Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11-06-2024 14:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe
-
Size
96KB
-
MD5
3838ef6a25456f5f006b84b0da398670
-
SHA1
a37b1d570eeee64314f338e8f152d2c3f030d441
-
SHA256
1eb98af8b4c8d19260996e7ac45af08584f5740fb92a422091657fdadedce212
-
SHA512
c917d1ebcccd320dbfb48425ccf5f994dc69451b42f70ef02d93e7585bd2cd0c1f49fe90e70fedd9c2489324fa053e64aa4ed863ab7785eeb67371ba2e8d16cb
-
SSDEEP
1536:Ro36awYeuBg16+6fI0o1csEoNk6qsj+g/0ECeEUNIIK2tjw74S7V+5pUMv84WMRc:15WY6fIh1c56qsi0Ce89iM4Sp+7H7wWO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofmbnkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Logbhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldfgebbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnaoohk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekelld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjglbml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbopgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmbhok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndhipoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abjebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkcojga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldlqakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Behnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfghif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejobhppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccbqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apimacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpqdkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhffaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflmci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmopod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncahjgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfokbnip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnigda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gldkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkalk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2356 Qnigda32.exe 2220 Ajphib32.exe 2544 Affhncfc.exe 2588 Aalmklfi.exe 2012 Aigaon32.exe 3016 Admemg32.exe 2460 Aiinen32.exe 1704 Aoffmd32.exe 2824 Aepojo32.exe 1500 Bbdocc32.exe 1608 Bhahlj32.exe 1248 Bbflib32.exe 1760 Bloqah32.exe 2264 Balijo32.exe 2528 Bhfagipa.exe 576 Banepo32.exe 2412 Bjijdadm.exe 1796 Bnefdp32.exe 704 Bpcbqk32.exe 2272 Ckignd32.exe 1920 Cgpgce32.exe 948 Cfbhnaho.exe 1728 Cgbdhd32.exe 1776 Cfeddafl.exe 2864 Clomqk32.exe 1752 Cbkeib32.exe 2880 Copfbfjj.exe 2324 Cbnbobin.exe 1804 Cndbcc32.exe 2984 Dkhcmgnl.exe 2584 Dbbkja32.exe 2700 Ddagfm32.exe 2596 Dkkpbgli.exe 2664 Dbehoa32.exe 2508 Dgaqgh32.exe 2244 Djpmccqq.exe 2532 Ddeaalpg.exe 1428 Dmafennb.exe 2928 Djefobmk.exe 1312 Epaogi32.exe 1284 Ejgcdb32.exe 1956 Ekholjqg.exe 2004 Ecpgmhai.exe 384 Eilpeooq.exe 1740 Ekklaj32.exe 2416 Epfhbign.exe 2624 Elmigj32.exe 1748 Eiaiqn32.exe 768 Ejbfhfaj.exe 764 Ennaieib.exe 1432 Fehjeo32.exe 2280 Fhffaj32.exe 2876 Fjdbnf32.exe 1660 Fmcoja32.exe 2236 Fejgko32.exe 2576 Ffkcbgek.exe 2712 Fnbkddem.exe 2456 Fmekoalh.exe 2812 Fdoclk32.exe 1140 Fjilieka.exe 2792 Filldb32.exe 2688 Facdeo32.exe 2676 Fbdqmghm.exe 1780 Ffpmnf32.exe -
Loads dropped DLL 64 IoCs
pid Process 1032 3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe 1032 3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe 2356 Qnigda32.exe 2356 Qnigda32.exe 2220 Ajphib32.exe 2220 Ajphib32.exe 2544 Affhncfc.exe 2544 Affhncfc.exe 2588 Aalmklfi.exe 2588 Aalmklfi.exe 2012 Aigaon32.exe 2012 Aigaon32.exe 3016 Admemg32.exe 3016 Admemg32.exe 2460 Aiinen32.exe 2460 Aiinen32.exe 1704 Aoffmd32.exe 1704 Aoffmd32.exe 2824 Aepojo32.exe 2824 Aepojo32.exe 1500 Bbdocc32.exe 1500 Bbdocc32.exe 1608 Bhahlj32.exe 1608 Bhahlj32.exe 1248 Bbflib32.exe 1248 Bbflib32.exe 1760 Bloqah32.exe 1760 Bloqah32.exe 2264 Balijo32.exe 2264 Balijo32.exe 2528 Bhfagipa.exe 2528 Bhfagipa.exe 576 Banepo32.exe 576 Banepo32.exe 2412 Bjijdadm.exe 2412 Bjijdadm.exe 1796 Bnefdp32.exe 1796 Bnefdp32.exe 704 Bpcbqk32.exe 704 Bpcbqk32.exe 2272 Ckignd32.exe 2272 Ckignd32.exe 1920 Cgpgce32.exe 1920 Cgpgce32.exe 948 Cfbhnaho.exe 948 Cfbhnaho.exe 1728 Cgbdhd32.exe 1728 Cgbdhd32.exe 1776 Cfeddafl.exe 1776 Cfeddafl.exe 2864 Clomqk32.exe 2864 Clomqk32.exe 1752 Cbkeib32.exe 1752 Cbkeib32.exe 2880 Copfbfjj.exe 2880 Copfbfjj.exe 2324 Cbnbobin.exe 2324 Cbnbobin.exe 1804 Cndbcc32.exe 1804 Cndbcc32.exe 2984 Dkhcmgnl.exe 2984 Dkhcmgnl.exe 2584 Dbbkja32.exe 2584 Dbbkja32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dbbkja32.exe Dkhcmgnl.exe File opened for modification C:\Windows\SysWOW64\Fjdbnf32.exe Fhffaj32.exe File created C:\Windows\SysWOW64\Nhnijp32.dll Idhopq32.exe File created C:\Windows\SysWOW64\Lmolnh32.exe Lkppbl32.exe File created C:\Windows\SysWOW64\Gedbdlbb.exe Fmmkcoap.exe File created C:\Windows\SysWOW64\Jaqddb32.dll Emkaol32.exe File created C:\Windows\SysWOW64\Hqddgc32.dll Ajphib32.exe File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe Gbnccfpb.exe File opened for modification C:\Windows\SysWOW64\Lliflp32.exe Leonofpp.exe File opened for modification C:\Windows\SysWOW64\Iakdqgfi.dll Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Amhpnkch.exe Ajjcbpdd.exe File created C:\Windows\SysWOW64\Epjomppp.dll Djklnnaj.exe File opened for modification C:\Windows\SysWOW64\Bemgilhh.exe Baakhm32.exe File created C:\Windows\SysWOW64\Ccngld32.exe Cldooj32.exe File opened for modification C:\Windows\SysWOW64\Gphmeo32.exe Gmjaic32.exe File opened for modification C:\Windows\SysWOW64\Ghlpli32.dll Ihankokm.exe File opened for modification C:\Windows\SysWOW64\Ndmjedoi.exe Nejiih32.exe File opened for modification C:\Windows\SysWOW64\Naajoinb.exe Nhiffc32.exe File opened for modification C:\Windows\SysWOW64\Pbhmnkjf.exe Pjadmnic.exe File created C:\Windows\SysWOW64\Aefeijle.exe Afcenm32.exe File opened for modification C:\Windows\SysWOW64\Iapebchh.exe Ioaifhid.exe File created C:\Windows\SysWOW64\Mencccop.exe Mbpgggol.exe File created C:\Windows\SysWOW64\Emkaol32.exe Efaibbij.exe File created C:\Windows\SysWOW64\Fcefji32.exe Fagjnn32.exe File created C:\Windows\SysWOW64\Cmbmkg32.dll Fbgmbg32.exe File opened for modification C:\Windows\SysWOW64\Ikddbj32.exe Igihbknb.exe File created C:\Windows\SysWOW64\Lldlqakb.exe Kifpdelo.exe File created C:\Windows\SysWOW64\Mdpjlajk.exe Mlibjc32.exe File opened for modification C:\Windows\SysWOW64\Nhfipcid.exe Namqci32.exe File opened for modification C:\Windows\SysWOW64\Qmfgjh32.exe Pgioaa32.exe File created C:\Windows\SysWOW64\Nmpnhdfc.exe Ngfflj32.exe File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe Ecpgmhai.exe File opened for modification C:\Windows\SysWOW64\Idhopq32.exe Iajcde32.exe File created C:\Windows\SysWOW64\Amdhhh32.dll Nhfipcid.exe File created C:\Windows\SysWOW64\Kmccegik.dll Omdneebf.exe File created C:\Windows\SysWOW64\Pbhmnkjf.exe Pjadmnic.exe File opened for modification C:\Windows\SysWOW64\Abhimnma.exe Apimacnn.exe File created C:\Windows\SysWOW64\Fphafl32.exe Fioija32.exe File created C:\Windows\SysWOW64\Gldkfl32.exe Ghhofmql.exe File created C:\Windows\SysWOW64\Iemkjqde.dll Leonofpp.exe File created C:\Windows\SysWOW64\Qiejdkkn.dll Ofmbnkhg.exe File created C:\Windows\SysWOW64\Ikkjbe32.exe Iccbqh32.exe File created C:\Windows\SysWOW64\Jjbpgd32.exe Jgcdki32.exe File opened for modification C:\Windows\SysWOW64\Ljffag32.exe Llcefjgf.exe File created C:\Windows\SysWOW64\Pqiqnfej.dll Icbimi32.exe File opened for modification C:\Windows\SysWOW64\Jkpgfn32.exe Jiakjb32.exe File created C:\Windows\SysWOW64\Lkoacn32.dll Mlibjc32.exe File opened for modification C:\Windows\SysWOW64\Namqci32.exe Ncjqhmkm.exe File created C:\Windows\SysWOW64\Iieipa32.dll Fjongcbl.exe File created C:\Windows\SysWOW64\Jhljdm32.exe Jfnnha32.exe File created C:\Windows\SysWOW64\Hendhe32.dll Mbpgggol.exe File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe Hacmcfge.exe File created C:\Windows\SysWOW64\Bahbme32.dll Jqfffqpm.exe File created C:\Windows\SysWOW64\Amkoie32.dll Okikfagn.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Anccmo32.exe File opened for modification C:\Windows\SysWOW64\Fagjnn32.exe Fnhnbb32.exe File created C:\Windows\SysWOW64\Ceodnl32.exe Cadhnmnm.exe File opened for modification C:\Windows\SysWOW64\Fadminnn.exe Fbamma32.exe File created C:\Windows\SysWOW64\Khdlmj32.dll Ilcmjl32.exe File created C:\Windows\SysWOW64\Diaagb32.dll Mlaeonld.exe File created C:\Windows\SysWOW64\Jkpgfn32.exe Jiakjb32.exe File opened for modification C:\Windows\SysWOW64\Pgioaa32.exe Pcnbablo.exe File created C:\Windows\SysWOW64\Gebbnpfp.exe Gohjaf32.exe File created C:\Windows\SysWOW64\Lpgimglf.dll Igchlf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5652 5628 WerFault.exe 493 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abofbl32.dll" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Fhffaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jokcgmee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaobdjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efaibbij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmdmcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll" Kohkfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iokfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcopbn32.dll" Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imehcohk.dll" Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiiddiab.dll" Jnicmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofmbnkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhehek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npagjpcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocindg32.dll" Ngpolo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmqokqf.dll" Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdehon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgjfkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogikcfnb.dll" Lfpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikfj32.dll" Qnigda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inqcif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojchmpcd.dll" Jbgbni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkgfckcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggpimica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqfffqpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngpolo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfoagoic.dll" Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll" Lpekon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll" Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbeknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll" Dhbfdjdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjmcaea.dll" Ajjcbpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljkomfjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmbhok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Papfegmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfahhm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1032 wrote to memory of 2356 1032 3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe 28 PID 1032 wrote to memory of 2356 1032 3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe 28 PID 1032 wrote to memory of 2356 1032 3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe 28 PID 1032 wrote to memory of 2356 1032 3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe 28 PID 2356 wrote to memory of 2220 2356 Qnigda32.exe 29 PID 2356 wrote to memory of 2220 2356 Qnigda32.exe 29 PID 2356 wrote to memory of 2220 2356 Qnigda32.exe 29 PID 2356 wrote to memory of 2220 2356 Qnigda32.exe 29 PID 2220 wrote to memory of 2544 2220 Ajphib32.exe 30 PID 2220 wrote to memory of 2544 2220 Ajphib32.exe 30 PID 2220 wrote to memory of 2544 2220 Ajphib32.exe 30 PID 2220 wrote to memory of 2544 2220 Ajphib32.exe 30 PID 2544 wrote to memory of 2588 2544 Affhncfc.exe 31 PID 2544 wrote to memory of 2588 2544 Affhncfc.exe 31 PID 2544 wrote to memory of 2588 2544 Affhncfc.exe 31 PID 2544 wrote to memory of 2588 2544 Affhncfc.exe 31 PID 2588 wrote to memory of 2012 2588 Aalmklfi.exe 32 PID 2588 wrote to memory of 2012 2588 Aalmklfi.exe 32 PID 2588 wrote to memory of 2012 2588 Aalmklfi.exe 32 PID 2588 wrote to memory of 2012 2588 Aalmklfi.exe 32 PID 2012 wrote to memory of 3016 2012 Aigaon32.exe 33 PID 2012 wrote to memory of 3016 2012 Aigaon32.exe 33 PID 2012 wrote to memory of 3016 2012 Aigaon32.exe 33 PID 2012 wrote to memory of 3016 2012 Aigaon32.exe 33 PID 3016 wrote to memory of 2460 3016 Admemg32.exe 34 PID 3016 wrote to memory of 2460 3016 Admemg32.exe 34 PID 3016 wrote to memory of 2460 3016 Admemg32.exe 34 PID 3016 wrote to memory of 2460 3016 Admemg32.exe 34 PID 2460 wrote to memory of 1704 2460 Aiinen32.exe 35 PID 2460 wrote to memory of 1704 2460 Aiinen32.exe 35 PID 2460 wrote to memory of 1704 2460 Aiinen32.exe 35 PID 2460 wrote to memory of 1704 2460 Aiinen32.exe 35 PID 1704 wrote to memory of 2824 1704 Aoffmd32.exe 36 PID 1704 wrote to memory of 2824 1704 Aoffmd32.exe 36 PID 1704 wrote to memory of 2824 1704 Aoffmd32.exe 36 PID 1704 wrote to memory of 2824 1704 Aoffmd32.exe 36 PID 2824 wrote to memory of 1500 2824 Aepojo32.exe 37 PID 2824 wrote to memory of 1500 2824 Aepojo32.exe 37 PID 2824 wrote to memory of 1500 2824 Aepojo32.exe 37 PID 2824 wrote to memory of 1500 2824 Aepojo32.exe 37 PID 1500 wrote to memory of 1608 1500 Bbdocc32.exe 38 PID 1500 wrote to memory of 1608 1500 Bbdocc32.exe 38 PID 1500 wrote to memory of 1608 1500 Bbdocc32.exe 38 PID 1500 wrote to memory of 1608 1500 Bbdocc32.exe 38 PID 1608 wrote to memory of 1248 1608 Bhahlj32.exe 39 PID 1608 wrote to memory of 1248 1608 Bhahlj32.exe 39 PID 1608 wrote to memory of 1248 1608 Bhahlj32.exe 39 PID 1608 wrote to memory of 1248 1608 Bhahlj32.exe 39 PID 1248 wrote to memory of 1760 1248 Bbflib32.exe 40 PID 1248 wrote to memory of 1760 1248 Bbflib32.exe 40 PID 1248 wrote to memory of 1760 1248 Bbflib32.exe 40 PID 1248 wrote to memory of 1760 1248 Bbflib32.exe 40 PID 1760 wrote to memory of 2264 1760 Bloqah32.exe 41 PID 1760 wrote to memory of 2264 1760 Bloqah32.exe 41 PID 1760 wrote to memory of 2264 1760 Bloqah32.exe 41 PID 1760 wrote to memory of 2264 1760 Bloqah32.exe 41 PID 2264 wrote to memory of 2528 2264 Balijo32.exe 42 PID 2264 wrote to memory of 2528 2264 Balijo32.exe 42 PID 2264 wrote to memory of 2528 2264 Balijo32.exe 42 PID 2264 wrote to memory of 2528 2264 Balijo32.exe 42 PID 2528 wrote to memory of 576 2528 Bhfagipa.exe 43 PID 2528 wrote to memory of 576 2528 Bhfagipa.exe 43 PID 2528 wrote to memory of 576 2528 Bhfagipa.exe 43 PID 2528 wrote to memory of 576 2528 Bhfagipa.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3838ef6a25456f5f006b84b0da398670_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1796 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe33⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe34⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe35⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe37⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe39⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe40⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe41⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe43⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe45⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe48⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe50⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe51⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe52⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe55⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe56⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe57⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe58⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe60⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe63⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe64⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe67⤵PID:2232
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe68⤵
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe69⤵PID:2396
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe70⤵PID:1352
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:812 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe74⤵PID:1604
-
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe75⤵PID:1668
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe76⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe78⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe79⤵PID:3020
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe80⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe81⤵PID:1192
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe82⤵PID:1620
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1048 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe84⤵PID:2332
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe86⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe87⤵
- Drops file in System32 directory
PID:788 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe88⤵PID:612
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe89⤵PID:2996
-
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe90⤵PID:3024
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe91⤵PID:1584
-
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe92⤵PID:2144
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe94⤵PID:2604
-
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe95⤵PID:2432
-
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe96⤵PID:2900
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe97⤵PID:2772
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe98⤵PID:1120
-
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe100⤵PID:984
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe102⤵PID:1088
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe103⤵PID:1528
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe104⤵
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe105⤵PID:2884
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:636 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe107⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe108⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe109⤵PID:2628
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe111⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe112⤵PID:2756
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe113⤵PID:2672
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe114⤵
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe115⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe116⤵
- Drops file in System32 directory
PID:720 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe117⤵PID:2268
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe118⤵
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe119⤵PID:2080
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe120⤵PID:1792
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:2284
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-