Analysis
-
max time kernel
141s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
15-05-2024 06:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
-
Size
55KB
-
MD5
91dc1d25088a45b38eae9ab6a9ef4cd0
-
SHA1
052823ff61daba583334f15fd344c0ac0f1db94f
-
SHA256
4bc109a57e473a1af4a02185ca4c7609c170d61c6d36241e6016bc9331018662
-
SHA512
19cfa002674c2bfa7eaa1b8290567aa38619472cad4a69ea63b93421be856dd2541693eb7b3450dcad685260177107e64a8ecf6ea0c98c787c0925b44d62a10f
-
SSDEEP
768:kIMZ0Dx8m+nsYIimv6/9KA7voruPNwUDsFa3TBNEiHSAF0epMCJoj42p/1H54Xdh:NMCtsw6gAluUJ3UPAnz+U2LM
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjnfniii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmcjehm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgjclbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdkao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjdfmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppkph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdjje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baakhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jicgpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflmci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afohaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gicbeald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahojc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojcecjee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmbnkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknekeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfenplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokcgmee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cghggc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2568 Faagpp32.exe 2684 Fjilieka.exe 3004 Fpfdalii.exe 2500 Fbdqmghm.exe 2472 Fioija32.exe 3008 Fphafl32.exe 1604 Fbgmbg32.exe 2780 Feeiob32.exe 2196 Gpknlk32.exe 1904 Gbijhg32.exe 1556 Gicbeald.exe 788 Glaoalkh.exe 1452 Gbkgnfbd.exe 2572 Gieojq32.exe 996 Ghhofmql.exe 2264 Gobgcg32.exe 1400 Ghkllmoi.exe 900 Glfhll32.exe 1696 Gacpdbej.exe 404 Geolea32.exe 3016 Ghmiam32.exe 1072 Ggpimica.exe 1300 Gaemjbcg.exe 2016 Gddifnbk.exe 2100 Hgbebiao.exe 1916 Hmlnoc32.exe 2312 Hcifgjgc.exe 2604 Hicodd32.exe 2844 Hdhbam32.exe 2752 Hckcmjep.exe 2588 Hlcgeo32.exe 2540 Hgilchkf.exe 1676 Hellne32.exe 1472 Hpapln32.exe 2820 Hacmcfge.exe 884 Hlhaqogk.exe 1772 Icbimi32.exe 1564 Ieqeidnl.exe 768 Ihoafpmp.exe 1248 Inljnfkg.exe 2268 Igdogl32.exe 1948 Ikpjgkjq.exe 2240 Iqmcpahh.exe 2868 Ihdkao32.exe 2432 Iggkllpe.exe 2988 Ikbgmj32.exe 1936 Ijgdngmf.exe 1960 Incpoe32.exe 1752 Imfqjbli.exe 1256 Icpigm32.exe 2760 Jjjacf32.exe 1528 Jnemdecl.exe 2628 Jmhmpb32.exe 2636 Jofiln32.exe 2404 Jgnamk32.exe 2920 Jjlnif32.exe 1596 Jiondcpk.exe 2712 Jmjjea32.exe 2180 Joifam32.exe 2140 Jcdbbloa.exe 1616 Jbgbni32.exe 1876 Jjojofgn.exe 2320 Jmmfkafa.exe 2032 Jkpgfn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2556 91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe 2556 91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe 2568 Faagpp32.exe 2568 Faagpp32.exe 2684 Fjilieka.exe 2684 Fjilieka.exe 3004 Fpfdalii.exe 3004 Fpfdalii.exe 2500 Fbdqmghm.exe 2500 Fbdqmghm.exe 2472 Fioija32.exe 2472 Fioija32.exe 3008 Fphafl32.exe 3008 Fphafl32.exe 1604 Fbgmbg32.exe 1604 Fbgmbg32.exe 2780 Feeiob32.exe 2780 Feeiob32.exe 2196 Gpknlk32.exe 2196 Gpknlk32.exe 1904 Gbijhg32.exe 1904 Gbijhg32.exe 1556 Gicbeald.exe 1556 Gicbeald.exe 788 Glaoalkh.exe 788 Glaoalkh.exe 1452 Gbkgnfbd.exe 1452 Gbkgnfbd.exe 2572 Gieojq32.exe 2572 Gieojq32.exe 996 Ghhofmql.exe 996 Ghhofmql.exe 2264 Gobgcg32.exe 2264 Gobgcg32.exe 1400 Ghkllmoi.exe 1400 Ghkllmoi.exe 900 Glfhll32.exe 900 Glfhll32.exe 1696 Gacpdbej.exe 1696 Gacpdbej.exe 404 Geolea32.exe 404 Geolea32.exe 3016 Ghmiam32.exe 3016 Ghmiam32.exe 1072 Ggpimica.exe 1072 Ggpimica.exe 1300 Gaemjbcg.exe 1300 Gaemjbcg.exe 2016 Gddifnbk.exe 2016 Gddifnbk.exe 2100 Hgbebiao.exe 2100 Hgbebiao.exe 1916 Hmlnoc32.exe 1916 Hmlnoc32.exe 2312 Hcifgjgc.exe 2312 Hcifgjgc.exe 2604 Hicodd32.exe 2604 Hicodd32.exe 2844 Hdhbam32.exe 2844 Hdhbam32.exe 2752 Hckcmjep.exe 2752 Hckcmjep.exe 2588 Hlcgeo32.exe 2588 Hlcgeo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lgahch32.dll 91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Ieqeidnl.exe File created C:\Windows\SysWOW64\Bnpanefm.dll Kaceodek.exe File opened for modification C:\Windows\SysWOW64\Kngfih32.exe Kgnnln32.exe File opened for modification C:\Windows\SysWOW64\Mdkqqa32.exe Mmahdggc.exe File created C:\Windows\SysWOW64\Gfadgaio.dll Mhgmapfi.exe File created C:\Windows\SysWOW64\Meccii32.exe Mcegmm32.exe File created C:\Windows\SysWOW64\Fgefik32.dll Ojcecjee.exe File opened for modification C:\Windows\SysWOW64\Ajhgmpfg.exe Ahikqd32.exe File created C:\Windows\SysWOW64\Bpooed32.dll Bhkdeggl.exe File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe Gobgcg32.exe File created C:\Windows\SysWOW64\Gpmcnehn.dll Imfqjbli.exe File created C:\Windows\SysWOW64\Npdjje32.exe Naajoinb.exe File created C:\Windows\SysWOW64\Acmmle32.dll Ahdaee32.exe File created C:\Windows\SysWOW64\Cnkicn32.exe Cklmgb32.exe File created C:\Windows\SysWOW64\Mnghjbjl.dll Cclkfdnc.exe File opened for modification C:\Windows\SysWOW64\Cjfccn32.exe Cghggc32.exe File created C:\Windows\SysWOW64\Ffpncj32.dll Eqdajkkb.exe File created C:\Windows\SysWOW64\Fealjk32.dll Hmlnoc32.exe File created C:\Windows\SysWOW64\Pogjpc32.dll Kmjfdejp.exe File created C:\Windows\SysWOW64\Ehkdaf32.dll Pnjdhmdo.exe File created C:\Windows\SysWOW64\Obmhdd32.dll Peiepfgg.exe File opened for modification C:\Windows\SysWOW64\Bekkcljk.exe Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Chnqkg32.exe Cdbdjhmp.exe File opened for modification C:\Windows\SysWOW64\Dpeekh32.exe Dhnmij32.exe File created C:\Windows\SysWOW64\Egqdeaqb.dll Dlkepi32.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Dookgcij.exe File created C:\Windows\SysWOW64\Geofbffe.dll Kahojc32.exe File created C:\Windows\SysWOW64\Ngnbgplj.exe Nhkbkc32.exe File opened for modification C:\Windows\SysWOW64\Bidjnkdg.exe Bfenbpec.exe File opened for modification C:\Windows\SysWOW64\Ombapedi.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Fileil32.dll Djklnnaj.exe File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe Gddifnbk.exe File created C:\Windows\SysWOW64\Ijqnib32.dll Lmolnh32.exe File created C:\Windows\SysWOW64\Eppmppld.dll Mmhodf32.exe File created C:\Windows\SysWOW64\Npfgpe32.exe Nnhkcj32.exe File opened for modification C:\Windows\SysWOW64\Aehboi32.exe Aamfnkai.exe File created C:\Windows\SysWOW64\Eqijej32.exe Eibbcm32.exe File created C:\Windows\SysWOW64\Icpigm32.exe Imfqjbli.exe File opened for modification C:\Windows\SysWOW64\Ngpolo32.exe Ndbcpd32.exe File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe Fjilieka.exe File created C:\Windows\SysWOW64\Feocmm32.dll Jmmfkafa.exe File created C:\Windows\SysWOW64\Jooclokl.dll Kmmcjehm.exe File opened for modification C:\Windows\SysWOW64\Cjdfmo32.exe Ckafbbph.exe File opened for modification C:\Windows\SysWOW64\Peiepfgg.exe Pmanoifd.exe File created C:\Windows\SysWOW64\Dpeekh32.exe Dhnmij32.exe File opened for modification C:\Windows\SysWOW64\Dfffnn32.exe Dnoomqbg.exe File opened for modification C:\Windows\SysWOW64\Ikpjgkjq.exe Igdogl32.exe File opened for modification C:\Windows\SysWOW64\Kahojc32.exe Kmmcjehm.exe File created C:\Windows\SysWOW64\Mbcjffka.dll Mkeimlfm.exe File created C:\Windows\SysWOW64\Heldepab.dll Obojhlbq.exe File created C:\Windows\SysWOW64\Ohhkga32.dll Pqkmjh32.exe File opened for modification C:\Windows\SysWOW64\Ajjcbpdd.exe Afohaa32.exe File created C:\Windows\SysWOW64\Incpoe32.exe Ijgdngmf.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Dookgcij.exe Dggcffhg.exe File opened for modification C:\Windows\SysWOW64\Lemaif32.exe Lfjqnjkh.exe File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Logbhl32.exe File opened for modification C:\Windows\SysWOW64\Mgnfhlin.exe Mcbjgn32.exe File created C:\Windows\SysWOW64\Mijfnh32.exe Mgljbm32.exe File opened for modification C:\Windows\SysWOW64\Olpdjf32.exe Ojahnj32.exe File created C:\Windows\SysWOW64\Pedleg32.exe Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Pedleg32.exe Pqhpdhcc.exe File created C:\Windows\SysWOW64\Djklnnaj.exe Dfoqmo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4300 4280 WerFault.exe 370 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll" Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkgklabn.dll" Qbelgood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgkafo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oonafa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qabcjgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igdaoinc.dll" Aekodi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mijfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Keanebkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfenbpec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnhlblil.dll" Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclgfa32.dll" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicdaj32.dll" Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgiom32.dll" Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gellaqbd.dll" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnlic32.dll" Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnekf32.dll" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loeebl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjacko32.dll" Kiccofna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbkkjih.dll" Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aehboi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjlnif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokbpahm.dll" Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnafl32.dll" Lldlqakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfbfnk.dll" Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll" Dfffnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpphap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdneebf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keanebkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lijjoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopodh32.dll" Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lijjoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocnfbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbhke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kemejc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlhkl32.dll" Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikpjgkjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbiaej32.dll" Bmkmdk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2556 wrote to memory of 2568 2556 91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe 28 PID 2556 wrote to memory of 2568 2556 91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe 28 PID 2556 wrote to memory of 2568 2556 91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe 28 PID 2556 wrote to memory of 2568 2556 91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe 28 PID 2568 wrote to memory of 2684 2568 Faagpp32.exe 29 PID 2568 wrote to memory of 2684 2568 Faagpp32.exe 29 PID 2568 wrote to memory of 2684 2568 Faagpp32.exe 29 PID 2568 wrote to memory of 2684 2568 Faagpp32.exe 29 PID 2684 wrote to memory of 3004 2684 Fjilieka.exe 30 PID 2684 wrote to memory of 3004 2684 Fjilieka.exe 30 PID 2684 wrote to memory of 3004 2684 Fjilieka.exe 30 PID 2684 wrote to memory of 3004 2684 Fjilieka.exe 30 PID 3004 wrote to memory of 2500 3004 Fpfdalii.exe 31 PID 3004 wrote to memory of 2500 3004 Fpfdalii.exe 31 PID 3004 wrote to memory of 2500 3004 Fpfdalii.exe 31 PID 3004 wrote to memory of 2500 3004 Fpfdalii.exe 31 PID 2500 wrote to memory of 2472 2500 Fbdqmghm.exe 32 PID 2500 wrote to memory of 2472 2500 Fbdqmghm.exe 32 PID 2500 wrote to memory of 2472 2500 Fbdqmghm.exe 32 PID 2500 wrote to memory of 2472 2500 Fbdqmghm.exe 32 PID 2472 wrote to memory of 3008 2472 Fioija32.exe 33 PID 2472 wrote to memory of 3008 2472 Fioija32.exe 33 PID 2472 wrote to memory of 3008 2472 Fioija32.exe 33 PID 2472 wrote to memory of 3008 2472 Fioija32.exe 33 PID 3008 wrote to memory of 1604 3008 Fphafl32.exe 34 PID 3008 wrote to memory of 1604 3008 Fphafl32.exe 34 PID 3008 wrote to memory of 1604 3008 Fphafl32.exe 34 PID 3008 wrote to memory of 1604 3008 Fphafl32.exe 34 PID 1604 wrote to memory of 2780 1604 Fbgmbg32.exe 35 PID 1604 wrote to memory of 2780 1604 Fbgmbg32.exe 35 PID 1604 wrote to memory of 2780 1604 Fbgmbg32.exe 35 PID 1604 wrote to memory of 2780 1604 Fbgmbg32.exe 35 PID 2780 wrote to memory of 2196 2780 Feeiob32.exe 36 PID 2780 wrote to memory of 2196 2780 Feeiob32.exe 36 PID 2780 wrote to memory of 2196 2780 Feeiob32.exe 36 PID 2780 wrote to memory of 2196 2780 Feeiob32.exe 36 PID 2196 wrote to memory of 1904 2196 Gpknlk32.exe 37 PID 2196 wrote to memory of 1904 2196 Gpknlk32.exe 37 PID 2196 wrote to memory of 1904 2196 Gpknlk32.exe 37 PID 2196 wrote to memory of 1904 2196 Gpknlk32.exe 37 PID 1904 wrote to memory of 1556 1904 Gbijhg32.exe 38 PID 1904 wrote to memory of 1556 1904 Gbijhg32.exe 38 PID 1904 wrote to memory of 1556 1904 Gbijhg32.exe 38 PID 1904 wrote to memory of 1556 1904 Gbijhg32.exe 38 PID 1556 wrote to memory of 788 1556 Gicbeald.exe 39 PID 1556 wrote to memory of 788 1556 Gicbeald.exe 39 PID 1556 wrote to memory of 788 1556 Gicbeald.exe 39 PID 1556 wrote to memory of 788 1556 Gicbeald.exe 39 PID 788 wrote to memory of 1452 788 Glaoalkh.exe 40 PID 788 wrote to memory of 1452 788 Glaoalkh.exe 40 PID 788 wrote to memory of 1452 788 Glaoalkh.exe 40 PID 788 wrote to memory of 1452 788 Glaoalkh.exe 40 PID 1452 wrote to memory of 2572 1452 Gbkgnfbd.exe 41 PID 1452 wrote to memory of 2572 1452 Gbkgnfbd.exe 41 PID 1452 wrote to memory of 2572 1452 Gbkgnfbd.exe 41 PID 1452 wrote to memory of 2572 1452 Gbkgnfbd.exe 41 PID 2572 wrote to memory of 996 2572 Gieojq32.exe 42 PID 2572 wrote to memory of 996 2572 Gieojq32.exe 42 PID 2572 wrote to memory of 996 2572 Gieojq32.exe 42 PID 2572 wrote to memory of 996 2572 Gieojq32.exe 42 PID 996 wrote to memory of 2264 996 Ghhofmql.exe 43 PID 996 wrote to memory of 2264 996 Ghhofmql.exe 43 PID 996 wrote to memory of 2264 996 Ghhofmql.exe 43 PID 996 wrote to memory of 2264 996 Ghhofmql.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:404 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe33⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe34⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe35⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe36⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe37⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe38⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe40⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe41⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe44⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe46⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe47⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe49⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe51⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe52⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe53⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe54⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe55⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe59⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe61⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe63⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe65⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe67⤵PID:1284
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe69⤵PID:2012
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe71⤵PID:2984
-
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe73⤵PID:2056
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe74⤵PID:2700
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe75⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe76⤵PID:1680
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe77⤵PID:2464
-
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe78⤵PID:2192
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe79⤵PID:1896
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe80⤵
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe82⤵
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe83⤵PID:2816
-
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe84⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe85⤵PID:948
-
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe87⤵PID:1632
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe88⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe89⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe90⤵PID:2912
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1164 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe95⤵
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe96⤵PID:568
-
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe97⤵
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe99⤵PID:944
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe100⤵PID:1540
-
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe101⤵PID:1160
-
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe104⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe105⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe106⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe107⤵PID:2204
-
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe108⤵PID:2184
-
C:\Windows\SysWOW64\Lpbefoai.exeC:\Windows\system32\Lpbefoai.exe109⤵PID:1420
-
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe110⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:588 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe112⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1436 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe115⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe116⤵PID:2672
-
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe117⤵PID:2480
-
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe118⤵PID:2376
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe119⤵PID:1568
-
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe120⤵PID:1944
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe121⤵
- Modifies registry class
PID:2324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-