Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 06:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe
-
Size
322KB
-
MD5
d62111b0da25aa5c95c540e6be0669e0
-
SHA1
d97fe10bb42b54392ddd3cae4cb397746dc24266
-
SHA256
12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8
-
SHA512
29a13d56e7cbd73e907742a8e003e6ced610a03fa2b3de123efbcce4a193749bd3086f9574929b61d8a708d5021726eb2782743921cdcc9e7fec81a60137301f
-
SSDEEP
1536:J/5RPd3FsXXIUXBarWeHgNxzRQ4ETmDhdF+PhJFTq1dlCsTx4LB:J/5RP5FsHFKWeHue3SVGZ3Odl
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jifdebic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjlqhoba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejhlgaeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmneda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmolnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjfhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlngpjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkepi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kngfih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nekbmgcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfbpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gikaio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnkicn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igdogl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mholen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qcpofbjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fcjcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kincipnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjongcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hanlnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbkeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedleg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ginnnooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inkccpgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmfkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofjfhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febfomdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgbebiao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfgdhjmk.exe -
Executes dropped EXE 64 IoCs
pid Process 2064 Bnbjopoi.exe 2052 Bgknheej.exe 2612 Cljcelan.exe 2200 Cfbhnaho.exe 3000 Cjpqdp32.exe 2424 Cbkeib32.exe 2928 Cckace32.exe 2644 Clcflkic.exe 2776 Ddokpmfo.exe 1772 Dngoibmo.exe 1356 Djnpnc32.exe 2656 Dcfdgiid.exe 1112 Dqjepm32.exe 2972 Dnneja32.exe 1932 Dgfjbgmh.exe 2504 Eqonkmdh.exe 1916 Emeopn32.exe 1760 Ebbgid32.exe 1948 Eeqdep32.exe 1272 Epfhbign.exe 336 Efppoc32.exe 780 Egamfkdh.exe 2080 Eajaoq32.exe 2348 Eloemi32.exe 2364 Ealnephf.exe 2100 Flabbihl.exe 2344 Fnpnndgp.exe 1644 Fcmgfkeg.exe 1604 Fmekoalh.exe 2568 Faagpp32.exe 2440 Fhkpmjln.exe 2460 Fmhheqje.exe 2468 Ffpmnf32.exe 1884 Fjlhneio.exe 2740 Fddmgjpo.exe 2792 Fiaeoang.exe 1856 Gonnhhln.exe 1432 Gbijhg32.exe 1228 Ghfbqn32.exe 1176 Gopkmhjk.exe 1668 Gieojq32.exe 2892 Gbnccfpb.exe 2196 Ghkllmoi.exe 1400 Gmgdddmq.exe 2936 Gacpdbej.exe 1700 Ghmiam32.exe 2272 Gogangdc.exe 552 Gmjaic32.exe 3032 Gphmeo32.exe 1396 Hgbebiao.exe 316 Hknach32.exe 2308 Hahjpbad.exe 2184 Hcifgjgc.exe 2684 Hkpnhgge.exe 2672 Hlakpp32.exe 2524 Hdhbam32.exe 2452 Hggomh32.exe 3004 Hnagjbdf.exe 2508 Hpocfncj.exe 892 Hcnpbi32.exe 868 Hhjhkq32.exe 2380 Hlfdkoin.exe 852 Hcplhi32.exe 2032 Henidd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2076 12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe 2076 12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe 2064 Bnbjopoi.exe 2064 Bnbjopoi.exe 2052 Bgknheej.exe 2052 Bgknheej.exe 2612 Cljcelan.exe 2612 Cljcelan.exe 2200 Cfbhnaho.exe 2200 Cfbhnaho.exe 3000 Cjpqdp32.exe 3000 Cjpqdp32.exe 2424 Cbkeib32.exe 2424 Cbkeib32.exe 2928 Cckace32.exe 2928 Cckace32.exe 2644 Clcflkic.exe 2644 Clcflkic.exe 2776 Ddokpmfo.exe 2776 Ddokpmfo.exe 1772 Dngoibmo.exe 1772 Dngoibmo.exe 1356 Djnpnc32.exe 1356 Djnpnc32.exe 2656 Dcfdgiid.exe 2656 Dcfdgiid.exe 1112 Dqjepm32.exe 1112 Dqjepm32.exe 2972 Dnneja32.exe 2972 Dnneja32.exe 1932 Dgfjbgmh.exe 1932 Dgfjbgmh.exe 2504 Eqonkmdh.exe 2504 Eqonkmdh.exe 1916 Emeopn32.exe 1916 Emeopn32.exe 1760 Ebbgid32.exe 1760 Ebbgid32.exe 1948 Eeqdep32.exe 1948 Eeqdep32.exe 1272 Epfhbign.exe 1272 Epfhbign.exe 336 Efppoc32.exe 336 Efppoc32.exe 780 Egamfkdh.exe 780 Egamfkdh.exe 2080 Eajaoq32.exe 2080 Eajaoq32.exe 2348 Eloemi32.exe 2348 Eloemi32.exe 2364 Ealnephf.exe 2364 Ealnephf.exe 2100 Flabbihl.exe 2100 Flabbihl.exe 2344 Fnpnndgp.exe 2344 Fnpnndgp.exe 1644 Fcmgfkeg.exe 1644 Fcmgfkeg.exe 1604 Fmekoalh.exe 1604 Fmekoalh.exe 2568 Faagpp32.exe 2568 Faagpp32.exe 2440 Fhkpmjln.exe 2440 Fhkpmjln.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Febfomdd.exe Fbdjbaea.exe File opened for modification C:\Windows\SysWOW64\Lcagpl32.exe Lmgocb32.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hcifgjgc.exe File created C:\Windows\SysWOW64\Henidd32.exe Hcplhi32.exe File opened for modification C:\Windows\SysWOW64\Hogmmjfo.exe Hlhaqogk.exe File opened for modification C:\Windows\SysWOW64\Biicik32.exe Bbokmqie.exe File created C:\Windows\SysWOW64\Lklohbmo.dll Cghggc32.exe File opened for modification C:\Windows\SysWOW64\Kincipnk.exe Kfpgmdog.exe File created C:\Windows\SysWOW64\Kohkfj32.exe Kincipnk.exe File created C:\Windows\SysWOW64\Ongbcmlc.dll Fcmgfkeg.exe File created C:\Windows\SysWOW64\Jbjochdi.exe Jmmfkafa.exe File opened for modification C:\Windows\SysWOW64\Pogclp32.exe Pklhlael.exe File created C:\Windows\SysWOW64\Lbadbn32.dll Egoife32.exe File created C:\Windows\SysWOW64\Jjpcbe32.exe Jgagfi32.exe File created C:\Windows\SysWOW64\Jooclokl.dll Knjbnh32.exe File opened for modification C:\Windows\SysWOW64\Mcegmm32.exe Mlkopcge.exe File created C:\Windows\SysWOW64\Kconkibf.exe Kmefooki.exe File created C:\Windows\SysWOW64\Nffjeaid.dll Lmebnb32.exe File created C:\Windows\SysWOW64\Fpahiebe.dll Mlfojn32.exe File created C:\Windows\SysWOW64\Mkklljmg.exe Mlhkpm32.exe File created C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Fealjk32.dll Hahjpbad.exe File created C:\Windows\SysWOW64\Oqhiplaj.dll Aekodi32.exe File created C:\Windows\SysWOW64\Aoepcn32.exe Ahlgfdeq.exe File opened for modification C:\Windows\SysWOW64\Hdnepk32.exe Hpbiommg.exe File created C:\Windows\SysWOW64\Dhhlgc32.dll Ehgppi32.exe File created C:\Windows\SysWOW64\Opnelabi.dll Haiccald.exe File created C:\Windows\SysWOW64\Ddbddikd.dll Knklagmb.exe File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe Gbnccfpb.exe File created C:\Windows\SysWOW64\Emjjdbdn.dll Nkiogn32.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Papfegmk.exe File opened for modification C:\Windows\SysWOW64\Qbelgood.exe Qpgpkcpp.exe File created C:\Windows\SysWOW64\Mfacfkje.dll Dfmdho32.exe File created C:\Windows\SysWOW64\Jjcpjl32.dll Gphmeo32.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Ffhpbacb.exe Fcjcfe32.exe File created C:\Windows\SysWOW64\Cckace32.exe Cbkeib32.exe File opened for modification C:\Windows\SysWOW64\Dcfdgiid.exe Djnpnc32.exe File created C:\Windows\SysWOW64\Gbolehjh.dll Epfhbign.exe File created C:\Windows\SysWOW64\Kijbioba.dll Dpbheh32.exe File created C:\Windows\SysWOW64\Aphdelhp.dll Enfenplo.exe File created C:\Windows\SysWOW64\Aaebnq32.dll Lgmcqkkh.exe File opened for modification C:\Windows\SysWOW64\Lliflp32.exe Lijjoe32.exe File created C:\Windows\SysWOW64\Lajhofao.exe Lmolnh32.exe File opened for modification C:\Windows\SysWOW64\Mkclhl32.exe Lajhofao.exe File opened for modification C:\Windows\SysWOW64\Pgbhabjp.exe Pedleg32.exe File opened for modification C:\Windows\SysWOW64\Alegac32.exe Aekodi32.exe File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Nlfgbn32.dll Iqopea32.exe File opened for modification C:\Windows\SysWOW64\Gikaio32.exe Gfmemc32.exe File created C:\Windows\SysWOW64\Nkbalifo.exe Nckjkl32.exe File created C:\Windows\SysWOW64\Giegfm32.dll Kconkibf.exe File created C:\Windows\SysWOW64\Kahojc32.exe Knjbnh32.exe File created C:\Windows\SysWOW64\Ehkhilpb.dll Namqci32.exe File created C:\Windows\SysWOW64\Nglfapnl.exe Ndmjedoi.exe File created C:\Windows\SysWOW64\Nadddkfi.dll Oqideepg.exe File opened for modification C:\Windows\SysWOW64\Cgcmlcja.exe Cafecmlj.exe File created C:\Windows\SysWOW64\Jocflgga.exe Ileiplhn.exe File created C:\Windows\SysWOW64\Ojhcelga.dll Hlhaqogk.exe File opened for modification C:\Windows\SysWOW64\Iggkllpe.exe Ihdkao32.exe File created C:\Windows\SysWOW64\Pjhknm32.exe Pcnbablo.exe File created C:\Windows\SysWOW64\Heglio32.exe Hbhomd32.exe File opened for modification C:\Windows\SysWOW64\Hpbiommg.exe Hoamgd32.exe File created C:\Windows\SysWOW64\Mcbjgn32.exe Mijfnh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4852 4732 WerFault.exe 448 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ednpej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iamimc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lollckbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Najdnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qpgpkcpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckoilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgjclbdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlhkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" Bgknheej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlljjjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll" Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmbbii.dll" Ifcbodli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jqfffqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Naoniipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flehkhai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gpncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgnhbba.dll" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjhjhkh.dll" Gpncej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Heihnoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpocfncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll" Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll" Laegiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibddljof.dll" Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ffhpbacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jndkpj32.dll" Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biapcobb.dll" Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbfqed32.dll" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mlkopcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihicd32.dll" Gakcimgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Egamfkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmjaic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Henidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkeimlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Habfipdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gphmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lliflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkekligg.dll" Fllnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlcgibn.dll" Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iimfgo32.dll" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqelfddi.dll" Dlkepi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kincipnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll" Keednado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnhkcj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2076 wrote to memory of 2064 2076 12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe 28 PID 2076 wrote to memory of 2064 2076 12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe 28 PID 2076 wrote to memory of 2064 2076 12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe 28 PID 2076 wrote to memory of 2064 2076 12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 2052 2064 Bnbjopoi.exe 29 PID 2064 wrote to memory of 2052 2064 Bnbjopoi.exe 29 PID 2064 wrote to memory of 2052 2064 Bnbjopoi.exe 29 PID 2064 wrote to memory of 2052 2064 Bnbjopoi.exe 29 PID 2052 wrote to memory of 2612 2052 Bgknheej.exe 30 PID 2052 wrote to memory of 2612 2052 Bgknheej.exe 30 PID 2052 wrote to memory of 2612 2052 Bgknheej.exe 30 PID 2052 wrote to memory of 2612 2052 Bgknheej.exe 30 PID 2612 wrote to memory of 2200 2612 Cljcelan.exe 31 PID 2612 wrote to memory of 2200 2612 Cljcelan.exe 31 PID 2612 wrote to memory of 2200 2612 Cljcelan.exe 31 PID 2612 wrote to memory of 2200 2612 Cljcelan.exe 31 PID 2200 wrote to memory of 3000 2200 Cfbhnaho.exe 32 PID 2200 wrote to memory of 3000 2200 Cfbhnaho.exe 32 PID 2200 wrote to memory of 3000 2200 Cfbhnaho.exe 32 PID 2200 wrote to memory of 3000 2200 Cfbhnaho.exe 32 PID 3000 wrote to memory of 2424 3000 Cjpqdp32.exe 33 PID 3000 wrote to memory of 2424 3000 Cjpqdp32.exe 33 PID 3000 wrote to memory of 2424 3000 Cjpqdp32.exe 33 PID 3000 wrote to memory of 2424 3000 Cjpqdp32.exe 33 PID 2424 wrote to memory of 2928 2424 Cbkeib32.exe 34 PID 2424 wrote to memory of 2928 2424 Cbkeib32.exe 34 PID 2424 wrote to memory of 2928 2424 Cbkeib32.exe 34 PID 2424 wrote to memory of 2928 2424 Cbkeib32.exe 34 PID 2928 wrote to memory of 2644 2928 Cckace32.exe 35 PID 2928 wrote to memory of 2644 2928 Cckace32.exe 35 PID 2928 wrote to memory of 2644 2928 Cckace32.exe 35 PID 2928 wrote to memory of 2644 2928 Cckace32.exe 35 PID 2644 wrote to memory of 2776 2644 Clcflkic.exe 36 PID 2644 wrote to memory of 2776 2644 Clcflkic.exe 36 PID 2644 wrote to memory of 2776 2644 Clcflkic.exe 36 PID 2644 wrote to memory of 2776 2644 Clcflkic.exe 36 PID 2776 wrote to memory of 1772 2776 Ddokpmfo.exe 37 PID 2776 wrote to memory of 1772 2776 Ddokpmfo.exe 37 PID 2776 wrote to memory of 1772 2776 Ddokpmfo.exe 37 PID 2776 wrote to memory of 1772 2776 Ddokpmfo.exe 37 PID 1772 wrote to memory of 1356 1772 Dngoibmo.exe 38 PID 1772 wrote to memory of 1356 1772 Dngoibmo.exe 38 PID 1772 wrote to memory of 1356 1772 Dngoibmo.exe 38 PID 1772 wrote to memory of 1356 1772 Dngoibmo.exe 38 PID 1356 wrote to memory of 2656 1356 Djnpnc32.exe 39 PID 1356 wrote to memory of 2656 1356 Djnpnc32.exe 39 PID 1356 wrote to memory of 2656 1356 Djnpnc32.exe 39 PID 1356 wrote to memory of 2656 1356 Djnpnc32.exe 39 PID 2656 wrote to memory of 1112 2656 Dcfdgiid.exe 40 PID 2656 wrote to memory of 1112 2656 Dcfdgiid.exe 40 PID 2656 wrote to memory of 1112 2656 Dcfdgiid.exe 40 PID 2656 wrote to memory of 1112 2656 Dcfdgiid.exe 40 PID 1112 wrote to memory of 2972 1112 Dqjepm32.exe 41 PID 1112 wrote to memory of 2972 1112 Dqjepm32.exe 41 PID 1112 wrote to memory of 2972 1112 Dqjepm32.exe 41 PID 1112 wrote to memory of 2972 1112 Dqjepm32.exe 41 PID 2972 wrote to memory of 1932 2972 Dnneja32.exe 42 PID 2972 wrote to memory of 1932 2972 Dnneja32.exe 42 PID 2972 wrote to memory of 1932 2972 Dnneja32.exe 42 PID 2972 wrote to memory of 1932 2972 Dnneja32.exe 42 PID 1932 wrote to memory of 2504 1932 Dgfjbgmh.exe 43 PID 1932 wrote to memory of 2504 1932 Dgfjbgmh.exe 43 PID 1932 wrote to memory of 2504 1932 Dgfjbgmh.exe 43 PID 1932 wrote to memory of 2504 1932 Dgfjbgmh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\12c45da288a51285945a54eca96f8313a7a50b5446a1e96fcbb5a5e1260085d8_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe33⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe34⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe35⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe36⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe37⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe38⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe39⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe40⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe41⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe42⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe46⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe47⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe48⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe52⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe56⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe57⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe58⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe59⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe61⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe63⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe66⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe67⤵PID:764
-
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe68⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe69⤵PID:1580
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe70⤵PID:1132
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe71⤵PID:1656
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe72⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe74⤵PID:1608
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe75⤵PID:2188
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe76⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe77⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe79⤵PID:2780
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe80⤵PID:1828
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe81⤵PID:2060
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe82⤵PID:2028
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe83⤵PID:1196
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe84⤵PID:1556
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe86⤵PID:1964
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe87⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe88⤵PID:2724
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe89⤵PID:2300
-
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe91⤵PID:2416
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe92⤵PID:2628
-
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe94⤵PID:1188
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2464 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe96⤵PID:2968
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe97⤵PID:2964
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe98⤵PID:2156
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe99⤵PID:3020
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe100⤵PID:1032
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe101⤵PID:1680
-
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1416 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe103⤵PID:1516
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe104⤵PID:3044
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe105⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe106⤵PID:2232
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe107⤵PID:2620
-
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe108⤵PID:1808
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe109⤵PID:1012
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe110⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe112⤵PID:1848
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe113⤵PID:700
-
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe114⤵PID:688
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe115⤵
- Modifies registry class
PID:740 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe116⤵PID:1688
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe117⤵PID:1872
-
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe118⤵PID:2604
-
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe119⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe120⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Logbhl32.exeC:\Windows\system32\Logbhl32.exe121⤵
- Modifies registry class
PID:2128
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-