Analysis
-
max time kernel
143s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
25/05/2024, 23:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe
-
Size
55KB
-
MD5
3391115eebc393788fcae32609fe41d0
-
SHA1
0dc3b8875292482bc55e3b54eb424467d77a6ab6
-
SHA256
f339a02e542159d45af8b2169ee51e494a25517be261ca8bd034ec42ad2a6d39
-
SHA512
d4192b8dd6c434e7c71de517a462e59c82f26441ae4e9895738d7bc18e5c3f4b488f1ebbf8da2b92be9607fe8767cdbe1309ad8cd4beed154843a3fb8eb49f7b
-
SSDEEP
768:kAibeIcPYuJ+Am1gZFfyj2VIfqOO4HWwmglPpZ3ark6U1372p/1H5PoXdnh:eSdo18VyCVcqjsm0PvrB2LR6
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhgmapfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecqjpee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgimmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddigjkid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfbkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikddbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkihhhnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgdddmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocimgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckoilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kafbec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqijej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Logbhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemgilhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfbhnaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgbdhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjcpii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqpgol32.exe -
Executes dropped EXE 64 IoCs
pid Process 1664 Apcfahio.exe 2492 Ahokfj32.exe 2508 Bpfcgg32.exe 2704 Bebkpn32.exe 2488 Blmdlhmp.exe 2416 Baildokg.exe 2368 Bloqah32.exe 1236 Balijo32.exe 2664 Bghabf32.exe 1568 Bopicc32.exe 2312 Bdlblj32.exe 1556 Bkfjhd32.exe 2040 Bnefdp32.exe 2816 Bpcbqk32.exe 2924 Bcaomf32.exe 668 Cjlgiqbk.exe 1404 Cngcjo32.exe 1736 Cpeofk32.exe 556 Cgpgce32.exe 408 Cfbhnaho.exe 836 Cllpkl32.exe 1880 Cphlljge.exe 816 Cgbdhd32.exe 904 Cfeddafl.exe 1056 Chcqpmep.exe 1992 Cpjiajeb.exe 1960 Cfgaiaci.exe 3056 Claifkkf.exe 1668 Cckace32.exe 2640 Cfinoq32.exe 2624 Ckffgg32.exe 2260 Ddokpmfo.exe 3000 Dgmglh32.exe 764 Dngoibmo.exe 1248 Dqelenlc.exe 2580 Dkkpbgli.exe 1716 Djnpnc32.exe 2088 Dnilobkm.exe 1720 Ddcdkl32.exe 2980 Dcfdgiid.exe 1132 Djpmccqq.exe 1848 Dmoipopd.exe 536 Ddeaalpg.exe 1776 Dgdmmgpj.exe 1608 Djbiicon.exe 1144 Dmafennb.exe 1620 Doobajme.exe 768 Dgfjbgmh.exe 1956 Djefobmk.exe 400 Eihfjo32.exe 1852 Eqonkmdh.exe 1624 Ecmkghcl.exe 2716 Ejgcdb32.exe 2476 Emeopn32.exe 2540 Epdkli32.exe 2592 Ecpgmhai.exe 2356 Ebbgid32.exe 2316 Efncicpm.exe 1604 Eilpeooq.exe 2280 Emhlfmgj.exe 1892 Ekklaj32.exe 2824 Epfhbign.exe 1900 Ebedndfa.exe 3052 Efppoc32.exe -
Loads dropped DLL 64 IoCs
pid Process 1844 3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe 1844 3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe 1664 Apcfahio.exe 1664 Apcfahio.exe 2492 Ahokfj32.exe 2492 Ahokfj32.exe 2508 Bpfcgg32.exe 2508 Bpfcgg32.exe 2704 Bebkpn32.exe 2704 Bebkpn32.exe 2488 Blmdlhmp.exe 2488 Blmdlhmp.exe 2416 Baildokg.exe 2416 Baildokg.exe 2368 Bloqah32.exe 2368 Bloqah32.exe 1236 Balijo32.exe 1236 Balijo32.exe 2664 Bghabf32.exe 2664 Bghabf32.exe 1568 Bopicc32.exe 1568 Bopicc32.exe 2312 Bdlblj32.exe 2312 Bdlblj32.exe 1556 Bkfjhd32.exe 1556 Bkfjhd32.exe 2040 Bnefdp32.exe 2040 Bnefdp32.exe 2816 Bpcbqk32.exe 2816 Bpcbqk32.exe 2924 Bcaomf32.exe 2924 Bcaomf32.exe 668 Cjlgiqbk.exe 668 Cjlgiqbk.exe 1404 Cngcjo32.exe 1404 Cngcjo32.exe 1736 Cpeofk32.exe 1736 Cpeofk32.exe 556 Cgpgce32.exe 556 Cgpgce32.exe 408 Cfbhnaho.exe 408 Cfbhnaho.exe 836 Cllpkl32.exe 836 Cllpkl32.exe 1880 Cphlljge.exe 1880 Cphlljge.exe 816 Cgbdhd32.exe 816 Cgbdhd32.exe 904 Cfeddafl.exe 904 Cfeddafl.exe 1056 Chcqpmep.exe 1056 Chcqpmep.exe 1992 Cpjiajeb.exe 1992 Cpjiajeb.exe 1960 Cfgaiaci.exe 1960 Cfgaiaci.exe 3056 Claifkkf.exe 3056 Claifkkf.exe 1668 Cckace32.exe 1668 Cckace32.exe 2640 Cfinoq32.exe 2640 Cfinoq32.exe 2624 Ckffgg32.exe 2624 Ckffgg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Egafleqm.exe Eojnkg32.exe File created C:\Windows\SysWOW64\Flmpfjke.dll Kcfkfo32.exe File created C:\Windows\SysWOW64\Ehkhilpb.dll Nlbeqb32.exe File opened for modification C:\Windows\SysWOW64\Pgeefbhm.exe Pciifc32.exe File created C:\Windows\SysWOW64\Dfkjnkib.dll Pggbla32.exe File created C:\Windows\SysWOW64\Qmicohqm.exe Qimhoi32.exe File created C:\Windows\SysWOW64\Bbhela32.exe Bdeeqehb.exe File created C:\Windows\SysWOW64\Flojhn32.dll Cdbdjhmp.exe File created C:\Windows\SysWOW64\Bcaomf32.exe Bpcbqk32.exe File opened for modification C:\Windows\SysWOW64\Doobajme.exe Dmafennb.exe File opened for modification C:\Windows\SysWOW64\Npfgpe32.exe Nacgdhlp.exe File created C:\Windows\SysWOW64\Okgnab32.exe Omdneebf.exe File opened for modification C:\Windows\SysWOW64\Aoepcn32.exe Ajjcbpdd.exe File created C:\Windows\SysWOW64\Efcfga32.exe Egafleqm.exe File opened for modification C:\Windows\SysWOW64\Dolnad32.exe Dlnbeh32.exe File opened for modification C:\Windows\SysWOW64\Cngcjo32.exe Cjlgiqbk.exe File opened for modification C:\Windows\SysWOW64\Dnilobkm.exe Djnpnc32.exe File created C:\Windows\SysWOW64\Epfhbign.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Kmccegik.dll Obafnlpn.exe File created C:\Windows\SysWOW64\Pfoocjfd.exe Onhgbmfb.exe File created C:\Windows\SysWOW64\Iifjjk32.dll Dpeekh32.exe File created C:\Windows\SysWOW64\Dgdfmnkb.dll Blmdlhmp.exe File created C:\Windows\SysWOW64\Cfeoofge.dll Eihfjo32.exe File opened for modification C:\Windows\SysWOW64\Ffpmnf32.exe Fdapak32.exe File opened for modification C:\Windows\SysWOW64\Jiakjb32.exe Jjojofgn.exe File created C:\Windows\SysWOW64\Obdkcckg.dll Mlibjc32.exe File created C:\Windows\SysWOW64\Ennaieib.exe Eloemi32.exe File created C:\Windows\SysWOW64\Hejodhmc.dll Oonafa32.exe File created C:\Windows\SysWOW64\Afohaa32.exe Aemkjiem.exe File created C:\Windows\SysWOW64\Gojbjm32.dll Ccahbp32.exe File opened for modification C:\Windows\SysWOW64\Dcadac32.exe Doehqead.exe File opened for modification C:\Windows\SysWOW64\Egllae32.exe Ecqqpgli.exe File opened for modification C:\Windows\SysWOW64\Enfenplo.exe Ejkima32.exe File opened for modification C:\Windows\SysWOW64\Joplbl32.exe Jgidao32.exe File created C:\Windows\SysWOW64\Bnpanefm.dll Kbqecg32.exe File opened for modification C:\Windows\SysWOW64\Mkclhl32.exe Mhdplq32.exe File created C:\Windows\SysWOW64\Qpgpkcpp.exe Qlkdkd32.exe File opened for modification C:\Windows\SysWOW64\Jbllihbf.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Maoajf32.exe Mihiih32.exe File opened for modification C:\Windows\SysWOW64\Pjcabmga.exe Pkpagq32.exe File created C:\Windows\SysWOW64\Ednpej32.exe Eqbddk32.exe File opened for modification C:\Windows\SysWOW64\Eqijej32.exe Emnndlod.exe File created C:\Windows\SysWOW64\Ckjpacfp.exe Ckjpacfp.exe File opened for modification C:\Windows\SysWOW64\Kjcpii32.exe Kblhgk32.exe File created C:\Windows\SysWOW64\Lldlqakb.exe Kmaled32.exe File created C:\Windows\SysWOW64\Dbfabp32.exe Dccagcgk.exe File opened for modification C:\Windows\SysWOW64\Bpfcgg32.exe Ahokfj32.exe File created C:\Windows\SysWOW64\Kklemhne.dll Jmjjea32.exe File opened for modification C:\Windows\SysWOW64\Mpfkqb32.exe Mmhodf32.exe File created C:\Windows\SysWOW64\Dcdooi32.dll Fdapak32.exe File created C:\Windows\SysWOW64\Mgimmm32.exe Mhgmapfi.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pggbla32.exe File created C:\Windows\SysWOW64\Ddgjdk32.exe Dfdjhndl.exe File opened for modification C:\Windows\SysWOW64\Enakbp32.exe Dookgcij.exe File opened for modification C:\Windows\SysWOW64\Ekhhadmk.exe Egllae32.exe File created C:\Windows\SysWOW64\Gmgdddmq.exe Gkihhhnm.exe File opened for modification C:\Windows\SysWOW64\Lldlqakb.exe Kmaled32.exe File created C:\Windows\SysWOW64\Cfiini32.dll Mlmlecec.exe File created C:\Windows\SysWOW64\Milokblc.dll Pkpagq32.exe File opened for modification C:\Windows\SysWOW64\Caknol32.exe Cnobnmpl.exe File created C:\Windows\SysWOW64\Kjcpii32.exe Kblhgk32.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Peiepfgg.exe File created C:\Windows\SysWOW64\Eofjhkoj.dll Doehqead.exe File created C:\Windows\SysWOW64\Cpjiajeb.exe Chcqpmep.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5872 5560 WerFault.exe 559 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcenlceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimkpfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mamddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqkmbmdg.dll" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnffb32.dll" Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoich32.dll" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cafecmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljefkdjq.dll" Kpmlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll" Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpmjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hggomh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplpldoa.dll" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll" Egoife32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piphee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" Gogangdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll" Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll" Egafleqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpipp32.dll" Lbcnhjnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbcjffka.dll" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" Djbiicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiehea32.dll" Inqcif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgeefbhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkllmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eofjhkoj.dll" Doehqead.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkeqmgm.dll" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbdhi32.dll" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll" Enfenplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idklfpon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1844 wrote to memory of 1664 1844 3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe 28 PID 1844 wrote to memory of 1664 1844 3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe 28 PID 1844 wrote to memory of 1664 1844 3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe 28 PID 1844 wrote to memory of 1664 1844 3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe 28 PID 1664 wrote to memory of 2492 1664 Apcfahio.exe 29 PID 1664 wrote to memory of 2492 1664 Apcfahio.exe 29 PID 1664 wrote to memory of 2492 1664 Apcfahio.exe 29 PID 1664 wrote to memory of 2492 1664 Apcfahio.exe 29 PID 2492 wrote to memory of 2508 2492 Ahokfj32.exe 30 PID 2492 wrote to memory of 2508 2492 Ahokfj32.exe 30 PID 2492 wrote to memory of 2508 2492 Ahokfj32.exe 30 PID 2492 wrote to memory of 2508 2492 Ahokfj32.exe 30 PID 2508 wrote to memory of 2704 2508 Bpfcgg32.exe 31 PID 2508 wrote to memory of 2704 2508 Bpfcgg32.exe 31 PID 2508 wrote to memory of 2704 2508 Bpfcgg32.exe 31 PID 2508 wrote to memory of 2704 2508 Bpfcgg32.exe 31 PID 2704 wrote to memory of 2488 2704 Bebkpn32.exe 32 PID 2704 wrote to memory of 2488 2704 Bebkpn32.exe 32 PID 2704 wrote to memory of 2488 2704 Bebkpn32.exe 32 PID 2704 wrote to memory of 2488 2704 Bebkpn32.exe 32 PID 2488 wrote to memory of 2416 2488 Blmdlhmp.exe 33 PID 2488 wrote to memory of 2416 2488 Blmdlhmp.exe 33 PID 2488 wrote to memory of 2416 2488 Blmdlhmp.exe 33 PID 2488 wrote to memory of 2416 2488 Blmdlhmp.exe 33 PID 2416 wrote to memory of 2368 2416 Baildokg.exe 34 PID 2416 wrote to memory of 2368 2416 Baildokg.exe 34 PID 2416 wrote to memory of 2368 2416 Baildokg.exe 34 PID 2416 wrote to memory of 2368 2416 Baildokg.exe 34 PID 2368 wrote to memory of 1236 2368 Bloqah32.exe 35 PID 2368 wrote to memory of 1236 2368 Bloqah32.exe 35 PID 2368 wrote to memory of 1236 2368 Bloqah32.exe 35 PID 2368 wrote to memory of 1236 2368 Bloqah32.exe 35 PID 1236 wrote to memory of 2664 1236 Balijo32.exe 36 PID 1236 wrote to memory of 2664 1236 Balijo32.exe 36 PID 1236 wrote to memory of 2664 1236 Balijo32.exe 36 PID 1236 wrote to memory of 2664 1236 Balijo32.exe 36 PID 2664 wrote to memory of 1568 2664 Bghabf32.exe 37 PID 2664 wrote to memory of 1568 2664 Bghabf32.exe 37 PID 2664 wrote to memory of 1568 2664 Bghabf32.exe 37 PID 2664 wrote to memory of 1568 2664 Bghabf32.exe 37 PID 1568 wrote to memory of 2312 1568 Bopicc32.exe 38 PID 1568 wrote to memory of 2312 1568 Bopicc32.exe 38 PID 1568 wrote to memory of 2312 1568 Bopicc32.exe 38 PID 1568 wrote to memory of 2312 1568 Bopicc32.exe 38 PID 2312 wrote to memory of 1556 2312 Bdlblj32.exe 39 PID 2312 wrote to memory of 1556 2312 Bdlblj32.exe 39 PID 2312 wrote to memory of 1556 2312 Bdlblj32.exe 39 PID 2312 wrote to memory of 1556 2312 Bdlblj32.exe 39 PID 1556 wrote to memory of 2040 1556 Bkfjhd32.exe 40 PID 1556 wrote to memory of 2040 1556 Bkfjhd32.exe 40 PID 1556 wrote to memory of 2040 1556 Bkfjhd32.exe 40 PID 1556 wrote to memory of 2040 1556 Bkfjhd32.exe 40 PID 2040 wrote to memory of 2816 2040 Bnefdp32.exe 41 PID 2040 wrote to memory of 2816 2040 Bnefdp32.exe 41 PID 2040 wrote to memory of 2816 2040 Bnefdp32.exe 41 PID 2040 wrote to memory of 2816 2040 Bnefdp32.exe 41 PID 2816 wrote to memory of 2924 2816 Bpcbqk32.exe 42 PID 2816 wrote to memory of 2924 2816 Bpcbqk32.exe 42 PID 2816 wrote to memory of 2924 2816 Bpcbqk32.exe 42 PID 2816 wrote to memory of 2924 2816 Bpcbqk32.exe 42 PID 2924 wrote to memory of 668 2924 Bcaomf32.exe 43 PID 2924 wrote to memory of 668 2924 Bcaomf32.exe 43 PID 2924 wrote to memory of 668 2924 Bcaomf32.exe 43 PID 2924 wrote to memory of 668 2924 Bcaomf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3391115eebc393788fcae32609fe41d0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:408 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe33⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe35⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe36⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe37⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe39⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe41⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe42⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe43⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe44⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe45⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe48⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe49⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe50⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe52⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe53⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe54⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe55⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe56⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe57⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe58⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe60⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe61⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe63⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe64⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe67⤵PID:352
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe68⤵PID:1888
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe69⤵PID:952
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe70⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe71⤵PID:872
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe72⤵PID:1612
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe73⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe74⤵PID:3048
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe75⤵PID:1532
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe76⤵PID:2552
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe77⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe78⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe79⤵PID:2144
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe80⤵PID:2420
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:296 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe83⤵PID:1548
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe84⤵PID:656
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe85⤵PID:576
-
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe87⤵PID:1256
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe88⤵PID:2256
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe89⤵PID:2156
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe90⤵PID:1840
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe91⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe92⤵PID:1652
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe93⤵PID:880
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe94⤵PID:2532
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe95⤵PID:1512
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe96⤵PID:2044
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe97⤵PID:2028
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe98⤵PID:2876
-
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe99⤵PID:2992
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe100⤵PID:1596
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe101⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe102⤵PID:2064
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe104⤵PID:2460
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe105⤵PID:2900
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1324 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe107⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe108⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe111⤵PID:1676
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe113⤵PID:2940
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe114⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe115⤵PID:2212
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe116⤵PID:1552
-
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe117⤵PID:2952
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe118⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe119⤵PID:2568
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe120⤵PID:548
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe121⤵PID:1724
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-