Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
04-06-2024 06:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe
-
Size
144KB
-
MD5
39d631958f5bcba810fc6cfc632ff950
-
SHA1
37c83ffd69234d63fb9aabe201efbe23ceb59af8
-
SHA256
95bffaeb564c831225d6e41c4b564c5121cf38961ca340016cce462cfd9b7c0c
-
SHA512
a06222e1541eca4911e14e06a53cbd51e0e11c462072898900fe44c640a112304de3a42012f4a6ae38ebaf42504392322ff8099e8a31a08dea3658c23fc6d301
-
SSDEEP
3072:M1gqvEyPnd46kEHafPPXuhuXGQmVDeCyqOGbo92ynnbb:PqvEMndfTHwPXuapoaCPXbo92ynn3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcahhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbkpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjbmjplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cckace32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckffgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhheqje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbonoiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kakbjibo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjkcplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafheedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaihlapi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbonoiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giffeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geocph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdimmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copfbfjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpbkgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hefipfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhcdaibd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libgjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkmfhacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqlafm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hefipfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iffeoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdqafgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnpnndgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affhncfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnbjopoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igainn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqqdag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amndem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djpmccqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fedplc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkhmma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkpdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkdqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlifi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2788 Ehqccl32.exe 2540 Eaihlapi.exe 2800 Empiab32.exe 2756 Fdianmmj.exe 2632 Fmbefbck.exe 2296 Fbonoiab.exe 544 Fiifkc32.exe 2620 Fpbohmpl.exe 2252 Fadkpe32.exe 1584 Fklpik32.exe 1552 Fafheedg.exe 1116 Fdddaqck.exe 2028 Fmmhjf32.exe 2752 Fedplc32.exe 1612 Gkaidjhe.exe 336 Gdimmp32.exe 1668 Giffeg32.exe 2188 Gppnaaej.exe 1480 Gmdoke32.exe 112 Gpbkgq32.exe 1872 Geocph32.exe 2240 Gnfkqe32.exe 1248 Gohhhmgo.exe 1656 Gccdil32.exe 624 Gimlefge.exe 1532 Gllhaa32.exe 2952 Hceqnlnf.exe 2644 Hedmkgmi.exe 2360 Hlnega32.exe 2636 Hchmdklc.exe 2372 Hefipfkg.exe 2424 Hheelbjj.exe 2340 Hoonilag.exe 2608 Hfifff32.exe 1324 Hhgbba32.exe 1260 Hoakolod.exe 288 Haogkgoh.exe 1360 Hdncgbnl.exe 1564 Hhioga32.exe 2992 Hbbcpg32.exe 1980 Hqddldcp.exe 480 Hgolhn32.exe 1100 Hjmhdi32.exe 2944 Inhdehbj.exe 1548 Imkdqe32.exe 1692 Idblbb32.exe 108 Igainn32.exe 1820 Ijoeji32.exe 328 Inkakhpg.exe 1652 Ichico32.exe 1436 Iffeoj32.exe 2844 Iidbke32.exe 2456 Iqljlb32.exe 2376 Icjfhn32.exe 2384 Ijdnehci.exe 2416 Ikekmq32.exe 2680 Ioagno32.exe 2692 Ifkojiim.exe 2704 Ikggbpgd.exe 356 Infdolgh.exe 2260 Ifmlpigj.exe 2776 Jgnhga32.exe 2136 Joepio32.exe 2332 Jnhqdkde.exe -
Loads dropped DLL 64 IoCs
pid Process 2924 39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe 2924 39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe 2788 Ehqccl32.exe 2788 Ehqccl32.exe 2540 Eaihlapi.exe 2540 Eaihlapi.exe 2800 Empiab32.exe 2800 Empiab32.exe 2756 Fdianmmj.exe 2756 Fdianmmj.exe 2632 Fmbefbck.exe 2632 Fmbefbck.exe 2296 Fbonoiab.exe 2296 Fbonoiab.exe 544 Fiifkc32.exe 544 Fiifkc32.exe 2620 Fpbohmpl.exe 2620 Fpbohmpl.exe 2252 Fadkpe32.exe 2252 Fadkpe32.exe 1584 Fklpik32.exe 1584 Fklpik32.exe 1552 Fafheedg.exe 1552 Fafheedg.exe 1116 Fdddaqck.exe 1116 Fdddaqck.exe 2028 Fmmhjf32.exe 2028 Fmmhjf32.exe 2752 Fedplc32.exe 2752 Fedplc32.exe 1612 Gkaidjhe.exe 1612 Gkaidjhe.exe 336 Gdimmp32.exe 336 Gdimmp32.exe 1668 Giffeg32.exe 1668 Giffeg32.exe 2188 Gppnaaej.exe 2188 Gppnaaej.exe 1480 Gmdoke32.exe 1480 Gmdoke32.exe 112 Gpbkgq32.exe 112 Gpbkgq32.exe 1872 Geocph32.exe 1872 Geocph32.exe 2240 Gnfkqe32.exe 2240 Gnfkqe32.exe 1248 Gohhhmgo.exe 1248 Gohhhmgo.exe 1656 Gccdil32.exe 1656 Gccdil32.exe 624 Gimlefge.exe 624 Gimlefge.exe 1532 Gllhaa32.exe 1532 Gllhaa32.exe 2952 Hceqnlnf.exe 2952 Hceqnlnf.exe 2644 Hedmkgmi.exe 2644 Hedmkgmi.exe 2360 Hlnega32.exe 2360 Hlnega32.exe 2636 Hchmdklc.exe 2636 Hchmdklc.exe 2372 Hefipfkg.exe 2372 Hefipfkg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Haogkgoh.exe Hoakolod.exe File created C:\Windows\SysWOW64\Kpeliikc.dll Abbbnchb.exe File created C:\Windows\SysWOW64\Ikkbnm32.dll Fpdhklkl.exe File created C:\Windows\SysWOW64\Pikpgpjm.dll Fdddaqck.exe File opened for modification C:\Windows\SysWOW64\Hqddldcp.exe Hbbcpg32.exe File created C:\Windows\SysWOW64\Pmlkpjpj.exe Pipopl32.exe File created C:\Windows\SysWOW64\Cjbmjplb.exe Cfgaiaci.exe File opened for modification C:\Windows\SysWOW64\Iidbke32.exe Iffeoj32.exe File created C:\Windows\SysWOW64\Flmefm32.exe Fmjejphb.exe File created C:\Windows\SysWOW64\Kcaipkch.dll Gacpdbej.exe File opened for modification C:\Windows\SysWOW64\Gpbkgq32.exe Gmdoke32.exe File created C:\Windows\SysWOW64\Abbmqhgj.dll Meigpkka.exe File created C:\Windows\SysWOW64\Bbflib32.exe Bokphdld.exe File opened for modification C:\Windows\SysWOW64\Begeknan.exe Bnpmipql.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dcknbh32.exe File created C:\Windows\SysWOW64\Ambcae32.dll Egdilkbf.exe File created C:\Windows\SysWOW64\Gopkmhjk.exe Ghfbqn32.exe File created C:\Windows\SysWOW64\Bhpdae32.dll Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Bbflib32.exe Bokphdld.exe File created C:\Windows\SysWOW64\Fbonoiab.exe Fmbefbck.exe File opened for modification C:\Windows\SysWOW64\Bhahlj32.exe Bebkpn32.exe File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe Begeknan.exe File created C:\Windows\SysWOW64\Cfgaiaci.exe Cciemedf.exe File created C:\Windows\SysWOW64\Copfbfjj.exe Claifkkf.exe File opened for modification C:\Windows\SysWOW64\Fnbkddem.exe Ffkcbgek.exe File created C:\Windows\SysWOW64\Fklpik32.exe Fadkpe32.exe File created C:\Windows\SysWOW64\Hlbpenqj.dll Llqcfe32.exe File created C:\Windows\SysWOW64\Hfmpcjge.dll Bkfjhd32.exe File created C:\Windows\SysWOW64\Gadkgl32.dll Fehjeo32.exe File created C:\Windows\SysWOW64\Cakqnc32.dll Fjlhneio.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Jclomamd.exe Jpqclb32.exe File created C:\Windows\SysWOW64\Ladeqhjd.exe Limmokib.exe File created C:\Windows\SysWOW64\Mhjpaf32.exe Mekdekin.exe File created C:\Windows\SysWOW64\Nbdnoo32.exe Nhlifi32.exe File created C:\Windows\SysWOW64\Edhban32.dll Kbhbom32.exe File created C:\Windows\SysWOW64\Fqpjbf32.dll Cfbhnaho.exe File created C:\Windows\SysWOW64\Hghmjpap.dll Gonnhhln.exe File created C:\Windows\SysWOW64\Geocph32.exe Gpbkgq32.exe File opened for modification C:\Windows\SysWOW64\Llccmb32.exe Kdlkld32.exe File opened for modification C:\Windows\SysWOW64\Pmlkpjpj.exe Pipopl32.exe File created C:\Windows\SysWOW64\Dgodbh32.exe Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Dnilobkm.exe Djnpnc32.exe File created C:\Windows\SysWOW64\Eqonkmdh.exe Emcbkn32.exe File created C:\Windows\SysWOW64\Ndempa32.dll Libgjj32.exe File created C:\Windows\SysWOW64\Cpeofk32.exe Cljcelan.exe File created C:\Windows\SysWOW64\Ddcdkl32.exe Dqhhknjp.exe File opened for modification C:\Windows\SysWOW64\Ogfpbeim.exe Odgcfijj.exe File opened for modification C:\Windows\SysWOW64\Admemg32.exe Alenki32.exe File opened for modification C:\Windows\SysWOW64\Bbdocc32.exe Bpfcgg32.exe File created C:\Windows\SysWOW64\Dngoibmo.exe Dkhcmgnl.exe File created C:\Windows\SysWOW64\Jamfqeie.dll Epdkli32.exe File opened for modification C:\Windows\SysWOW64\Nbdnoo32.exe Nhlifi32.exe File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe Djefobmk.exe File created C:\Windows\SysWOW64\Ehqccl32.exe 39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Fafheedg.exe Fklpik32.exe File created C:\Windows\SysWOW64\Bebkpn32.exe Bbdocc32.exe File created C:\Windows\SysWOW64\Dgaqgh32.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Maphhihi.dll Ebbgid32.exe File opened for modification C:\Windows\SysWOW64\Faagpp32.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Gohhhmgo.exe Gnfkqe32.exe File opened for modification C:\Windows\SysWOW64\Adeplhib.exe Qagcpljo.exe File opened for modification C:\Windows\SysWOW64\Dqhhknjp.exe Dnilobkm.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Dqjepm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4784 4732 WerFault.exe 385 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcahhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipboik32.dll" Kfaajlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiich32.dll" Oiellh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmjikf32.dll" Jcjbgaog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngjnfgo.dll" Fedplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbhbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdqafgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" Dqjepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldqegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpeofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgkbipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkonco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dngoibmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Fehjeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgqemakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpafgnp.dll" Mkhmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alenki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjmhdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdlkld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbkdjjal.dll" Pmlkpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbkpna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbilenko.dll" Kpcpbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpmgqnfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hceqnlnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfaajlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfkpdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahokfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhooggdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmjejphb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll" Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gimlefge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khcnad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacnpbdl.dll" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accikb32.dll" Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohkco32.dll" Hlnega32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmgmp32.dll" Nqqdag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfliao32.dll" Fdianmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acccpj32.dll" Haogkgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Efppoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdianmmj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2924 wrote to memory of 2788 2924 39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 2788 2924 39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 2788 2924 39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 2788 2924 39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe 28 PID 2788 wrote to memory of 2540 2788 Ehqccl32.exe 29 PID 2788 wrote to memory of 2540 2788 Ehqccl32.exe 29 PID 2788 wrote to memory of 2540 2788 Ehqccl32.exe 29 PID 2788 wrote to memory of 2540 2788 Ehqccl32.exe 29 PID 2540 wrote to memory of 2800 2540 Eaihlapi.exe 30 PID 2540 wrote to memory of 2800 2540 Eaihlapi.exe 30 PID 2540 wrote to memory of 2800 2540 Eaihlapi.exe 30 PID 2540 wrote to memory of 2800 2540 Eaihlapi.exe 30 PID 2800 wrote to memory of 2756 2800 Empiab32.exe 31 PID 2800 wrote to memory of 2756 2800 Empiab32.exe 31 PID 2800 wrote to memory of 2756 2800 Empiab32.exe 31 PID 2800 wrote to memory of 2756 2800 Empiab32.exe 31 PID 2756 wrote to memory of 2632 2756 Fdianmmj.exe 32 PID 2756 wrote to memory of 2632 2756 Fdianmmj.exe 32 PID 2756 wrote to memory of 2632 2756 Fdianmmj.exe 32 PID 2756 wrote to memory of 2632 2756 Fdianmmj.exe 32 PID 2632 wrote to memory of 2296 2632 Fmbefbck.exe 33 PID 2632 wrote to memory of 2296 2632 Fmbefbck.exe 33 PID 2632 wrote to memory of 2296 2632 Fmbefbck.exe 33 PID 2632 wrote to memory of 2296 2632 Fmbefbck.exe 33 PID 2296 wrote to memory of 544 2296 Fbonoiab.exe 34 PID 2296 wrote to memory of 544 2296 Fbonoiab.exe 34 PID 2296 wrote to memory of 544 2296 Fbonoiab.exe 34 PID 2296 wrote to memory of 544 2296 Fbonoiab.exe 34 PID 544 wrote to memory of 2620 544 Fiifkc32.exe 35 PID 544 wrote to memory of 2620 544 Fiifkc32.exe 35 PID 544 wrote to memory of 2620 544 Fiifkc32.exe 35 PID 544 wrote to memory of 2620 544 Fiifkc32.exe 35 PID 2620 wrote to memory of 2252 2620 Fpbohmpl.exe 36 PID 2620 wrote to memory of 2252 2620 Fpbohmpl.exe 36 PID 2620 wrote to memory of 2252 2620 Fpbohmpl.exe 36 PID 2620 wrote to memory of 2252 2620 Fpbohmpl.exe 36 PID 2252 wrote to memory of 1584 2252 Fadkpe32.exe 37 PID 2252 wrote to memory of 1584 2252 Fadkpe32.exe 37 PID 2252 wrote to memory of 1584 2252 Fadkpe32.exe 37 PID 2252 wrote to memory of 1584 2252 Fadkpe32.exe 37 PID 1584 wrote to memory of 1552 1584 Fklpik32.exe 38 PID 1584 wrote to memory of 1552 1584 Fklpik32.exe 38 PID 1584 wrote to memory of 1552 1584 Fklpik32.exe 38 PID 1584 wrote to memory of 1552 1584 Fklpik32.exe 38 PID 1552 wrote to memory of 1116 1552 Fafheedg.exe 39 PID 1552 wrote to memory of 1116 1552 Fafheedg.exe 39 PID 1552 wrote to memory of 1116 1552 Fafheedg.exe 39 PID 1552 wrote to memory of 1116 1552 Fafheedg.exe 39 PID 1116 wrote to memory of 2028 1116 Fdddaqck.exe 40 PID 1116 wrote to memory of 2028 1116 Fdddaqck.exe 40 PID 1116 wrote to memory of 2028 1116 Fdddaqck.exe 40 PID 1116 wrote to memory of 2028 1116 Fdddaqck.exe 40 PID 2028 wrote to memory of 2752 2028 Fmmhjf32.exe 41 PID 2028 wrote to memory of 2752 2028 Fmmhjf32.exe 41 PID 2028 wrote to memory of 2752 2028 Fmmhjf32.exe 41 PID 2028 wrote to memory of 2752 2028 Fmmhjf32.exe 41 PID 2752 wrote to memory of 1612 2752 Fedplc32.exe 42 PID 2752 wrote to memory of 1612 2752 Fedplc32.exe 42 PID 2752 wrote to memory of 1612 2752 Fedplc32.exe 42 PID 2752 wrote to memory of 1612 2752 Fedplc32.exe 42 PID 1612 wrote to memory of 336 1612 Gkaidjhe.exe 43 PID 1612 wrote to memory of 336 1612 Gkaidjhe.exe 43 PID 1612 wrote to memory of 336 1612 Gkaidjhe.exe 43 PID 1612 wrote to memory of 336 1612 Gkaidjhe.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\39d631958f5bcba810fc6cfc632ff950_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Ehqccl32.exeC:\Windows\system32\Ehqccl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Eaihlapi.exeC:\Windows\system32\Eaihlapi.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Empiab32.exeC:\Windows\system32\Empiab32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Fdianmmj.exeC:\Windows\system32\Fdianmmj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Fmbefbck.exeC:\Windows\system32\Fmbefbck.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Fbonoiab.exeC:\Windows\system32\Fbonoiab.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Fiifkc32.exeC:\Windows\system32\Fiifkc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Fpbohmpl.exeC:\Windows\system32\Fpbohmpl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Fadkpe32.exeC:\Windows\system32\Fadkpe32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Fklpik32.exeC:\Windows\system32\Fklpik32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Fafheedg.exeC:\Windows\system32\Fafheedg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Fdddaqck.exeC:\Windows\system32\Fdddaqck.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Fmmhjf32.exeC:\Windows\system32\Fmmhjf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Fedplc32.exeC:\Windows\system32\Fedplc32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Gkaidjhe.exeC:\Windows\system32\Gkaidjhe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Gdimmp32.exeC:\Windows\system32\Gdimmp32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Giffeg32.exeC:\Windows\system32\Giffeg32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Gppnaaej.exeC:\Windows\system32\Gppnaaej.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Gmdoke32.exeC:\Windows\system32\Gmdoke32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Gpbkgq32.exeC:\Windows\system32\Gpbkgq32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:112 -
C:\Windows\SysWOW64\Geocph32.exeC:\Windows\system32\Geocph32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Gnfkqe32.exeC:\Windows\system32\Gnfkqe32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Gohhhmgo.exeC:\Windows\system32\Gohhhmgo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Gccdil32.exeC:\Windows\system32\Gccdil32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Gimlefge.exeC:\Windows\system32\Gimlefge.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Gllhaa32.exeC:\Windows\system32\Gllhaa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Hceqnlnf.exeC:\Windows\system32\Hceqnlnf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Hedmkgmi.exeC:\Windows\system32\Hedmkgmi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Hlnega32.exeC:\Windows\system32\Hlnega32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Hchmdklc.exeC:\Windows\system32\Hchmdklc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Hefipfkg.exeC:\Windows\system32\Hefipfkg.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe33⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Hoonilag.exeC:\Windows\system32\Hoonilag.exe34⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Hfifff32.exeC:\Windows\system32\Hfifff32.exe35⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Hhgbba32.exeC:\Windows\system32\Hhgbba32.exe36⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Haogkgoh.exeC:\Windows\system32\Haogkgoh.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe39⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe40⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Hbbcpg32.exeC:\Windows\system32\Hbbcpg32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe42⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe43⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe45⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe47⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe49⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe50⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe51⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe53⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Iqljlb32.exeC:\Windows\system32\Iqljlb32.exe54⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe55⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe56⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe57⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe58⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe59⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe60⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe61⤵
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe62⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe63⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe64⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe65⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe66⤵PID:2876
-
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe67⤵
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe68⤵PID:332
-
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe69⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe70⤵PID:1460
-
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe71⤵PID:1684
-
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe72⤵
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe73⤵PID:2920
-
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe74⤵PID:2812
-
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe75⤵PID:2656
-
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe76⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe77⤵PID:2932
-
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe78⤵PID:1464
-
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe79⤵PID:1756
-
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe80⤵PID:1280
-
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe81⤵
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe82⤵PID:2012
-
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe83⤵PID:3048
-
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe84⤵PID:968
-
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe86⤵PID:1964
-
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe87⤵PID:1988
-
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe88⤵PID:3068
-
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe89⤵PID:2684
-
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe90⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe91⤵PID:2652
-
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe92⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe93⤵PID:1544
-
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1208 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe96⤵PID:1748
-
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe97⤵PID:2272
-
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe99⤵PID:600
-
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe100⤵PID:2176
-
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe101⤵PID:916
-
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe102⤵PID:2432
-
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe103⤵PID:1936
-
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe104⤵PID:2532
-
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe105⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe106⤵PID:1948
-
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe107⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe108⤵PID:2120
-
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe109⤵PID:1972
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe110⤵PID:2732
-
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe111⤵PID:2280
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe112⤵PID:2664
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe114⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1252 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe116⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe117⤵PID:2628
-
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe118⤵PID:2884
-
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1120 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe121⤵PID:2748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-