Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 06:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe
-
Size
67KB
-
MD5
b5942676365fb2a6bd9345ee6a670920
-
SHA1
14c72e4945aacc2ddd0724bedbe1448823b18f29
-
SHA256
023cd1db5d72c5f8f9b64b8620ab326044b4a2b23a5041415a6f4a5076d480e7
-
SHA512
4319fe08d86e381ed6fb7d884e0edaeb612e360112430e90e921cc63bd429524261b45cfe2e0a701b844838a3ed4ec85f0ad2769d1345315d857eaed040eb16c
-
SSDEEP
1536:p1bpJ3jSl2Ba9xLIVFAlP2A6o9DtoZU7RQzdR/Rj:pdzSlEyhIVmJ21oZtRezdVx
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfgdhjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilknfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkpfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfegmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfdgiid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbggnhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aadloj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhiffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbfabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gelppaof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfhll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpknlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iblpjdpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkeimlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhkbkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leajdfnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddigjkid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boiccdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpgmhai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahlgfdeq.exe -
Executes dropped EXE 64 IoCs
pid Process 2372 Pbpjiphi.exe 2648 Qlhnbf32.exe 2768 Qaefjm32.exe 2564 Qhooggdn.exe 2580 Qjmkcbcb.exe 2560 Ahakmf32.exe 2604 Ankdiqih.exe 2792 Aplpai32.exe 2912 Ahchbf32.exe 1068 Ampqjm32.exe 1516 Apomfh32.exe 1896 Afiecb32.exe 2616 Ajdadamj.exe 1764 Alenki32.exe 1284 Admemg32.exe 3012 Aiinen32.exe 668 Alhjai32.exe 720 Abbbnchb.exe 2080 Aepojo32.exe 1140 Ahokfj32.exe 2524 Aljgfioc.exe 2036 Boiccdnf.exe 1660 Bagpopmj.exe 844 Bingpmnl.exe 2256 Bkodhe32.exe 3048 Bbflib32.exe 1568 Bhcdaibd.exe 1236 Balijo32.exe 2780 Begeknan.exe 2752 Bdjefj32.exe 2900 Bkdmcdoe.exe 2608 Bpafkknm.exe 2600 Bhhnli32.exe 2320 Bgknheej.exe 2816 Baqbenep.exe 2944 Cgmkmecg.exe 2972 Cngcjo32.exe 272 Cljcelan.exe 1728 Cgpgce32.exe 288 Cfbhnaho.exe 2516 Coklgg32.exe 1288 Comimg32.exe 2068 Cbkeib32.exe 684 Cfgaiaci.exe 1604 Ckdjbh32.exe 1952 Cckace32.exe 2376 Cdlnkmha.exe 2008 Chhjkl32.exe 2000 Cobbhfhg.exe 748 Dflkdp32.exe 1304 Dgmglh32.exe 3040 Dodonf32.exe 2304 Ddagfm32.exe 1256 Dgodbh32.exe 2676 Dkkpbgli.exe 2696 Djnpnc32.exe 2620 Dbehoa32.exe 864 Dqhhknjp.exe 2924 Dcfdgiid.exe 2964 Dkmmhf32.exe 2004 Djpmccqq.exe 2820 Dqjepm32.exe 344 Dchali32.exe 2268 Dgdmmgpj.exe -
Loads dropped DLL 64 IoCs
pid Process 2228 b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe 2228 b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe 2372 Pbpjiphi.exe 2372 Pbpjiphi.exe 2648 Qlhnbf32.exe 2648 Qlhnbf32.exe 2768 Qaefjm32.exe 2768 Qaefjm32.exe 2564 Qhooggdn.exe 2564 Qhooggdn.exe 2580 Qjmkcbcb.exe 2580 Qjmkcbcb.exe 2560 Ahakmf32.exe 2560 Ahakmf32.exe 2604 Ankdiqih.exe 2604 Ankdiqih.exe 2792 Aplpai32.exe 2792 Aplpai32.exe 2912 Ahchbf32.exe 2912 Ahchbf32.exe 1068 Ampqjm32.exe 1068 Ampqjm32.exe 1516 Apomfh32.exe 1516 Apomfh32.exe 1896 Afiecb32.exe 1896 Afiecb32.exe 2616 Ajdadamj.exe 2616 Ajdadamj.exe 1764 Alenki32.exe 1764 Alenki32.exe 1284 Admemg32.exe 1284 Admemg32.exe 3012 Aiinen32.exe 3012 Aiinen32.exe 668 Alhjai32.exe 668 Alhjai32.exe 720 Abbbnchb.exe 720 Abbbnchb.exe 2080 Aepojo32.exe 2080 Aepojo32.exe 1140 Ahokfj32.exe 1140 Ahokfj32.exe 2524 Aljgfioc.exe 2524 Aljgfioc.exe 2036 Boiccdnf.exe 2036 Boiccdnf.exe 1660 Bagpopmj.exe 1660 Bagpopmj.exe 844 Bingpmnl.exe 844 Bingpmnl.exe 2256 Bkodhe32.exe 2256 Bkodhe32.exe 3048 Bbflib32.exe 3048 Bbflib32.exe 1568 Bhcdaibd.exe 1568 Bhcdaibd.exe 1236 Balijo32.exe 1236 Balijo32.exe 2780 Begeknan.exe 2780 Begeknan.exe 2752 Bdjefj32.exe 2752 Bdjefj32.exe 2900 Bkdmcdoe.exe 2900 Bkdmcdoe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dchfknpg.dll Fhffaj32.exe File opened for modification C:\Windows\SysWOW64\Ifnechbj.exe Igkdgk32.exe File created C:\Windows\SysWOW64\Jneohcll.dll Anccmo32.exe File created C:\Windows\SysWOW64\Midahn32.dll Eajaoq32.exe File opened for modification C:\Windows\SysWOW64\Gkihhhnm.exe Glfhll32.exe File created C:\Windows\SysWOW64\Djmccf32.dll Idmhkpml.exe File created C:\Windows\SysWOW64\Jfjoqjhi.dll Lbcnhjnj.exe File opened for modification C:\Windows\SysWOW64\Mimbdhhb.exe Mcbjgn32.exe File opened for modification C:\Windows\SysWOW64\Oopnlacm.exe Oqmmpd32.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pfjbgnme.exe File created C:\Windows\SysWOW64\Loinmo32.dll Cghggc32.exe File created C:\Windows\SysWOW64\Dndlim32.exe Dfmdho32.exe File opened for modification C:\Windows\SysWOW64\Ecmkghcl.exe Epaogi32.exe File created C:\Windows\SysWOW64\Ebgacddo.exe Elmigj32.exe File opened for modification C:\Windows\SysWOW64\Facdeo32.exe Fmhheqje.exe File created C:\Windows\SysWOW64\Hpkjko32.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Mgljbm32.exe Mdmmfa32.exe File created C:\Windows\SysWOW64\Fljdpbcc.dll Nkgbbo32.exe File created C:\Windows\SysWOW64\Aagancdj.dll Llfifq32.exe File created C:\Windows\SysWOW64\Plnoej32.dll Dlgldibq.exe File created C:\Windows\SysWOW64\Afiecb32.exe Apomfh32.exe File created C:\Windows\SysWOW64\Abbbnchb.exe Alhjai32.exe File created C:\Windows\SysWOW64\Efjcibje.dll Ebgacddo.exe File created C:\Windows\SysWOW64\Miikgeea.dll Nhkbkc32.exe File created C:\Windows\SysWOW64\Ebjglbml.exe Echfaf32.exe File created C:\Windows\SysWOW64\Kkjjld32.dll Pbpjiphi.exe File created C:\Windows\SysWOW64\Keledb32.dll Cdlnkmha.exe File created C:\Windows\SysWOW64\Epgnljad.dll Dcfdgiid.exe File created C:\Windows\SysWOW64\Ofmbnkhg.exe Ocnfbo32.exe File created C:\Windows\SysWOW64\Ooeggp32.exe Okikfagn.exe File created C:\Windows\SysWOW64\Pfjbgnme.exe Pclfkc32.exe File opened for modification C:\Windows\SysWOW64\Dolnad32.exe Dkqbaecc.exe File opened for modification C:\Windows\SysWOW64\Chnqkg32.exe Ceodnl32.exe File created C:\Windows\SysWOW64\Bnpmlfkm.dll Efppoc32.exe File created C:\Windows\SysWOW64\Jcgogk32.exe Jkpgfn32.exe File opened for modification C:\Windows\SysWOW64\Kkgmgmfd.exe Kgkafo32.exe File created C:\Windows\SysWOW64\Ldlimbcf.dll Kneicieh.exe File created C:\Windows\SysWOW64\Nondgn32.exe Nkbhgojk.exe File created C:\Windows\SysWOW64\Nkeelohh.exe Nhfipcid.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Omdneebf.exe File opened for modification C:\Windows\SysWOW64\Dhbfdjdp.exe Dfdjhndl.exe File created C:\Windows\SysWOW64\Ghkdol32.dll Cbkeib32.exe File created C:\Windows\SysWOW64\Pfdjfphi.dll Lbnemk32.exe File created C:\Windows\SysWOW64\Ngpolo32.exe Ndbcpd32.exe File opened for modification C:\Windows\SysWOW64\Ojahnj32.exe Ofelmloo.exe File created C:\Windows\SysWOW64\Bgmlpbdc.dll Pnjdhmdo.exe File created C:\Windows\SysWOW64\Amkpegnj.exe Qfahhm32.exe File created C:\Windows\SysWOW64\Afcenm32.exe Anlmmp32.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe Hpkjko32.exe File opened for modification C:\Windows\SysWOW64\Mhbped32.exe Meccii32.exe File created C:\Windows\SysWOW64\Hgggfhdc.dll Okgnab32.exe File created C:\Windows\SysWOW64\Incpoe32.exe Ikddbj32.exe File opened for modification C:\Windows\SysWOW64\Jofiln32.exe Jmhmpb32.exe File created C:\Windows\SysWOW64\Kaaijdgn.exe Jnclnihj.exe File created C:\Windows\SysWOW64\Kaceodek.exe Kneicieh.exe File opened for modification C:\Windows\SysWOW64\Kgbggnhc.exe Kpkofpgq.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Mncnkh32.dll Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Kkijmm32.exe Kgnnln32.exe File created C:\Windows\SysWOW64\Kgpjanje.exe Kcdnao32.exe File opened for modification C:\Windows\SysWOW64\Qmicohqm.exe Qimhoi32.exe File opened for modification C:\Windows\SysWOW64\Alhjai32.exe Aiinen32.exe File opened for modification C:\Windows\SysWOW64\Ffpmnf32.exe Fdapak32.exe File created C:\Windows\SysWOW64\Gjlegpjp.dll Ncgdbmmp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5496 5460 WerFault.exe 501 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" Dnneja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eeqdep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfommp32.dll" Pamiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqaac32.dll" Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfjbgnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfgaiaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijbioba.dll" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnhde32.dll" Qmfgjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdkpbk32.dll" Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhmenjp.dll" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objbcm32.dll" Pbhmnkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpleef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kemejc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmdjdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Eqdajkkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiqoh32.dll" Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljdpbcc.dll" Nkgbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddnkjk.dll" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmngmj32.dll" Jnclnihj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Biicik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Amfcikek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll" Dkcofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmfmihf.dll" Jehkodcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohfeog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fnbkddem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncgdbmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Papfegmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeahel32.dll" Aiinen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fehjeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pienahqb.dll" Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpkjko32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2228 wrote to memory of 2372 2228 b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe 28 PID 2228 wrote to memory of 2372 2228 b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe 28 PID 2228 wrote to memory of 2372 2228 b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe 28 PID 2228 wrote to memory of 2372 2228 b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe 28 PID 2372 wrote to memory of 2648 2372 Pbpjiphi.exe 29 PID 2372 wrote to memory of 2648 2372 Pbpjiphi.exe 29 PID 2372 wrote to memory of 2648 2372 Pbpjiphi.exe 29 PID 2372 wrote to memory of 2648 2372 Pbpjiphi.exe 29 PID 2648 wrote to memory of 2768 2648 Qlhnbf32.exe 30 PID 2648 wrote to memory of 2768 2648 Qlhnbf32.exe 30 PID 2648 wrote to memory of 2768 2648 Qlhnbf32.exe 30 PID 2648 wrote to memory of 2768 2648 Qlhnbf32.exe 30 PID 2768 wrote to memory of 2564 2768 Qaefjm32.exe 31 PID 2768 wrote to memory of 2564 2768 Qaefjm32.exe 31 PID 2768 wrote to memory of 2564 2768 Qaefjm32.exe 31 PID 2768 wrote to memory of 2564 2768 Qaefjm32.exe 31 PID 2564 wrote to memory of 2580 2564 Qhooggdn.exe 32 PID 2564 wrote to memory of 2580 2564 Qhooggdn.exe 32 PID 2564 wrote to memory of 2580 2564 Qhooggdn.exe 32 PID 2564 wrote to memory of 2580 2564 Qhooggdn.exe 32 PID 2580 wrote to memory of 2560 2580 Qjmkcbcb.exe 33 PID 2580 wrote to memory of 2560 2580 Qjmkcbcb.exe 33 PID 2580 wrote to memory of 2560 2580 Qjmkcbcb.exe 33 PID 2580 wrote to memory of 2560 2580 Qjmkcbcb.exe 33 PID 2560 wrote to memory of 2604 2560 Ahakmf32.exe 34 PID 2560 wrote to memory of 2604 2560 Ahakmf32.exe 34 PID 2560 wrote to memory of 2604 2560 Ahakmf32.exe 34 PID 2560 wrote to memory of 2604 2560 Ahakmf32.exe 34 PID 2604 wrote to memory of 2792 2604 Ankdiqih.exe 35 PID 2604 wrote to memory of 2792 2604 Ankdiqih.exe 35 PID 2604 wrote to memory of 2792 2604 Ankdiqih.exe 35 PID 2604 wrote to memory of 2792 2604 Ankdiqih.exe 35 PID 2792 wrote to memory of 2912 2792 Aplpai32.exe 36 PID 2792 wrote to memory of 2912 2792 Aplpai32.exe 36 PID 2792 wrote to memory of 2912 2792 Aplpai32.exe 36 PID 2792 wrote to memory of 2912 2792 Aplpai32.exe 36 PID 2912 wrote to memory of 1068 2912 Ahchbf32.exe 37 PID 2912 wrote to memory of 1068 2912 Ahchbf32.exe 37 PID 2912 wrote to memory of 1068 2912 Ahchbf32.exe 37 PID 2912 wrote to memory of 1068 2912 Ahchbf32.exe 37 PID 1068 wrote to memory of 1516 1068 Ampqjm32.exe 38 PID 1068 wrote to memory of 1516 1068 Ampqjm32.exe 38 PID 1068 wrote to memory of 1516 1068 Ampqjm32.exe 38 PID 1068 wrote to memory of 1516 1068 Ampqjm32.exe 38 PID 1516 wrote to memory of 1896 1516 Apomfh32.exe 39 PID 1516 wrote to memory of 1896 1516 Apomfh32.exe 39 PID 1516 wrote to memory of 1896 1516 Apomfh32.exe 39 PID 1516 wrote to memory of 1896 1516 Apomfh32.exe 39 PID 1896 wrote to memory of 2616 1896 Afiecb32.exe 40 PID 1896 wrote to memory of 2616 1896 Afiecb32.exe 40 PID 1896 wrote to memory of 2616 1896 Afiecb32.exe 40 PID 1896 wrote to memory of 2616 1896 Afiecb32.exe 40 PID 2616 wrote to memory of 1764 2616 Ajdadamj.exe 41 PID 2616 wrote to memory of 1764 2616 Ajdadamj.exe 41 PID 2616 wrote to memory of 1764 2616 Ajdadamj.exe 41 PID 2616 wrote to memory of 1764 2616 Ajdadamj.exe 41 PID 1764 wrote to memory of 1284 1764 Alenki32.exe 42 PID 1764 wrote to memory of 1284 1764 Alenki32.exe 42 PID 1764 wrote to memory of 1284 1764 Alenki32.exe 42 PID 1764 wrote to memory of 1284 1764 Alenki32.exe 42 PID 1284 wrote to memory of 3012 1284 Admemg32.exe 43 PID 1284 wrote to memory of 3012 1284 Admemg32.exe 43 PID 1284 wrote to memory of 3012 1284 Admemg32.exe 43 PID 1284 wrote to memory of 3012 1284 Admemg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b5942676365fb2a6bd9345ee6a670920_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:720 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe33⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe34⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe37⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe38⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe39⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe40⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe41⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe43⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe47⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe49⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe50⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe51⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe52⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe53⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe54⤵PID:1344
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe55⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe56⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe57⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe60⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe62⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe64⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe65⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe66⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe67⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe68⤵PID:536
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe69⤵PID:1308
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe70⤵PID:828
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe71⤵PID:2432
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe72⤵PID:2392
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe73⤵PID:2300
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe74⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe75⤵PID:2688
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe76⤵PID:2708
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe77⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe78⤵PID:1212
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe79⤵PID:2892
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe80⤵PID:1696
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe82⤵PID:804
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe83⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe84⤵PID:1340
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe85⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe86⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe87⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe88⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe89⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe90⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe91⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe92⤵PID:2808
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe96⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe97⤵PID:2536
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe98⤵PID:1032
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe100⤵PID:1100
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe101⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe102⤵PID:268
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe103⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe104⤵PID:2364
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe106⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe107⤵PID:2812
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe108⤵
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe109⤵PID:1892
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe110⤵PID:1620
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe111⤵PID:2332
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe112⤵PID:3004
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe113⤵PID:308
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe114⤵PID:1532
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:280 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe116⤵PID:1208
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe118⤵PID:2940
-
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe119⤵PID:2772
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe120⤵PID:2868
-
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe121⤵PID:356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-