 2564 Bkdmcdoe.exe 30 PID 2840 wrote to memory of 2620 2840 Bopicc32.exe 31 PID 2840 wrote to memory of 2620 2840 Bopicc32.exe 31 PID 2840 wrote to memory of 2620 2840 Bopicc32.exe 31 PID 2840 wrote to memory of 2620 2840 Bopicc32.exe 31 PID 2620 wrote to memory of 2628 2620 Bdooajdc.exe 32 PID 2620 wrote to memory of 2628 2620 Bdooajdc.exe 32 PID 2620 wrote to memory of 2628 2620 Bdooajdc.exe 32 PID 2620 wrote to memory of 2628 2620 Bdooajdc.exe 32 PID 2628 wrote to memory of 2580 2628 Cgmkmecg.exe 33 PID 2628 wrote to memory of 2580 2628 Cgmkmecg.exe 33 PID 2628 wrote to memory of 2580 2628 Cgmkmecg.exe 33 PID 2628 wrote to memory of 2580 2628 Cgmkmecg.exe 33 PID 2580 wrote to memory of 2476 2580 Cngcjo32.exe 34 PID 2580 wrote to memory of 2476 2580 Cngcjo32.exe 34 PID 2580 wrote to memory of 2476 2580 Cngcjo32.exe 34 PID 2580 wrote to memory of 2476 2580 Cngcjo32.exe 34 PID 2476 wrote to memory of 2756 2476 Ccdlbf32.exe 35 PID 2476 wrote to memory of 2756 2476 Ccdlbf32.exe 35 PID 2476 wrote to memory of 2756 2476 Ccdlbf32.exe 35 PID 2476 wrote to memory of 2756 2476 Ccdlbf32.exe 35 PID 2756 wrote to memory of 2792 2756 Cllpkl32.exe 36 PID 2756 wrote to memory of 2792 2756 Cllpkl32.exe 36 PID 2756 wrote to memory of 2792 2756 Cllpkl32.exe 36 PID 2756 wrote to memory of 2792 2756 Cllpkl32.exe 36 PID 2792 wrote to memory of 1888 2792 Coklgg32.exe 37 PID 2792 wrote to memory of 1888 2792 Coklgg32.exe 37 PID 2792 wrote to memory of 1888 2792 Coklgg32.exe 37 PID 2792 wrote to memory of 1888 2792 Coklgg32.exe 37 PID 1888 wrote to memory of 1932 1888 Cjpqdp32.exe 38 PID 1888 wrote to memory of 1932 1888 Cjpqdp32.exe 38 PID 1888 wrote to memory of 1932 1888 Cjpqdp32.exe 38 PID 1888 wrote to memory of 1932 1888 Cjpqdp32.exe 38 PID 1932 wrote to memory of 1676 1932 Comimg32.exe 39 PID 1932 wrote to memory of 1676 1932 Comimg32.exe 39 PID 1932 wrote to memory of 1676 1932 Comimg32.exe 39 PID 1932 wrote to memory of 1676 1932 Comimg32.exe 39 PID 1676 wrote to memory of 1608 1676 Cfgaiaci.exe 40 PID 1676 wrote to memory of 1608 1676 Cfgaiaci.exe 40 PID 1676 wrote to memory of 1608 1676 Cfgaiaci.exe 40 PID 1676 wrote to memory of 1608 1676 Cfgaiaci.exe 40 PID 1608 wrote to memory of 2228 1608 Ckdjbh32.exe 41 PID 1608 wrote to memory of 2228 1608 Ckdjbh32.exe 41 PID 1608 wrote to memory of 2228 1608 Ckdjbh32.exe 41 PID 1608 wrote to memory of 2228 1608 Ckdjbh32.exe 41 PID 2228 wrote to memory of 1416 2228 Cbnbobin.exe 42 PID 2228 wrote to memory of 1416 2228 Cbnbobin.exe 42 PID 2228 wrote to memory of 1416 2228 Cbnbobin.exe 42 PID 2228 wrote to memory of 1416 2228 Cbnbobin.exe 42 PID 1416 wrote to memory of 816 1416 Cdlnkmha.exe 43 PID 1416 wrote to memory of 816 1416 Cdlnkmha.exe 43 PID 1416 wrote to memory of 816 1416 Cdlnkmha.exe 43 PID 1416 wrote to memory of 816 1416 Cdlnkmha.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\05342398ea26d530d939c7dfd69d6090_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe33⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe34⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe36⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe38⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe39⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe40⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe41⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe43⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe44⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe47⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe48⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe49⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe50⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe51⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe52⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe54⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe55⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe57⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe60⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe61⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe63⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe65⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe68⤵PID:884
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe69⤵PID:1788
-
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe70⤵
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe71⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe72⤵PID:1864
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1536 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe74⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe75⤵PID:2976
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe76⤵PID:2516
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe77⤵PID:1596
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe78⤵PID:2788
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe79⤵PID:2172
-
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe80⤵PID:2928
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe81⤵PID:2408
-
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe82⤵PID:2276
-
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe83⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe84⤵PID:2076
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe85⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe86⤵PID:840
-
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe87⤵PID:1284
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe88⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe91⤵PID:2916
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe92⤵PID:2752
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe93⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe94⤵PID:1920
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe95⤵
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe96⤵
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe97⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe98⤵PID:2648
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe100⤵PID:1312
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe101⤵PID:2032
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe102⤵
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe106⤵
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe107⤵PID:1844
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe108⤵PID:2168
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe109⤵PID:1412
-
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe110⤵PID:2216
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe112⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe113⤵PID:1960
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe115⤵PID:2688
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe116⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe117⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe118⤵PID:2348
-
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe119⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe121⤵PID:1164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-