Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
20-05-2024 04:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe
-
Size
56KB
-
MD5
ac86091473a85852a4f137fd63545d40
-
SHA1
6ce143745115e2d57c620899a702a0759fdfc955
-
SHA256
c5dac20ba204809ff98914f3cff23edbd8d87316e48a56932e95e27ac2e9439d
-
SHA512
aa91f9e14fdceac5d3ff640e4616411e8068c6d87f1d794a9ec829af2a2cee9b17bcf23e60d7843bdf84d538902468a3f1e27b8827c8a9a91bc7b1488b92b8fd
-
SSDEEP
768:+fygDK6VBSY+he/EZaJUC6cCl87Qmo8GvWzWvJHCL1VlnUlNFGITf2/1H5RXdnh:+fyIVM3tJC6tOQmSIEJ67lnU348fsh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idklfpon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjqccigf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adjigg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjgoce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkpbgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmkghcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkbcln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiakjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbcpbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeddafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqideepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doehqead.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgldibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmjedoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppamme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhmpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkppbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkdgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflomnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldlqakb.exe -
Executes dropped EXE 64 IoCs
pid Process 2676 Piehkkcl.exe 2556 Ppoqge32.exe 2488 Pnbacbac.exe 2728 Pfiidobe.exe 2352 Pigeqkai.exe 2848 Phjelg32.exe 1456 Ppamme32.exe 2624 Pbpjiphi.exe 2712 Penfelgm.exe 1840 Qhmbagfa.exe 1628 Qjknnbed.exe 808 Qbbfopeg.exe 1188 Qeqbkkej.exe 2724 Qdccfh32.exe 2452 Qjmkcbcb.exe 876 Qagcpljo.exe 700 Qecoqk32.exe 1876 Ahakmf32.exe 1576 Afdlhchf.exe 2636 Amndem32.exe 1712 Aplpai32.exe 1744 Ahchbf32.exe 920 Affhncfc.exe 2044 Ajbdna32.exe 2120 Aalmklfi.exe 1640 Adjigg32.exe 3064 Ajdadamj.exe 2648 Ambmpmln.exe 2396 Alenki32.exe 1148 Apajlhka.exe 2520 Afkbib32.exe 2348 Aiinen32.exe 1620 Aoffmd32.exe 2840 Abbbnchb.exe 1496 Aepojo32.exe 328 Ahokfj32.exe 1780 Aljgfioc.exe 1796 Bpfcgg32.exe 1192 Boiccdnf.exe 1436 Bagpopmj.exe 856 Bingpmnl.exe 2852 Bhahlj32.exe 1684 Blmdlhmp.exe 672 Bkodhe32.exe 1228 Bdhhqk32.exe 2696 Bhcdaibd.exe 760 Bkaqmeah.exe 2932 Bnpmipql.exe 2292 Balijo32.exe 2920 Bdjefj32.exe 2944 Bhfagipa.exe 2936 Bghabf32.exe 2880 Bkdmcdoe.exe 2552 Bopicc32.exe 2844 Banepo32.exe 1040 Bpafkknm.exe 1932 Bhhnli32.exe 2388 Bgknheej.exe 2628 Bkfjhd32.exe 1464 Bjijdadm.exe 2492 Bjijdadm.exe 2068 Bnefdp32.exe 2328 Baqbenep.exe 2256 Bpcbqk32.exe -
Loads dropped DLL 64 IoCs
pid Process 1724 ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe 1724 ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe 2676 Piehkkcl.exe 2676 Piehkkcl.exe 2556 Ppoqge32.exe 2556 Ppoqge32.exe 2488 Pnbacbac.exe 2488 Pnbacbac.exe 2728 Pfiidobe.exe 2728 Pfiidobe.exe 2352 Pigeqkai.exe 2352 Pigeqkai.exe 2848 Phjelg32.exe 2848 Phjelg32.exe 1456 Ppamme32.exe 1456 Ppamme32.exe 2624 Pbpjiphi.exe 2624 Pbpjiphi.exe 2712 Penfelgm.exe 2712 Penfelgm.exe 1840 Qhmbagfa.exe 1840 Qhmbagfa.exe 1628 Qjknnbed.exe 1628 Qjknnbed.exe 808 Qbbfopeg.exe 808 Qbbfopeg.exe 1188 Qeqbkkej.exe 1188 Qeqbkkej.exe 2724 Qdccfh32.exe 2724 Qdccfh32.exe 2452 Qjmkcbcb.exe 2452 Qjmkcbcb.exe 876 Qagcpljo.exe 876 Qagcpljo.exe 700 Qecoqk32.exe 700 Qecoqk32.exe 1876 Ahakmf32.exe 1876 Ahakmf32.exe 1576 Afdlhchf.exe 1576 Afdlhchf.exe 2636 Amndem32.exe 2636 Amndem32.exe 1712 Aplpai32.exe 1712 Aplpai32.exe 1744 Ahchbf32.exe 1744 Ahchbf32.exe 920 Affhncfc.exe 920 Affhncfc.exe 2044 Ajbdna32.exe 2044 Ajbdna32.exe 2120 Aalmklfi.exe 2120 Aalmklfi.exe 1640 Adjigg32.exe 1640 Adjigg32.exe 3064 Ajdadamj.exe 3064 Ajdadamj.exe 2648 Ambmpmln.exe 2648 Ambmpmln.exe 2396 Alenki32.exe 2396 Alenki32.exe 1148 Apajlhka.exe 1148 Apajlhka.exe 2520 Afkbib32.exe 2520 Afkbib32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Facdeo32.exe Filldb32.exe File opened for modification C:\Windows\SysWOW64\Ikbgmj32.exe Iggkllpe.exe File created C:\Windows\SysWOW64\Ajdadamj.exe Adjigg32.exe File created C:\Windows\SysWOW64\Gkihhhnm.exe Gelppaof.exe File created C:\Windows\SysWOW64\Aiinen32.exe Afkbib32.exe File created C:\Windows\SysWOW64\Gclcefmh.dll Ccdlbf32.exe File opened for modification C:\Windows\SysWOW64\Ejbfhfaj.exe Egdilkbf.exe File created C:\Windows\SysWOW64\Eiehea32.dll Iqopea32.exe File created C:\Windows\SysWOW64\Pqhpdhcc.exe Pbfpik32.exe File opened for modification C:\Windows\SysWOW64\Ejmebq32.exe Egoife32.exe File created C:\Windows\SysWOW64\Odbkcj32.dll Ppamme32.exe File created C:\Windows\SysWOW64\Bghabf32.exe Bhfagipa.exe File created C:\Windows\SysWOW64\Hfmpcjge.dll Bjijdadm.exe File opened for modification C:\Windows\SysWOW64\Djpmccqq.exe Dgaqgh32.exe File created C:\Windows\SysWOW64\Eqonkmdh.exe Emcbkn32.exe File created C:\Windows\SysWOW64\Iqopea32.exe Iblpjdpk.exe File created C:\Windows\SysWOW64\Afldcl32.dll Kihqkagp.exe File created C:\Windows\SysWOW64\Obafnlpn.exe Ocnfbo32.exe File created C:\Windows\SysWOW64\Cjdfmo32.exe Cgejac32.exe File created C:\Windows\SysWOW64\Aabagnfc.dll Ekelld32.exe File opened for modification C:\Windows\SysWOW64\Claifkkf.exe Chemfl32.exe File created C:\Windows\SysWOW64\Omeope32.dll Chhjkl32.exe File created C:\Windows\SysWOW64\Gpmcnehn.dll Idmhkpml.exe File created C:\Windows\SysWOW64\Igkdgk32.exe Icpigm32.exe File opened for modification C:\Windows\SysWOW64\Pnomcl32.exe Pjcabmga.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Qpgpkcpp.exe Qlkdkd32.exe File opened for modification C:\Windows\SysWOW64\Comimg32.exe Cpjiajeb.exe File created C:\Windows\SysWOW64\Gmjaic32.exe Gogangdc.exe File created C:\Windows\SysWOW64\Ejdmpb32.dll Hhmepp32.exe File created C:\Windows\SysWOW64\Bahbme32.dll Joifam32.exe File created C:\Windows\SysWOW64\Baoohhdn.dll Kcbakpdo.exe File created C:\Windows\SysWOW64\Mcbjgn32.exe Mdpjlajk.exe File opened for modification C:\Windows\SysWOW64\Dojald32.exe Djmicm32.exe File opened for modification C:\Windows\SysWOW64\Cljcelan.exe Cjlgiqbk.exe File opened for modification C:\Windows\SysWOW64\Dkkpbgli.exe Dgodbh32.exe File opened for modification C:\Windows\SysWOW64\Dqlafm32.exe Dmafennb.exe File created C:\Windows\SysWOW64\Bbhela32.exe Bafidiio.exe File created C:\Windows\SysWOW64\Ekhhadmk.exe Ecqqpgli.exe File opened for modification C:\Windows\SysWOW64\Edpmjj32.exe Emieil32.exe File opened for modification C:\Windows\SysWOW64\Bhfagipa.exe Bdjefj32.exe File opened for modification C:\Windows\SysWOW64\Bkdmcdoe.exe Bghabf32.exe File created C:\Windows\SysWOW64\Ndpfkdmf.exe Npdjje32.exe File opened for modification C:\Windows\SysWOW64\Oikojfgk.exe Odobjg32.exe File created C:\Windows\SysWOW64\Ogdafiei.dll Pcnbablo.exe File created C:\Windows\SysWOW64\Ilcbjpbn.dll Bpgljfbl.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File created C:\Windows\SysWOW64\Mghjoa32.dll Dgodbh32.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Cnkajfop.dll Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Jkbcln32.exe Jmocpado.exe File created C:\Windows\SysWOW64\Mhbped32.exe Miooigfo.exe File opened for modification C:\Windows\SysWOW64\Bioqclil.exe Bfadgq32.exe File created C:\Windows\SysWOW64\Ambmpmln.exe Ajdadamj.exe File created C:\Windows\SysWOW64\Bcinmgng.dll Kiccofna.exe File created C:\Windows\SysWOW64\Nefpnhlc.exe Najdnj32.exe File opened for modification C:\Windows\SysWOW64\Obafnlpn.exe Ocnfbo32.exe File created C:\Windows\SysWOW64\Pjcabmga.exe Pciifc32.exe File created C:\Windows\SysWOW64\Lfnjef32.dll Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Bkaqmeah.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Jfojbj32.dll Igkdgk32.exe File opened for modification C:\Windows\SysWOW64\Cpjiajeb.exe Clomqk32.exe File created C:\Windows\SysWOW64\Cndbcc32.exe Cobbhfhg.exe File opened for modification C:\Windows\SysWOW64\Mhgmapfi.exe Mamddf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6124 6088 WerFault.exe 531 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjjmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilbgbe32.dll" Pamiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlkdkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcbllb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbnnqb32.dll" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpimg32.dll" Bblogakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodppf32.dll" Penfelgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnlic32.dll" Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgdhjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiejdkkn.dll" Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaplbi32.dll" Pqhpdhcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll" Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddnkjk.dll" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jonplmcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjqhmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnlidb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlcgibn.dll" Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmbgl32.dll" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkallc.dll" Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdcdhpk.dll" Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkdmcdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpjiajeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdipg32.dll" Jofiln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekkdc32.dll" Bhkdeggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoliecf.dll" Jfekcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmpfjke.dll" Kcfkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckccgane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqonkmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknqdmpf.dll" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahbme32.dll" Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll" Fdoclk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2676 1724 ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe 28 PID 1724 wrote to memory of 2676 1724 ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe 28 PID 1724 wrote to memory of 2676 1724 ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe 28 PID 1724 wrote to memory of 2676 1724 ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe 28 PID 2676 wrote to memory of 2556 2676 Piehkkcl.exe 29 PID 2676 wrote to memory of 2556 2676 Piehkkcl.exe 29 PID 2676 wrote to memory of 2556 2676 Piehkkcl.exe 29 PID 2676 wrote to memory of 2556 2676 Piehkkcl.exe 29 PID 2556 wrote to memory of 2488 2556 Ppoqge32.exe 30 PID 2556 wrote to memory of 2488 2556 Ppoqge32.exe 30 PID 2556 wrote to memory of 2488 2556 Ppoqge32.exe 30 PID 2556 wrote to memory of 2488 2556 Ppoqge32.exe 30 PID 2488 wrote to memory of 2728 2488 Pnbacbac.exe 31 PID 2488 wrote to memory of 2728 2488 Pnbacbac.exe 31 PID 2488 wrote to memory of 2728 2488 Pnbacbac.exe 31 PID 2488 wrote to memory of 2728 2488 Pnbacbac.exe 31 PID 2728 wrote to memory of 2352 2728 Pfiidobe.exe 32 PID 2728 wrote to memory of 2352 2728 Pfiidobe.exe 32 PID 2728 wrote to memory of 2352 2728 Pfiidobe.exe 32 PID 2728 wrote to memory of 2352 2728 Pfiidobe.exe 32 PID 2352 wrote to memory of 2848 2352 Pigeqkai.exe 33 PID 2352 wrote to memory of 2848 2352 Pigeqkai.exe 33 PID 2352 wrote to memory of 2848 2352 Pigeqkai.exe 33 PID 2352 wrote to memory of 2848 2352 Pigeqkai.exe 33 PID 2848 wrote to memory of 1456 2848 Phjelg32.exe 34 PID 2848 wrote to memory of 1456 2848 Phjelg32.exe 34 PID 2848 wrote to memory of 1456 2848 Phjelg32.exe 34 PID 2848 wrote to memory of 1456 2848 Phjelg32.exe 34 PID 1456 wrote to memory of 2624 1456 Ppamme32.exe 35 PID 1456 wrote to memory of 2624 1456 Ppamme32.exe 35 PID 1456 wrote to memory of 2624 1456 Ppamme32.exe 35 PID 1456 wrote to memory of 2624 1456 Ppamme32.exe 35 PID 2624 wrote to memory of 2712 2624 Pbpjiphi.exe 36 PID 2624 wrote to memory of 2712 2624 Pbpjiphi.exe 36 PID 2624 wrote to memory of 2712 2624 Pbpjiphi.exe 36 PID 2624 wrote to memory of 2712 2624 Pbpjiphi.exe 36 PID 2712 wrote to memory of 1840 2712 Penfelgm.exe 37 PID 2712 wrote to memory of 1840 2712 Penfelgm.exe 37 PID 2712 wrote to memory of 1840 2712 Penfelgm.exe 37 PID 2712 wrote to memory of 1840 2712 Penfelgm.exe 37 PID 1840 wrote to memory of 1628 1840 Qhmbagfa.exe 38 PID 1840 wrote to memory of 1628 1840 Qhmbagfa.exe 38 PID 1840 wrote to memory of 1628 1840 Qhmbagfa.exe 38 PID 1840 wrote to memory of 1628 1840 Qhmbagfa.exe 38 PID 1628 wrote to memory of 808 1628 Qjknnbed.exe 39 PID 1628 wrote to memory of 808 1628 Qjknnbed.exe 39 PID 1628 wrote to memory of 808 1628 Qjknnbed.exe 39 PID 1628 wrote to memory of 808 1628 Qjknnbed.exe 39 PID 808 wrote to memory of 1188 808 Qbbfopeg.exe 40 PID 808 wrote to memory of 1188 808 Qbbfopeg.exe 40 PID 808 wrote to memory of 1188 808 Qbbfopeg.exe 40 PID 808 wrote to memory of 1188 808 Qbbfopeg.exe 40 PID 1188 wrote to memory of 2724 1188 Qeqbkkej.exe 41 PID 1188 wrote to memory of 2724 1188 Qeqbkkej.exe 41 PID 1188 wrote to memory of 2724 1188 Qeqbkkej.exe 41 PID 1188 wrote to memory of 2724 1188 Qeqbkkej.exe 41 PID 2724 wrote to memory of 2452 2724 Qdccfh32.exe 42 PID 2724 wrote to memory of 2452 2724 Qdccfh32.exe 42 PID 2724 wrote to memory of 2452 2724 Qdccfh32.exe 42 PID 2724 wrote to memory of 2452 2724 Qdccfh32.exe 42 PID 2452 wrote to memory of 876 2452 Qjmkcbcb.exe 43 PID 2452 wrote to memory of 876 2452 Qjmkcbcb.exe 43 PID 2452 wrote to memory of 876 2452 Qjmkcbcb.exe 43 PID 2452 wrote to memory of 876 2452 Qjmkcbcb.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ac86091473a85852a4f137fd63545d40_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe34⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe35⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe36⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe38⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe39⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe40⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe42⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe44⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe46⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe48⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe49⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe50⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe55⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe56⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe57⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe58⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe59⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe60⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe61⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe63⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe64⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe65⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe66⤵PID:1156
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe67⤵PID:576
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe68⤵PID:1608
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe69⤵PID:2948
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe70⤵
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe71⤵PID:1716
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe72⤵PID:3012
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe73⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe75⤵PID:2008
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe77⤵PID:1444
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe78⤵PID:2584
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe79⤵PID:2444
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe80⤵PID:1164
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe81⤵PID:1872
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe82⤵PID:580
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe83⤵PID:2012
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe85⤵PID:2988
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe86⤵PID:1424
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe87⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe90⤵PID:2460
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe91⤵PID:2516
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe92⤵PID:2860
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe93⤵
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe94⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe95⤵PID:1940
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe96⤵PID:1380
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe97⤵PID:1616
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe98⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe99⤵PID:2184
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe100⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe101⤵PID:324
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe102⤵PID:784
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe103⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe104⤵PID:684
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe107⤵PID:240
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe108⤵PID:2472
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe109⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe111⤵PID:1960
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe112⤵PID:2596
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe113⤵PID:2140
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe114⤵PID:2600
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe115⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe117⤵PID:1656
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe119⤵PID:1552
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe120⤵PID:2512
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe121⤵PID:1584
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-