Analysis
-
max time kernel
148s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11/05/2024, 22:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe
-
Size
444KB
-
MD5
436c4e47b043342c2a862269dfb5f0c0
-
SHA1
35bb69fefaf03000261d88f708df4254967d6590
-
SHA256
485bce19d935cf6f4b5d974676fe63e8543e69faae42dd5af0be3aae9a4fe610
-
SHA512
d935e6286eaeaca682dc71aaa7f5018438c365d0026f5a9744887e8d4261f0dba6cf78f9e8db7d100d5432e5ac3e419ac12b05d1628cd368b74874f2ad4db222
-
SSDEEP
12288:/vwbWGRdA6sQhPbWGRdA6sQCkbWGRdA6sQhPbWGRdA6sQ:Xwvhv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhehek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijpnfif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcoqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhpfqama.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cafecmlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faigdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeqabgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jejhecaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igakgfpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojomkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igchlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkpbcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgpjlnhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjmaaddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgqcmlgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hanlnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmaaddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmefooki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moiklogi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhfob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmclhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figlolbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhehek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igchlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccahbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbiqfied.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjpeifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikkjbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfjbdle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkppbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfcikek.exe -
Executes dropped EXE 64 IoCs
pid Process 2944 Gldkfl32.exe 2980 Gmgdddmq.exe 2628 Gddifnbk.exe 2284 Hgbebiao.exe 2444 Hiekid32.exe 2428 Hlcgeo32.exe 2120 Hobcak32.exe 2748 Hodpgjha.exe 1088 Hogmmjfo.exe 804 Ihdkao32.exe 1776 Iggkllpe.exe 680 Inqcif32.exe 2208 Idklfpon.exe 1524 Incpoe32.exe 2260 Iqalka32.exe 2788 Jicgpb32.exe 544 Jonplmcb.exe 412 Jfghif32.exe 2996 Jejhecaj.exe 1740 Joplbl32.exe 752 Jnclnihj.exe 1648 Kaaijdgn.exe 2508 Kgkafo32.exe 292 Kjjmbj32.exe 2196 Keoapb32.exe 1132 Kjljhjkl.exe 1688 Kcdnao32.exe 1704 Kgpjanje.exe 2620 Knjbnh32.exe 2976 Kjqccigf.exe 2632 Kmopod32.exe 2416 Kcihlong.exe 2692 Lldlqakb.exe 2852 Lckdanld.exe 816 Lbnemk32.exe 2596 Lihmjejl.exe 1976 Lmcijcbe.exe 2900 Lpbefoai.exe 2328 Lflmci32.exe 2244 Leonofpp.exe 1220 Lliflp32.exe 1480 Lpdbloof.exe 2288 Lbcnhjnj.exe 1792 Leajdfnm.exe 2992 Lhpfqama.exe 1816 Lojomkdn.exe 1640 Lahkigca.exe 844 Lecgje32.exe 2312 Lhbcfa32.exe 2180 Lkppbl32.exe 644 Ldidkbpb.exe 2680 Mhdplq32.exe 1804 Mkclhl32.exe 1668 Mhgmapfi.exe 2588 Mkeimlfm.exe 1496 Mmceigep.exe 2156 Maoajf32.exe 2696 Mdmmfa32.exe 2384 Mkgfckcj.exe 2212 Mijfnh32.exe 1060 Mlibjc32.exe 1092 Mpdnkb32.exe 1500 Mdpjlajk.exe 1016 Meagci32.exe -
Loads dropped DLL 64 IoCs
pid Process 1948 436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe 1948 436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe 2944 Gldkfl32.exe 2944 Gldkfl32.exe 2980 Gmgdddmq.exe 2980 Gmgdddmq.exe 2628 Gddifnbk.exe 2628 Gddifnbk.exe 2284 Hgbebiao.exe 2284 Hgbebiao.exe 2444 Hiekid32.exe 2444 Hiekid32.exe 2428 Hlcgeo32.exe 2428 Hlcgeo32.exe 2120 Hobcak32.exe 2120 Hobcak32.exe 2748 Hodpgjha.exe 2748 Hodpgjha.exe 1088 Hogmmjfo.exe 1088 Hogmmjfo.exe 804 Ihdkao32.exe 804 Ihdkao32.exe 1776 Iggkllpe.exe 1776 Iggkllpe.exe 680 Inqcif32.exe 680 Inqcif32.exe 2208 Idklfpon.exe 2208 Idklfpon.exe 1524 Incpoe32.exe 1524 Incpoe32.exe 2260 Iqalka32.exe 2260 Iqalka32.exe 2788 Jicgpb32.exe 2788 Jicgpb32.exe 544 Jonplmcb.exe 544 Jonplmcb.exe 412 Jfghif32.exe 412 Jfghif32.exe 2996 Jejhecaj.exe 2996 Jejhecaj.exe 1740 Joplbl32.exe 1740 Joplbl32.exe 752 Jnclnihj.exe 752 Jnclnihj.exe 1648 Kaaijdgn.exe 1648 Kaaijdgn.exe 2508 Kgkafo32.exe 2508 Kgkafo32.exe 292 Kjjmbj32.exe 292 Kjjmbj32.exe 2196 Keoapb32.exe 2196 Keoapb32.exe 1132 Kjljhjkl.exe 1132 Kjljhjkl.exe 1688 Kcdnao32.exe 1688 Kcdnao32.exe 1704 Kgpjanje.exe 1704 Kgpjanje.exe 2620 Knjbnh32.exe 2620 Knjbnh32.exe 2976 Kjqccigf.exe 2976 Kjqccigf.exe 2632 Kmopod32.exe 2632 Kmopod32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Amkoie32.dll Okikfagn.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Iipgcaob.exe File created C:\Windows\SysWOW64\Leimip32.exe Kbkameaf.exe File created C:\Windows\SysWOW64\Hjkbhikj.dll Pikkiijf.exe File created C:\Windows\SysWOW64\Ccahbp32.exe Coelaaoi.exe File opened for modification C:\Windows\SysWOW64\Gdjpeifj.exe Gpncej32.exe File created C:\Windows\SysWOW64\Cjnolikh.dll Bmclhi32.exe File created C:\Windows\SysWOW64\Fehofegb.dll Alnqqd32.exe File created C:\Windows\SysWOW64\Jfiilbkl.dll Dnoomqbg.exe File opened for modification C:\Windows\SysWOW64\Ecqqpgli.exe Ednpej32.exe File created C:\Windows\SysWOW64\Ihjnom32.exe Idnaoohk.exe File created C:\Windows\SysWOW64\Jofbag32.exe Ikhjki32.exe File opened for modification C:\Windows\SysWOW64\Bpnbkeld.exe Blbfjg32.exe File created C:\Windows\SysWOW64\Effcma32.exe Ebjglbml.exe File created C:\Windows\SysWOW64\Hlqdei32.exe Hhehek32.exe File created C:\Windows\SysWOW64\Heihnoph.exe Hanlnp32.exe File created C:\Windows\SysWOW64\Bneqdoee.dll Coelaaoi.exe File opened for modification C:\Windows\SysWOW64\Hojgfemq.exe Ghqnjk32.exe File created C:\Windows\SysWOW64\Giicle32.dll Hkaglf32.exe File created C:\Windows\SysWOW64\Bdlhejlj.dll Ikhjki32.exe File created C:\Windows\SysWOW64\Aaebnq32.dll Lgmcqkkh.exe File created C:\Windows\SysWOW64\Niebhf32.exe Nplmop32.exe File created C:\Windows\SysWOW64\Lmcijcbe.exe Lihmjejl.exe File created C:\Windows\SysWOW64\Bbmfll32.dll Lhbcfa32.exe File created C:\Windows\SysWOW64\Meccii32.exe Mgqcmlgl.exe File created C:\Windows\SysWOW64\Ligkin32.dll Bpiipf32.exe File created C:\Windows\SysWOW64\Jaqddb32.dll Enhacojl.exe File created C:\Windows\SysWOW64\Imehcohk.dll Edpmjj32.exe File opened for modification C:\Windows\SysWOW64\Mlfojn32.exe Melfncqb.exe File opened for modification C:\Windows\SysWOW64\Joplbl32.exe Jejhecaj.exe File created C:\Windows\SysWOW64\Lpbefoai.exe Lmcijcbe.exe File opened for modification C:\Windows\SysWOW64\Mkeimlfm.exe Mhgmapfi.exe File opened for modification C:\Windows\SysWOW64\Nehmdhja.exe Ncjqhmkm.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Bblogakg.exe File opened for modification C:\Windows\SysWOW64\Lihmjejl.exe Lbnemk32.exe File created C:\Windows\SysWOW64\Dqehhb32.dll Mkclhl32.exe File created C:\Windows\SysWOW64\Efkdgmla.dll Abjebn32.exe File created C:\Windows\SysWOW64\Bbhela32.exe Bdeeqehb.exe File created C:\Windows\SysWOW64\Ghelfg32.exe Gdjpeifj.exe File created C:\Windows\SysWOW64\Akbipbbd.dll Jfiale32.exe File created C:\Windows\SysWOW64\Gogcek32.dll Ebmgcohn.exe File created C:\Windows\SysWOW64\Pfabenjd.dll Gmgdddmq.exe File created C:\Windows\SysWOW64\Pbmnie32.dll Mkgfckcj.exe File created C:\Windows\SysWOW64\Eeopgmbf.dll Nncahjgl.exe File created C:\Windows\SysWOW64\Obojhlbq.exe Oopnlacm.exe File created C:\Windows\SysWOW64\Jicdaj32.dll Qmicohqm.exe File created C:\Windows\SysWOW64\Oghmhi32.dll Nehmdhja.exe File created C:\Windows\SysWOW64\Ebbgbdkh.dll Ogeigofa.exe File created C:\Windows\SysWOW64\Ahlgfdeq.exe Adpkee32.exe File created C:\Windows\SysWOW64\Bqnfen32.dll Gbaileio.exe File created C:\Windows\SysWOW64\Jchhkjhn.exe Jbgkcb32.exe File opened for modification C:\Windows\SysWOW64\Lbiqfied.exe Liplnc32.exe File created C:\Windows\SysWOW64\Jhcfhi32.dll Lbiqfied.exe File created C:\Windows\SysWOW64\Nokeef32.dll Hlcgeo32.exe File opened for modification C:\Windows\SysWOW64\Lckdanld.exe Lldlqakb.exe File created C:\Windows\SysWOW64\Fanjadqp.dll Qpgpkcpp.exe File opened for modification C:\Windows\SysWOW64\Amfcikek.exe Alegac32.exe File opened for modification C:\Windows\SysWOW64\Edkcojga.exe Ebmgcohn.exe File opened for modification C:\Windows\SysWOW64\Enfenplo.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Ebjglbml.exe Echfaf32.exe File opened for modification C:\Windows\SysWOW64\Hgjefg32.exe Heihnoph.exe File created C:\Windows\SysWOW64\Bnpanefm.dll Kjjmbj32.exe File created C:\Windows\SysWOW64\Kjqccigf.exe Knjbnh32.exe File created C:\Windows\SysWOW64\Nhdlkdkg.exe Nefpnhlc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4548 4504 WerFault.exe 431 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibkki32.dll" Leajdfnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mijfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll" Melfncqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlegpjp.dll" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndcpj32.dll" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahlgfdeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijdqna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjfjbdle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liplnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdcpdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oomjlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhfbqi.dll" Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcjdpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll" Moanaiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oomjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaaoij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjaonpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" Aeqabgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfbfnk.dll" Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kclhicjn.dll" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjjpi32.dll" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfoak32.dll" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lckdanld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnffb32.dll" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhglodcb.dll" Qcbllb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmbhok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhehek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeidehe.dll" Nglfapnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofjfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmclhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiehea32.dll" Inqcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmmkcoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll" Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll" Pmccjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogeigofa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll" Eqgnokip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iakdqgfi.dll" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgaqoq32.dll" Hanlnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpebiecm.dll" Ilncom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcmjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgkcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anlfbi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1948 wrote to memory of 2944 1948 436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe 28 PID 1948 wrote to memory of 2944 1948 436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe 28 PID 1948 wrote to memory of 2944 1948 436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe 28 PID 1948 wrote to memory of 2944 1948 436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe 28 PID 2944 wrote to memory of 2980 2944 Gldkfl32.exe 29 PID 2944 wrote to memory of 2980 2944 Gldkfl32.exe 29 PID 2944 wrote to memory of 2980 2944 Gldkfl32.exe 29 PID 2944 wrote to memory of 2980 2944 Gldkfl32.exe 29 PID 2980 wrote to memory of 2628 2980 Gmgdddmq.exe 30 PID 2980 wrote to memory of 2628 2980 Gmgdddmq.exe 30 PID 2980 wrote to memory of 2628 2980 Gmgdddmq.exe 30 PID 2980 wrote to memory of 2628 2980 Gmgdddmq.exe 30 PID 2628 wrote to memory of 2284 2628 Gddifnbk.exe 31 PID 2628 wrote to memory of 2284 2628 Gddifnbk.exe 31 PID 2628 wrote to memory of 2284 2628 Gddifnbk.exe 31 PID 2628 wrote to memory of 2284 2628 Gddifnbk.exe 31 PID 2284 wrote to memory of 2444 2284 Hgbebiao.exe 32 PID 2284 wrote to memory of 2444 2284 Hgbebiao.exe 32 PID 2284 wrote to memory of 2444 2284 Hgbebiao.exe 32 PID 2284 wrote to memory of 2444 2284 Hgbebiao.exe 32 PID 2444 wrote to memory of 2428 2444 Hiekid32.exe 33 PID 2444 wrote to memory of 2428 2444 Hiekid32.exe 33 PID 2444 wrote to memory of 2428 2444 Hiekid32.exe 33 PID 2444 wrote to memory of 2428 2444 Hiekid32.exe 33 PID 2428 wrote to memory of 2120 2428 Hlcgeo32.exe 34 PID 2428 wrote to memory of 2120 2428 Hlcgeo32.exe 34 PID 2428 wrote to memory of 2120 2428 Hlcgeo32.exe 34 PID 2428 wrote to memory of 2120 2428 Hlcgeo32.exe 34 PID 2120 wrote to memory of 2748 2120 Hobcak32.exe 35 PID 2120 wrote to memory of 2748 2120 Hobcak32.exe 35 PID 2120 wrote to memory of 2748 2120 Hobcak32.exe 35 PID 2120 wrote to memory of 2748 2120 Hobcak32.exe 35 PID 2748 wrote to memory of 1088 2748 Hodpgjha.exe 36 PID 2748 wrote to memory of 1088 2748 Hodpgjha.exe 36 PID 2748 wrote to memory of 1088 2748 Hodpgjha.exe 36 PID 2748 wrote to memory of 1088 2748 Hodpgjha.exe 36 PID 1088 wrote to memory of 804 1088 Hogmmjfo.exe 37 PID 1088 wrote to memory of 804 1088 Hogmmjfo.exe 37 PID 1088 wrote to memory of 804 1088 Hogmmjfo.exe 37 PID 1088 wrote to memory of 804 1088 Hogmmjfo.exe 37 PID 804 wrote to memory of 1776 804 Ihdkao32.exe 38 PID 804 wrote to memory of 1776 804 Ihdkao32.exe 38 PID 804 wrote to memory of 1776 804 Ihdkao32.exe 38 PID 804 wrote to memory of 1776 804 Ihdkao32.exe 38 PID 1776 wrote to memory of 680 1776 Iggkllpe.exe 39 PID 1776 wrote to memory of 680 1776 Iggkllpe.exe 39 PID 1776 wrote to memory of 680 1776 Iggkllpe.exe 39 PID 1776 wrote to memory of 680 1776 Iggkllpe.exe 39 PID 680 wrote to memory of 2208 680 Inqcif32.exe 40 PID 680 wrote to memory of 2208 680 Inqcif32.exe 40 PID 680 wrote to memory of 2208 680 Inqcif32.exe 40 PID 680 wrote to memory of 2208 680 Inqcif32.exe 40 PID 2208 wrote to memory of 1524 2208 Idklfpon.exe 41 PID 2208 wrote to memory of 1524 2208 Idklfpon.exe 41 PID 2208 wrote to memory of 1524 2208 Idklfpon.exe 41 PID 2208 wrote to memory of 1524 2208 Idklfpon.exe 41 PID 1524 wrote to memory of 2260 1524 Incpoe32.exe 42 PID 1524 wrote to memory of 2260 1524 Incpoe32.exe 42 PID 1524 wrote to memory of 2260 1524 Incpoe32.exe 42 PID 1524 wrote to memory of 2260 1524 Incpoe32.exe 42 PID 2260 wrote to memory of 2788 2260 Iqalka32.exe 43 PID 2260 wrote to memory of 2788 2260 Iqalka32.exe 43 PID 2260 wrote to memory of 2788 2260 Iqalka32.exe 43 PID 2260 wrote to memory of 2788 2260 Iqalka32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\436c4e47b043342c2a862269dfb5f0c0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:412 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:292 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe39⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe41⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe42⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe43⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe48⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe49⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe52⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe53⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe56⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe57⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe58⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe59⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe62⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe63⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe64⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe65⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe66⤵PID:3012
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1388 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe69⤵PID:1584
-
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe70⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe71⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe72⤵PID:3056
-
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe73⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe74⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe75⤵PID:1540
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe76⤵PID:2668
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe77⤵
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe78⤵
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe79⤵PID:1560
-
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe80⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe82⤵PID:1720
-
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:344 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe84⤵PID:1764
-
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe85⤵PID:1680
-
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe86⤵PID:2456
-
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe87⤵PID:1344
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe88⤵PID:2116
-
C:\Windows\SysWOW64\Oqideepg.exeC:\Windows\system32\Oqideepg.exe89⤵PID:2576
-
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe90⤵PID:2448
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe91⤵PID:1236
-
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe92⤵
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe95⤵PID:1760
-
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe96⤵
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe97⤵PID:1488
-
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe98⤵PID:896
-
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe100⤵PID:1992
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe101⤵
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe102⤵PID:1504
-
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe103⤵PID:2240
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe104⤵PID:2040
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe105⤵PID:2672
-
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe107⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe108⤵PID:2088
-
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe109⤵PID:2232
-
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe110⤵PID:1608
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe111⤵PID:2152
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe112⤵PID:1336
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe113⤵PID:1856
-
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe114⤵PID:2860
-
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:352 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe117⤵PID:2316
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe118⤵PID:1604
-
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe120⤵PID:1904
-
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe121⤵
- Drops file in System32 directory
PID:2800
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-