Analysis
-
max time kernel
142s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11/05/2024, 00:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe
-
Size
96KB
-
MD5
40b8ace00a727d574059a57e183a1870
-
SHA1
5b07e67762f3d51df325f35f1223d9daea11020d
-
SHA256
880c6c6ec9fddb671e69ac13acb6377dab61522c33744173d8cc5da9e6610916
-
SHA512
35afdbbb05f91d1487ae37d1a8986fce6132d0518c2ceec20fc3948a3dfd208c5a7f22cf339761a7c2829e970e810c934fbbfbcc680ae0dd6136e5acd2983105
-
SSDEEP
1536:XEtfGDOkBOi75F2LyZS/FCb4noaJSNzJO/:XGf44yZSs4noakXO/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjpqdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmolnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojcecjee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghoegl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdneebf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojahnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmdoioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkpfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfpik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nialog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Incpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgljfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdplq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicbeald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiondcpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogefd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcknbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokcgmee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nejiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmmfkafa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadhnmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbfdjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbeknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aipddi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcenm32.exe -
Executes dropped EXE 64 IoCs
pid Process 3040 Baqbenep.exe 2540 Bcaomf32.exe 2644 Cgmkmecg.exe 2724 Ckignd32.exe 2804 Cngcjo32.exe 2448 Cpeofk32.exe 2908 Ccdlbf32.exe 2500 Cgpgce32.exe 2776 Cjndop32.exe 844 Cnippoha.exe 1504 Cphlljge.exe 1948 Coklgg32.exe 1984 Cgbdhd32.exe 1820 Cjpqdp32.exe 2128 Clomqk32.exe 2856 Cciemedf.exe 480 Cbkeib32.exe 1484 Cjbmjplb.exe 2916 Claifkkf.exe 956 Ckdjbh32.exe 2396 Copfbfjj.exe 1356 Cbnbobin.exe 2044 Chhjkl32.exe 940 Cndbcc32.exe 1824 Dbpodagk.exe 1652 Ddokpmfo.exe 2768 Dgmglh32.exe 2572 Dkhcmgnl.exe 2212 Dqelenlc.exe 2108 Dhmcfkme.exe 2764 Djnpnc32.exe 2000 Dnilobkm.exe 1932 Dbehoa32.exe 2232 Dcfdgiid.exe 1832 Djpmccqq.exe 320 Dnlidb32.exe 2292 Dqjepm32.exe 2180 Dfgmhd32.exe 800 Dmafennb.exe 3016 Dqlafm32.exe 628 Dcknbh32.exe 2800 Dfijnd32.exe 2340 Eqonkmdh.exe 2276 Epaogi32.exe 1976 Ebpkce32.exe 1304 Ejgcdb32.exe 2068 Emeopn32.exe 1240 Ekholjqg.exe 3008 Epdkli32.exe 2840 Ebbgid32.exe 3028 Eeqdep32.exe 2984 Eilpeooq.exe 2600 Ekklaj32.exe 2332 Epfhbign.exe 2464 Eecqjpee.exe 1920 Eiomkn32.exe 2940 Elmigj32.exe 1964 Epieghdk.exe 1032 Ebgacddo.exe 2024 Eajaoq32.exe 1116 Eiaiqn32.exe 2904 Egdilkbf.exe 360 Ejbfhfaj.exe 2392 Ennaieib.exe -
Loads dropped DLL 64 IoCs
pid Process 2944 40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe 2944 40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe 3040 Baqbenep.exe 3040 Baqbenep.exe 2540 Bcaomf32.exe 2540 Bcaomf32.exe 2644 Cgmkmecg.exe 2644 Cgmkmecg.exe 2724 Ckignd32.exe 2724 Ckignd32.exe 2804 Cngcjo32.exe 2804 Cngcjo32.exe 2448 Cpeofk32.exe 2448 Cpeofk32.exe 2908 Ccdlbf32.exe 2908 Ccdlbf32.exe 2500 Cgpgce32.exe 2500 Cgpgce32.exe 2776 Cjndop32.exe 2776 Cjndop32.exe 844 Cnippoha.exe 844 Cnippoha.exe 1504 Cphlljge.exe 1504 Cphlljge.exe 1948 Coklgg32.exe 1948 Coklgg32.exe 1984 Cgbdhd32.exe 1984 Cgbdhd32.exe 1820 Cjpqdp32.exe 1820 Cjpqdp32.exe 2128 Clomqk32.exe 2128 Clomqk32.exe 2856 Cciemedf.exe 2856 Cciemedf.exe 480 Cbkeib32.exe 480 Cbkeib32.exe 1484 Cjbmjplb.exe 1484 Cjbmjplb.exe 2916 Claifkkf.exe 2916 Claifkkf.exe 956 Ckdjbh32.exe 956 Ckdjbh32.exe 2396 Copfbfjj.exe 2396 Copfbfjj.exe 1356 Cbnbobin.exe 1356 Cbnbobin.exe 2044 Chhjkl32.exe 2044 Chhjkl32.exe 940 Cndbcc32.exe 940 Cndbcc32.exe 1824 Dbpodagk.exe 1824 Dbpodagk.exe 1652 Ddokpmfo.exe 1652 Ddokpmfo.exe 2768 Dgmglh32.exe 2768 Dgmglh32.exe 2572 Dkhcmgnl.exe 2572 Dkhcmgnl.exe 2212 Dqelenlc.exe 2212 Dqelenlc.exe 2108 Dhmcfkme.exe 2108 Dhmcfkme.exe 2764 Djnpnc32.exe 2764 Djnpnc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gokfbfnk.dll Nejiih32.exe File created C:\Windows\SysWOW64\Goddhg32.exe Gkihhhnm.exe File created C:\Windows\SysWOW64\Jkpgfn32.exe Jmmfkafa.exe File created C:\Windows\SysWOW64\Goedqe32.dll Leajdfnm.exe File opened for modification C:\Windows\SysWOW64\Nolhan32.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Ooeggp32.exe Okikfagn.exe File opened for modification C:\Windows\SysWOW64\Cndbcc32.exe Chhjkl32.exe File opened for modification C:\Windows\SysWOW64\Gcmjhbal.dll Ealnephf.exe File created C:\Windows\SysWOW64\Ifcbodli.exe Inljnfkg.exe File created C:\Windows\SysWOW64\Immfnjan.dll Kfgdhjmk.exe File created C:\Windows\SysWOW64\Mnghjbjl.dll Cclkfdnc.exe File created C:\Windows\SysWOW64\Ollfnfje.dll Jqfffqpm.exe File opened for modification C:\Windows\SysWOW64\Nondgn32.exe Nkbhgojk.exe File opened for modification C:\Windows\SysWOW64\Pefijfii.exe Pqkmjh32.exe File created C:\Windows\SysWOW64\Bfadgq32.exe Bhndldcn.exe File created C:\Windows\SysWOW64\Hhjhkq32.exe Hellne32.exe File created C:\Windows\SysWOW64\Oopnlacm.exe Oqmmpd32.exe File opened for modification C:\Windows\SysWOW64\Idhopq32.exe Iqmcpahh.exe File created C:\Windows\SysWOW64\Lemaif32.exe Lfjqnjkh.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Ojfaijcc.exe File created C:\Windows\SysWOW64\Kijbioba.dll Dcadac32.exe File created C:\Windows\SysWOW64\Ekelld32.exe Egjpkffe.exe File created C:\Windows\SysWOW64\Gpdgnh32.dll Lajhofao.exe File opened for modification C:\Windows\SysWOW64\Inegme32.dll Emnndlod.exe File created C:\Windows\SysWOW64\Clnlnhop.dll Epieghdk.exe File created C:\Windows\SysWOW64\Facklcaq.dll Faokjpfd.exe File opened for modification C:\Windows\SysWOW64\Peiepfgg.exe Pamiog32.exe File created C:\Windows\SysWOW64\Abjlmo32.dll Alnqqd32.exe File created C:\Windows\SysWOW64\Lfnjef32.dll Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Fdilpjih.dll Efcfga32.exe File created C:\Windows\SysWOW64\Jfqahgpg.exe Jgnamk32.exe File opened for modification C:\Windows\SysWOW64\Jfcnngnd.exe Jcdbbloa.exe File created C:\Windows\SysWOW64\Nacgdhlp.exe Nnhkcj32.exe File created C:\Windows\SysWOW64\Oqkqkdne.exe Onmdoioa.exe File created C:\Windows\SysWOW64\Efcfga32.exe Efcfga32.exe File created C:\Windows\SysWOW64\Dkhcmgnl.exe Dgmglh32.exe File created C:\Windows\SysWOW64\Iaeldika.dll Fjgoce32.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File opened for modification C:\Windows\SysWOW64\Dfamcogo.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Gbkgnfbd.exe Gpmjak32.exe File opened for modification C:\Windows\SysWOW64\Cnaocmmi.exe Ckccgane.exe File created C:\Windows\SysWOW64\Oakomajq.dll Dfdjhndl.exe File opened for modification C:\Windows\SysWOW64\Ekklaj32.exe Eilpeooq.exe File created C:\Windows\SysWOW64\Mggpgmof.exe Mhdplq32.exe File opened for modification C:\Windows\SysWOW64\Ojahnj32.exe Ofelmloo.exe File created C:\Windows\SysWOW64\Obafnlpn.exe Ocnfbo32.exe File created C:\Windows\SysWOW64\Moljch32.dll Aipddi32.exe File created C:\Windows\SysWOW64\Jfcnngnd.exe Jcdbbloa.exe File created C:\Windows\SysWOW64\Bgmefakc.dll Onhgbmfb.exe File opened for modification C:\Windows\SysWOW64\Pbfpik32.exe Pogclp32.exe File created C:\Windows\SysWOW64\Dliijipn.exe Dhnmij32.exe File opened for modification C:\Windows\SysWOW64\Mhgmapfi.exe Mppepcfg.exe File created C:\Windows\SysWOW64\Dcfdgiid.exe Dbehoa32.exe File created C:\Windows\SysWOW64\Mbcjffka.dll Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Naajoinb.exe Nnennj32.exe File created C:\Windows\SysWOW64\Kclhicjn.dll Bblogakg.exe File opened for modification C:\Windows\SysWOW64\Dolnad32.exe Dkqbaecc.exe File created C:\Windows\SysWOW64\Fqpjbf32.dll Cjndop32.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hahjpbad.exe File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Mmceigep.exe Mihiih32.exe File opened for modification C:\Windows\SysWOW64\Ajejgp32.exe Albjlcao.exe File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe Facdeo32.exe File created C:\Windows\SysWOW64\Kjnifgah.dll Hiekid32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6796 6764 WerFault.exe 640 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" Njlockkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddjlc32.dll" Cphlljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idmhkpml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niaokh32.dll" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igihbknb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oceaboqg.dll" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpiddoma.dll" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll" Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Gdamqndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pimkpfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppbfpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egafleqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkpmm32.dll" Mpigfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biamilfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahlgfdeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcinmgng.dll" Kblhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepgqikf.dll" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akodpalp.dll" Kjnfniii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhbfdjdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbhmnkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqiaclmk.dll" Pimkpfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmlapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmpkjkma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhbped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfekcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofhick32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cghggc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmkcoqd.dll" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqijej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anojbobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll" Efaibbij.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2944 wrote to memory of 3040 2944 40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe 28 PID 2944 wrote to memory of 3040 2944 40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe 28 PID 2944 wrote to memory of 3040 2944 40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe 28 PID 2944 wrote to memory of 3040 2944 40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe 28 PID 3040 wrote to memory of 2540 3040 Baqbenep.exe 29 PID 3040 wrote to memory of 2540 3040 Baqbenep.exe 29 PID 3040 wrote to memory of 2540 3040 Baqbenep.exe 29 PID 3040 wrote to memory of 2540 3040 Baqbenep.exe 29 PID 2540 wrote to memory of 2644 2540 Bcaomf32.exe 30 PID 2540 wrote to memory of 2644 2540 Bcaomf32.exe 30 PID 2540 wrote to memory of 2644 2540 Bcaomf32.exe 30 PID 2540 wrote to memory of 2644 2540 Bcaomf32.exe 30 PID 2644 wrote to memory of 2724 2644 Cgmkmecg.exe 31 PID 2644 wrote to memory of 2724 2644 Cgmkmecg.exe 31 PID 2644 wrote to memory of 2724 2644 Cgmkmecg.exe 31 PID 2644 wrote to memory of 2724 2644 Cgmkmecg.exe 31 PID 2724 wrote to memory of 2804 2724 Ckignd32.exe 32 PID 2724 wrote to memory of 2804 2724 Ckignd32.exe 32 PID 2724 wrote to memory of 2804 2724 Ckignd32.exe 32 PID 2724 wrote to memory of 2804 2724 Ckignd32.exe 32 PID 2804 wrote to memory of 2448 2804 Cngcjo32.exe 33 PID 2804 wrote to memory of 2448 2804 Cngcjo32.exe 33 PID 2804 wrote to memory of 2448 2804 Cngcjo32.exe 33 PID 2804 wrote to memory of 2448 2804 Cngcjo32.exe 33 PID 2448 wrote to memory of 2908 2448 Cpeofk32.exe 34 PID 2448 wrote to memory of 2908 2448 Cpeofk32.exe 34 PID 2448 wrote to memory of 2908 2448 Cpeofk32.exe 34 PID 2448 wrote to memory of 2908 2448 Cpeofk32.exe 34 PID 2908 wrote to memory of 2500 2908 Ccdlbf32.exe 35 PID 2908 wrote to memory of 2500 2908 Ccdlbf32.exe 35 PID 2908 wrote to memory of 2500 2908 Ccdlbf32.exe 35 PID 2908 wrote to memory of 2500 2908 Ccdlbf32.exe 35 PID 2500 wrote to memory of 2776 2500 Cgpgce32.exe 36 PID 2500 wrote to memory of 2776 2500 Cgpgce32.exe 36 PID 2500 wrote to memory of 2776 2500 Cgpgce32.exe 36 PID 2500 wrote to memory of 2776 2500 Cgpgce32.exe 36 PID 2776 wrote to memory of 844 2776 Cjndop32.exe 37 PID 2776 wrote to memory of 844 2776 Cjndop32.exe 37 PID 2776 wrote to memory of 844 2776 Cjndop32.exe 37 PID 2776 wrote to memory of 844 2776 Cjndop32.exe 37 PID 844 wrote to memory of 1504 844 Cnippoha.exe 38 PID 844 wrote to memory of 1504 844 Cnippoha.exe 38 PID 844 wrote to memory of 1504 844 Cnippoha.exe 38 PID 844 wrote to memory of 1504 844 Cnippoha.exe 38 PID 1504 wrote to memory of 1948 1504 Cphlljge.exe 39 PID 1504 wrote to memory of 1948 1504 Cphlljge.exe 39 PID 1504 wrote to memory of 1948 1504 Cphlljge.exe 39 PID 1504 wrote to memory of 1948 1504 Cphlljge.exe 39 PID 1948 wrote to memory of 1984 1948 Coklgg32.exe 40 PID 1948 wrote to memory of 1984 1948 Coklgg32.exe 40 PID 1948 wrote to memory of 1984 1948 Coklgg32.exe 40 PID 1948 wrote to memory of 1984 1948 Coklgg32.exe 40 PID 1984 wrote to memory of 1820 1984 Cgbdhd32.exe 41 PID 1984 wrote to memory of 1820 1984 Cgbdhd32.exe 41 PID 1984 wrote to memory of 1820 1984 Cgbdhd32.exe 41 PID 1984 wrote to memory of 1820 1984 Cgbdhd32.exe 41 PID 1820 wrote to memory of 2128 1820 Cjpqdp32.exe 42 PID 1820 wrote to memory of 2128 1820 Cjpqdp32.exe 42 PID 1820 wrote to memory of 2128 1820 Cjpqdp32.exe 42 PID 1820 wrote to memory of 2128 1820 Cjpqdp32.exe 42 PID 2128 wrote to memory of 2856 2128 Clomqk32.exe 43 PID 2128 wrote to memory of 2856 2128 Clomqk32.exe 43 PID 2128 wrote to memory of 2856 2128 Clomqk32.exe 43 PID 2128 wrote to memory of 2856 2128 Clomqk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\40b8ace00a727d574059a57e183a1870_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:480 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe33⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe35⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe38⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe39⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe40⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe43⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe45⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe46⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe47⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe49⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe50⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe51⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe52⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe54⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe55⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe56⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe57⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe58⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe61⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe62⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe63⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe64⤵
- Executes dropped EXE
PID:360 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe65⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe66⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe67⤵PID:860
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe68⤵PID:324
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe69⤵PID:1568
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe70⤵PID:1040
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe71⤵PID:2284
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe72⤵PID:2708
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe74⤵PID:1276
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe75⤵PID:2360
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe76⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe77⤵PID:2544
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe78⤵PID:1864
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe79⤵PID:2092
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe80⤵PID:664
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe81⤵PID:2428
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe82⤵PID:1236
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe83⤵PID:624
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe84⤵PID:1760
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe85⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe86⤵PID:2828
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe87⤵PID:2504
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe88⤵PID:2688
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe89⤵PID:2096
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe90⤵PID:380
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe91⤵PID:2252
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe92⤵PID:2424
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe93⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe94⤵
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe95⤵PID:2744
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe96⤵PID:2192
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe97⤵PID:1960
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe98⤵PID:2980
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe100⤵PID:2728
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe101⤵
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe102⤵PID:2508
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe103⤵PID:1664
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe104⤵PID:1704
-
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe105⤵PID:1136
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe106⤵PID:1556
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe107⤵PID:972
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe108⤵PID:1656
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe109⤵PID:1772
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe110⤵PID:1596
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe111⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe112⤵PID:640
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe113⤵PID:2976
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe114⤵PID:1668
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe115⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe116⤵PID:596
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe117⤵PID:1928
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe118⤵PID:2116
-
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe119⤵PID:2720
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe120⤵PID:1084
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe121⤵PID:2352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-