Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 20:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1b55597e71d944d357f27861514df090_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1b55597e71d944d357f27861514df090_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1b55597e71d944d357f27861514df090_NeikiAnalytics.exe
-
Size
96KB
-
MD5
1b55597e71d944d357f27861514df090
-
SHA1
cbb49b6939b83865b3600d6fe983dc1cec3e4cc0
-
SHA256
0f620c0f597f851706b6656f10a66de71e461fb4ee4bd465d92636e547a1f793
-
SHA512
30e86425b3f8d16a51b99c431100cd48eead0fdb7f62f4ecdf8b02d8cb9d7170ad4846a7100c3aa3173ac3d0deea06bd16651999b1379de7299adcbfcf730765
-
SSDEEP
1536:k9SOMZ+W9jm2I5/+CNB4jWgHyoue7j8MvQ57IKVXbGwMduV9jojTIvjr:DZR9jmV/+0B4jWnouoBo58lnd69jc0v
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimbdhhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofelmloo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmbhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqfffqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ombapedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflkdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qabcjgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fioija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmopod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojald32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkdkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekkcljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddigjkid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpigfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddpfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgaqgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjljhjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckjpacfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjqhmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpgpkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boqbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbcnhjnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopkmhjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecqqpgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aipddi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkofpgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihmjejl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pefijfii.exe -
Executes dropped EXE 64 IoCs
pid Process 2708 Paggai32.exe 2912 Pfdpip32.exe 2536 Plahag32.exe 2588 Pchpbded.exe 2704 Piehkkcl.exe 2488 Pmqdkj32.exe 2552 Ppoqge32.exe 1896 Pfiidobe.exe 1200 Phjelg32.exe 2004 Ppamme32.exe 2152 Pbpjiphi.exe 860 Qhmbagfa.exe 320 Qjknnbed.exe 2776 Qbbfopeg.exe 2052 Qeqbkkej.exe 536 Qljkhe32.exe 960 Qmlgonbe.exe 1804 Qagcpljo.exe 1128 Qecoqk32.exe 2828 Ankdiqih.exe 1148 Amndem32.exe 1124 Adhlaggp.exe 1816 Ajbdna32.exe 3040 Ampqjm32.exe 3044 Adjigg32.exe 2924 Afiecb32.exe 2796 Alenki32.exe 2440 Admemg32.exe 2548 Afkbib32.exe 2700 Aenbdoii.exe 2892 Afmonbqk.exe 2464 Ailkjmpo.exe 952 Bpfcgg32.exe 1996 Boiccdnf.exe 2000 Bebkpn32.exe 2036 Blmdlhmp.exe 2160 Bkodhe32.exe 1572 Bdhhqk32.exe 1872 Bhcdaibd.exe 2216 Bkaqmeah.exe 2136 Begeknan.exe 704 Bghabf32.exe 1020 Bopicc32.exe 3032 Bpafkknm.exe 1736 Bdlblj32.exe 1812 Bgknheej.exe 776 Bkfjhd32.exe 2244 Baqbenep.exe 2840 Bdooajdc.exe 2848 Bcaomf32.exe 2668 Ckignd32.exe 2604 Cngcjo32.exe 2476 Cpeofk32.exe 2672 Cdakgibq.exe 3004 Cgpgce32.exe 1920 Cnippoha.exe 1908 Cphlljge.exe 1856 Coklgg32.exe 1624 Cgbdhd32.exe 2068 Chcqpmep.exe 1428 Cpjiajeb.exe 2896 Comimg32.exe 400 Cciemedf.exe 1800 Cjbmjplb.exe -
Loads dropped DLL 64 IoCs
pid Process 1364 1b55597e71d944d357f27861514df090_NeikiAnalytics.exe 1364 1b55597e71d944d357f27861514df090_NeikiAnalytics.exe 2708 Paggai32.exe 2708 Paggai32.exe 2912 Pfdpip32.exe 2912 Pfdpip32.exe 2536 Plahag32.exe 2536 Plahag32.exe 2588 Pchpbded.exe 2588 Pchpbded.exe 2704 Piehkkcl.exe 2704 Piehkkcl.exe 2488 Pmqdkj32.exe 2488 Pmqdkj32.exe 2552 Ppoqge32.exe 2552 Ppoqge32.exe 1896 Pfiidobe.exe 1896 Pfiidobe.exe 1200 Phjelg32.exe 1200 Phjelg32.exe 2004 Ppamme32.exe 2004 Ppamme32.exe 2152 Pbpjiphi.exe 2152 Pbpjiphi.exe 860 Qhmbagfa.exe 860 Qhmbagfa.exe 320 Qjknnbed.exe 320 Qjknnbed.exe 2776 Qbbfopeg.exe 2776 Qbbfopeg.exe 2052 Qeqbkkej.exe 2052 Qeqbkkej.exe 536 Qljkhe32.exe 536 Qljkhe32.exe 960 Qmlgonbe.exe 960 Qmlgonbe.exe 1804 Qagcpljo.exe 1804 Qagcpljo.exe 1128 Qecoqk32.exe 1128 Qecoqk32.exe 2828 Ankdiqih.exe 2828 Ankdiqih.exe 1148 Amndem32.exe 1148 Amndem32.exe 1124 Adhlaggp.exe 1124 Adhlaggp.exe 1816 Ajbdna32.exe 1816 Ajbdna32.exe 3040 Ampqjm32.exe 3040 Ampqjm32.exe 3044 Adjigg32.exe 3044 Adjigg32.exe 2924 Afiecb32.exe 2924 Afiecb32.exe 2796 Alenki32.exe 2796 Alenki32.exe 2440 Admemg32.exe 2440 Admemg32.exe 2548 Afkbib32.exe 2548 Afkbib32.exe 2700 Aenbdoii.exe 2700 Aenbdoii.exe 2892 Afmonbqk.exe 2892 Afmonbqk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lefmambf.dll Dmoipopd.exe File created C:\Windows\SysWOW64\Oincig32.dll Mgnfhlin.exe File opened for modification C:\Windows\SysWOW64\Oklkmnbp.exe Ngpolo32.exe File created C:\Windows\SysWOW64\Pkndaa32.exe Piphee32.exe File created C:\Windows\SysWOW64\Kgiaak32.dll Jcbellac.exe File opened for modification C:\Windows\SysWOW64\Admemg32.exe Alenki32.exe File created C:\Windows\SysWOW64\Nolcnd32.dll Ihdkao32.exe File created C:\Windows\SysWOW64\Ghqknigk.dll Fjlhneio.exe File opened for modification C:\Windows\SysWOW64\Eibbcm32.exe Efcfga32.exe File created C:\Windows\SysWOW64\Gaqcoc32.exe Gbnccfpb.exe File opened for modification C:\Windows\SysWOW64\Jgnamk32.exe Jcbellac.exe File opened for modification C:\Windows\SysWOW64\Nlbeqb32.exe Nhfipcid.exe File created C:\Windows\SysWOW64\Ahikqd32.exe Aekodi32.exe File opened for modification C:\Windows\SysWOW64\Adjigg32.exe Ampqjm32.exe File created C:\Windows\SysWOW64\Dcknbh32.exe Doobajme.exe File created C:\Windows\SysWOW64\Ckjpacfp.exe Bhkdeggl.exe File opened for modification C:\Windows\SysWOW64\Cddaphkn.exe Cafecmlj.exe File opened for modification C:\Windows\SysWOW64\Edpmjj32.exe Enfenplo.exe File created C:\Windows\SysWOW64\Dgodbh32.exe Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe Fehjeo32.exe File opened for modification C:\Windows\SysWOW64\Ikpjgkjq.exe Igdogl32.exe File created C:\Windows\SysWOW64\Dogefd32.exe Dliijipn.exe File created C:\Windows\SysWOW64\Kbjlonii.dll Kfbkmk32.exe File created C:\Windows\SysWOW64\Pbpjiphi.exe Ppamme32.exe File created C:\Windows\SysWOW64\Gknfklng.dll Hejoiedd.exe File created C:\Windows\SysWOW64\Ijlhmj32.dll Mcegmm32.exe File opened for modification C:\Windows\SysWOW64\Dhmcfkme.exe Dqelenlc.exe File opened for modification C:\Windows\SysWOW64\Fbdqmghm.exe Fdapak32.exe File created C:\Windows\SysWOW64\Mhgmapfi.exe Mdkqqa32.exe File created C:\Windows\SysWOW64\Hokokc32.dll Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Kaaijdgn.exe Jnclnihj.exe File opened for modification C:\Windows\SysWOW64\Kcbakpdo.exe Keoapb32.exe File created C:\Windows\SysWOW64\Anafhopc.exe Ajejgp32.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Ddokpmfo.exe File created C:\Windows\SysWOW64\Keoapb32.exe Kneicieh.exe File created C:\Windows\SysWOW64\Dqlcpbbm.dll Lpphap32.exe File created C:\Windows\SysWOW64\Ckgkkllh.dll Dhbfdjdp.exe File created C:\Windows\SysWOW64\Lkoabpeg.dll Gopkmhjk.exe File created C:\Windows\SysWOW64\Kjjndgdk.dll Kihqkagp.exe File created C:\Windows\SysWOW64\Eeqdep32.exe Ecpgmhai.exe File created C:\Windows\SysWOW64\Hjbpkign.dll Jgnamk32.exe File created C:\Windows\SysWOW64\Oimpgolj.dll Pmdjdh32.exe File opened for modification C:\Windows\SysWOW64\Dcadac32.exe Doehqead.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fjgoce32.exe File opened for modification C:\Windows\SysWOW64\Ldfgebbe.exe Lahkigca.exe File opened for modification C:\Windows\SysWOW64\Oikojfgk.exe Ofmbnkhg.exe File opened for modification C:\Windows\SysWOW64\Bekkcljk.exe Bblogakg.exe File created C:\Windows\SysWOW64\Gkkgcp32.dll Bdlblj32.exe File opened for modification C:\Windows\SysWOW64\Dbpodagk.exe Clcflkic.exe File opened for modification C:\Windows\SysWOW64\Ooeggp32.exe Okikfagn.exe File created C:\Windows\SysWOW64\Kolpjf32.dll Pkndaa32.exe File created C:\Windows\SysWOW64\Pabfdklg.dll Gkgkbipp.exe File opened for modification C:\Windows\SysWOW64\Mpbaebdd.exe Mihiih32.exe File created C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Eccmffjf.exe Edpmjj32.exe File created C:\Windows\SysWOW64\Pmdmeemc.dll Pmqdkj32.exe File created C:\Windows\SysWOW64\Opfdll32.dll Cjdfmo32.exe File created C:\Windows\SysWOW64\Comimg32.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Qbgpffch.dll Ccngld32.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Lkncmmle.exe File created C:\Windows\SysWOW64\Amfidj32.dll Ecqqpgli.exe File created C:\Windows\SysWOW64\Jbjochdi.exe Jcgogk32.exe File created C:\Windows\SysWOW64\Iecenlqh.dll Bkommo32.exe File created C:\Windows\SysWOW64\Hhjhkq32.exe Hhjhkq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6088 6004 WerFault.exe 547 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneqdoee.dll" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgjclbdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooahdmkl.dll" Bkfjhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbfqed32.dll" Lbnemk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicdaj32.dll" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolcnd32.dll" Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Keanebkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjbkk32.dll" Lollckbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egahmk32.dll" Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpicol32.dll" Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Comimg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkdgmla.dll" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdoclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkijmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbknb.dll" Baqbenep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feocmm32.dll" Jmmfkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgaecj.dll" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckggkg32.dll" Qljkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkebie32.dll" Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfojbj32.dll" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnaocmmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cphlljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdgneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll" Goddhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkommo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmfoi32.dll" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpajdp32.dll" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadqjk32.dll" Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqopea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkqbaecc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 1b55597e71d944d357f27861514df090_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bebkpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" Bhndldcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heldepab.dll" Ofjfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmmjh32.dll" Biamilfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkkalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Boqbfb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1364 wrote to memory of 2708 1364 1b55597e71d944d357f27861514df090_NeikiAnalytics.exe 28 PID 1364 wrote to memory of 2708 1364 1b55597e71d944d357f27861514df090_NeikiAnalytics.exe 28 PID 1364 wrote to memory of 2708 1364 1b55597e71d944d357f27861514df090_NeikiAnalytics.exe 28 PID 1364 wrote to memory of 2708 1364 1b55597e71d944d357f27861514df090_NeikiAnalytics.exe 28 PID 2708 wrote to memory of 2912 2708 Paggai32.exe 29 PID 2708 wrote to memory of 2912 2708 Paggai32.exe 29 PID 2708 wrote to memory of 2912 2708 Paggai32.exe 29 PID 2708 wrote to memory of 2912 2708 Paggai32.exe 29 PID 2912 wrote to memory of 2536 2912 Pfdpip32.exe 30 PID 2912 wrote to memory of 2536 2912 Pfdpip32.exe 30 PID 2912 wrote to memory of 2536 2912 Pfdpip32.exe 30 PID 2912 wrote to memory of 2536 2912 Pfdpip32.exe 30 PID 2536 wrote to memory of 2588 2536 Plahag32.exe 31 PID 2536 wrote to memory of 2588 2536 Plahag32.exe 31 PID 2536 wrote to memory of 2588 2536 Plahag32.exe 31 PID 2536 wrote to memory of 2588 2536 Plahag32.exe 31 PID 2588 wrote to memory of 2704 2588 Pchpbded.exe 32 PID 2588 wrote to memory of 2704 2588 Pchpbded.exe 32 PID 2588 wrote to memory of 2704 2588 Pchpbded.exe 32 PID 2588 wrote to memory of 2704 2588 Pchpbded.exe 32 PID 2704 wrote to memory of 2488 2704 Piehkkcl.exe 33 PID 2704 wrote to memory of 2488 2704 Piehkkcl.exe 33 PID 2704 wrote to memory of 2488 2704 Piehkkcl.exe 33 PID 2704 wrote to memory of 2488 2704 Piehkkcl.exe 33 PID 2488 wrote to memory of 2552 2488 Pmqdkj32.exe 34 PID 2488 wrote to memory of 2552 2488 Pmqdkj32.exe 34 PID 2488 wrote to memory of 2552 2488 Pmqdkj32.exe 34 PID 2488 wrote to memory of 2552 2488 Pmqdkj32.exe 34 PID 2552 wrote to memory of 1896 2552 Ppoqge32.exe 35 PID 2552 wrote to memory of 1896 2552 Ppoqge32.exe 35 PID 2552 wrote to memory of 1896 2552 Ppoqge32.exe 35 PID 2552 wrote to memory of 1896 2552 Ppoqge32.exe 35 PID 1896 wrote to memory of 1200 1896 Pfiidobe.exe 36 PID 1896 wrote to memory of 1200 1896 Pfiidobe.exe 36 PID 1896 wrote to memory of 1200 1896 Pfiidobe.exe 36 PID 1896 wrote to memory of 1200 1896 Pfiidobe.exe 36 PID 1200 wrote to memory of 2004 1200 Phjelg32.exe 37 PID 1200 wrote to memory of 2004 1200 Phjelg32.exe 37 PID 1200 wrote to memory of 2004 1200 Phjelg32.exe 37 PID 1200 wrote to memory of 2004 1200 Phjelg32.exe 37 PID 2004 wrote to memory of 2152 2004 Ppamme32.exe 38 PID 2004 wrote to memory of 2152 2004 Ppamme32.exe 38 PID 2004 wrote to memory of 2152 2004 Ppamme32.exe 38 PID 2004 wrote to memory of 2152 2004 Ppamme32.exe 38 PID 2152 wrote to memory of 860 2152 Pbpjiphi.exe 39 PID 2152 wrote to memory of 860 2152 Pbpjiphi.exe 39 PID 2152 wrote to memory of 860 2152 Pbpjiphi.exe 39 PID 2152 wrote to memory of 860 2152 Pbpjiphi.exe 39 PID 860 wrote to memory of 320 860 Qhmbagfa.exe 40 PID 860 wrote to memory of 320 860 Qhmbagfa.exe 40 PID 860 wrote to memory of 320 860 Qhmbagfa.exe 40 PID 860 wrote to memory of 320 860 Qhmbagfa.exe 40 PID 320 wrote to memory of 2776 320 Qjknnbed.exe 41 PID 320 wrote to memory of 2776 320 Qjknnbed.exe 41 PID 320 wrote to memory of 2776 320 Qjknnbed.exe 41 PID 320 wrote to memory of 2776 320 Qjknnbed.exe 41 PID 2776 wrote to memory of 2052 2776 Qbbfopeg.exe 42 PID 2776 wrote to memory of 2052 2776 Qbbfopeg.exe 42 PID 2776 wrote to memory of 2052 2776 Qbbfopeg.exe 42 PID 2776 wrote to memory of 2052 2776 Qbbfopeg.exe 42 PID 2052 wrote to memory of 536 2052 Qeqbkkej.exe 43 PID 2052 wrote to memory of 536 2052 Qeqbkkej.exe 43 PID 2052 wrote to memory of 536 2052 Qeqbkkej.exe 43 PID 2052 wrote to memory of 536 2052 Qeqbkkej.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b55597e71d944d357f27861514df090_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1b55597e71d944d357f27861514df090_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe33⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe34⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe35⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe37⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe38⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe40⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe42⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe43⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe44⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe45⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe47⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe51⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe52⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe54⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe55⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe56⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe57⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe59⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe60⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe61⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1428 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe64⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe65⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe66⤵PID:2252
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe67⤵PID:936
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe68⤵
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe69⤵PID:2412
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe70⤵PID:2976
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe71⤵PID:2916
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe72⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe73⤵PID:2472
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe75⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe77⤵PID:1756
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe78⤵PID:2756
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe79⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe83⤵PID:1964
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe84⤵PID:2168
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe85⤵PID:2544
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe87⤵PID:2596
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe88⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe90⤵PID:2408
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe91⤵PID:2260
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe92⤵PID:1472
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe93⤵
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe94⤵PID:2864
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe96⤵PID:708
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe97⤵PID:1104
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe98⤵PID:2852
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe99⤵PID:2656
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe101⤵PID:2624
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe102⤵PID:2508
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe103⤵PID:956
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe105⤵PID:784
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe106⤵PID:2120
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe107⤵PID:1456
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe108⤵PID:1956
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe109⤵PID:2300
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe110⤵PID:2868
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe111⤵PID:2676
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe112⤵PID:2040
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe113⤵PID:940
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe114⤵PID:1536
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe115⤵PID:1212
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe116⤵PID:1580
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe117⤵PID:2404
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe118⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe119⤵PID:1744
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1768 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-