Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
16/06/2024, 23:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe
-
Size
80KB
-
MD5
1ce34fc8ef82b9e2f2f2cf08e37518a0
-
SHA1
5b0d4b4915c2a1f5690ea0b416ca1d8d364f2978
-
SHA256
4b1d4203365a54f0984a5c5eabad28ac1821d633d7bb4c3adf805ff917619656
-
SHA512
f5fea068341f1ee631a7c3f782b29e4e1400b3d2dcc1e4d04bb402f4c0af442cde2dc8c5ca040c39161245e50b1c4b156c54e324a0b0b6657404dd2a7a770bda
-
SSDEEP
1536:2vcmZ7EhfsMhPhek5rk50rlpF0yUpljZ2LWaIZTJ+7LhkiB0:2JyfsgP6EUpluWaMU7ui
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbofgme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdhaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlmicj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnihdemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbiocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdonhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfdnihk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihbcmaje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdklfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfmcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opaebkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khielcfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndqkleln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjohmbpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknpkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meicnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opifnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foafdoag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpbdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhhgkib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beackp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becpap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alihaioe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceebklai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkpglbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlbboiip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgmoggn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flqmbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihhcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eafkhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcojam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deondj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibnop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieofkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgidfcdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbbbdcgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdqnkoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldebkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkalhgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poklngnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gghmmilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emaijk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2076 Beejng32.exe 3068 Behgcf32.exe 2800 Bobhal32.exe 1860 Chkmkacq.exe 2644 Cbdnko32.exe 2592 Cgdcgm32.exe 1976 Cckdlnjg.exe 1504 Dhkiid32.exe 2708 Dnjngk32.exe 832 Dnlkmkpn.exe 1564 Ejehgkdp.exe 1108 Ecpjfq32.exe 1148 Ehmbng32.exe 1744 Ebgclm32.exe 1872 Fbjpblip.exe 1696 Fjeefofk.exe 2296 Fgiepced.exe 1596 Fcbbjcif.exe 1904 Giahhj32.exe 2756 Gcglec32.exe 892 Gfehan32.exe 2912 Ghiaof32.exe 544 Gihniioc.exe 1964 Gdboig32.exe 2968 Hpkldg32.exe 2428 Helngnie.exe 2576 Hflkaq32.exe 2856 Ieagbm32.exe 2728 Iknpkd32.exe 2636 Ihdmihpn.exe 2980 Jeadap32.exe 576 Jlklnjoh.exe 1364 Jlmicj32.exe 2932 Jhdihkcj.exe 1560 Jonbee32.exe 1688 Jlbboiip.exe 1892 Kfjggo32.exe 2520 Knekla32.exe 1500 Khkpijma.exe 1456 Kdbpnk32.exe 2404 Kklikejc.exe 2780 Kcgmoggn.exe 1724 Kjaelaok.exe 324 Kcijeg32.exe 1164 Ljcbaamh.exe 1636 Lfjcfb32.exe 2916 Lkgkoiqc.exe 1012 Lflplbpi.exe 872 Lpedeg32.exe 2432 Lklejh32.exe 2224 Lahmbo32.exe 2764 Makjho32.exe 2744 Mgebdipp.exe 2792 Meicnm32.exe 2144 Mnaggcej.exe 2544 Mjhhld32.exe 520 Mdpldi32.exe 804 Mmhamoho.exe 2140 Mfaefd32.exe 2280 Noljjglk.exe 536 Nfcbldmm.exe 1360 Nlpkdkkd.exe 2460 Nehomq32.exe 2304 Nblpfepo.exe -
Loads dropped DLL 64 IoCs
pid Process 2160 1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe 2160 1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe 2076 Beejng32.exe 2076 Beejng32.exe 3068 Behgcf32.exe 3068 Behgcf32.exe 2800 Bobhal32.exe 2800 Bobhal32.exe 1860 Chkmkacq.exe 1860 Chkmkacq.exe 2644 Cbdnko32.exe 2644 Cbdnko32.exe 2592 Cgdcgm32.exe 2592 Cgdcgm32.exe 1976 Cckdlnjg.exe 1976 Cckdlnjg.exe 1504 Dhkiid32.exe 1504 Dhkiid32.exe 2708 Dnjngk32.exe 2708 Dnjngk32.exe 832 Dnlkmkpn.exe 832 Dnlkmkpn.exe 1564 Ejehgkdp.exe 1564 Ejehgkdp.exe 1108 Ecpjfq32.exe 1108 Ecpjfq32.exe 1148 Ehmbng32.exe 1148 Ehmbng32.exe 1744 Ebgclm32.exe 1744 Ebgclm32.exe 1872 Fbjpblip.exe 1872 Fbjpblip.exe 1696 Fjeefofk.exe 1696 Fjeefofk.exe 2296 Fgiepced.exe 2296 Fgiepced.exe 1596 Fcbbjcif.exe 1596 Fcbbjcif.exe 1904 Giahhj32.exe 1904 Giahhj32.exe 2756 Gcglec32.exe 2756 Gcglec32.exe 892 Gfehan32.exe 892 Gfehan32.exe 2912 Ghiaof32.exe 2912 Ghiaof32.exe 544 Gihniioc.exe 544 Gihniioc.exe 1964 Gdboig32.exe 1964 Gdboig32.exe 1584 Hmomml32.exe 1584 Hmomml32.exe 2428 Helngnie.exe 2428 Helngnie.exe 2576 Hflkaq32.exe 2576 Hflkaq32.exe 2856 Ieagbm32.exe 2856 Ieagbm32.exe 2728 Iknpkd32.exe 2728 Iknpkd32.exe 2636 Ihdmihpn.exe 2636 Ihdmihpn.exe 2980 Jeadap32.exe 2980 Jeadap32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lfmbek32.exe Lkgngb32.exe File opened for modification C:\Windows\SysWOW64\Pljcllqe.exe Pdonhj32.exe File opened for modification C:\Windows\SysWOW64\Ihglhp32.exe Iamdkfnc.exe File created C:\Windows\SysWOW64\Kgclio32.exe Kjokokha.exe File created C:\Windows\SysWOW64\Goackilq.dll Kfjggo32.exe File opened for modification C:\Windows\SysWOW64\Kcgmoggn.exe Kklikejc.exe File created C:\Windows\SysWOW64\Ibfaopoi.exe Iinmfk32.exe File created C:\Windows\SysWOW64\Fbieeo32.dll Kbbobkol.exe File opened for modification C:\Windows\SysWOW64\Lfbdci32.exe Lpflkb32.exe File opened for modification C:\Windows\SysWOW64\Ojmpooah.exe Ndqkleln.exe File created C:\Windows\SysWOW64\Lcohahpn.exe Lifcib32.exe File created C:\Windows\SysWOW64\Ghiaof32.exe Gfehan32.exe File created C:\Windows\SysWOW64\Dpjbgh32.exe Dokfme32.exe File created C:\Windows\SysWOW64\Cgidfcdk.exe Bbllnlfd.exe File opened for modification C:\Windows\SysWOW64\Cmbalfem.exe Cdjmcpnl.exe File opened for modification C:\Windows\SysWOW64\Fmegncpp.exe Foafdoag.exe File created C:\Windows\SysWOW64\Geeemeif.exe Fgadda32.exe File created C:\Windows\SysWOW64\Iidgma32.dll Hgbfnngi.exe File created C:\Windows\SysWOW64\Jlmicj32.exe Jlklnjoh.exe File created C:\Windows\SysWOW64\Aacinhhc.dll Allefimb.exe File created C:\Windows\SysWOW64\Nnmlcp32.exe Nmkplgnq.exe File created C:\Windows\SysWOW64\Ifoqjo32.exe Hmglajcd.exe File opened for modification C:\Windows\SysWOW64\Ogiaif32.exe Omqlpp32.exe File created C:\Windows\SysWOW64\Cagienkb.exe Cileqlmg.exe File created C:\Windows\SysWOW64\Dhkiid32.exe Cckdlnjg.exe File opened for modification C:\Windows\SysWOW64\Onocmadb.exe Ocjophem.exe File opened for modification C:\Windows\SysWOW64\Eiekpd32.exe Edibhmml.exe File created C:\Windows\SysWOW64\Homdhjai.exe Hfepod32.exe File created C:\Windows\SysWOW64\Akabgebj.exe Afdiondb.exe File created C:\Windows\SysWOW64\Kfjggo32.exe Jlbboiip.exe File created C:\Windows\SysWOW64\Ggogki32.dll Nbbbdcgi.exe File opened for modification C:\Windows\SysWOW64\Pghfnc32.exe Paknelgk.exe File opened for modification C:\Windows\SysWOW64\Jcqlkjae.exe Jmfcop32.exe File created C:\Windows\SysWOW64\Nonlfc32.dll Jnkakl32.exe File opened for modification C:\Windows\SysWOW64\Kkmand32.exe Kfpifm32.exe File opened for modification C:\Windows\SysWOW64\Mdiefffn.exe Mjcaimgg.exe File opened for modification C:\Windows\SysWOW64\Cffljlpc.exe Cmmhaf32.exe File opened for modification C:\Windows\SysWOW64\Lifcib32.exe Lpnopm32.exe File created C:\Windows\SysWOW64\Ajeeeblb.exe Ackmih32.exe File created C:\Windows\SysWOW64\Jgifkl32.dll Obbdml32.exe File created C:\Windows\SysWOW64\Dgknkf32.exe Daaenlng.exe File created C:\Windows\SysWOW64\Elkmmodo.exe Ecbhdi32.exe File created C:\Windows\SysWOW64\Jpbalb32.exe Ihglhp32.exe File created C:\Windows\SysWOW64\Bpifad32.dll Pbgjgomc.exe File opened for modification C:\Windows\SysWOW64\Lahmbo32.exe Lklejh32.exe File opened for modification C:\Windows\SysWOW64\Fhdmph32.exe Fakdcnhh.exe File opened for modification C:\Windows\SysWOW64\Jibnop32.exe Jfaeme32.exe File opened for modification C:\Windows\SysWOW64\Jonbee32.exe Jhdihkcj.exe File opened for modification C:\Windows\SysWOW64\Obokcqhk.exe Opqoge32.exe File created C:\Windows\SysWOW64\Hcojam32.exe Hnbaif32.exe File created C:\Windows\SysWOW64\Mgkjgicl.dll Helngnie.exe File opened for modification C:\Windows\SysWOW64\Bdhleh32.exe Bkpglbaj.exe File created C:\Windows\SysWOW64\Ibnhnc32.dll Jggoqimd.exe File created C:\Windows\SysWOW64\Lkgngb32.exe Lclicpkm.exe File created C:\Windows\SysWOW64\Mgmdapml.exe Mflgih32.exe File opened for modification C:\Windows\SysWOW64\Jkpbdq32.exe Jnkakl32.exe File created C:\Windows\SysWOW64\Fhbnbpjc.exe Elkmmodo.exe File created C:\Windows\SysWOW64\Gneijien.exe Fjlmpfhg.exe File created C:\Windows\SysWOW64\Cbppnbhm.exe Bjdkjpkb.exe File created C:\Windows\SysWOW64\Obmolfok.dll Nledoj32.exe File created C:\Windows\SysWOW64\Gcahoqhf.exe Gjicfk32.exe File created C:\Windows\SysWOW64\Eipbmjcc.dll Dpjbgh32.exe File opened for modification C:\Windows\SysWOW64\Gkalhgfd.exe Gqlhkofn.exe File opened for modification C:\Windows\SysWOW64\Jjkkbjln.exe Jbpfnh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1916 1212 WerFault.exe 566 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhbje32.dll" Cmfmojcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aennba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpbdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpceaipi.dll" Lclicpkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejcohho.dll" Hofngkga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganigoib.dll" Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlqmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkggmldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkeba32.dll" Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkpeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilfjg32.dll" Ojeobm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epecbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeekmjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndfnecgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egjbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmemln32.dll" Hejmpqop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhoice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongkdd32.dll" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Ifolhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklfipaq.dll" Jjkkbjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcohahpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dikogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbonbipa.dll" Dmgmpnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclpkjad.dll" Eibgpnjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkpglbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgdcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meecopha.dll" Gnmifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdgqq32.dll" Ihniaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" Kdnkdmec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgknkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmjbki32.dll" Ajjfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkkija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnjo32.dll" Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleeaj32.dll" Bbbgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpcckck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll" Cbppnbhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgaaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bacihmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhkiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmegncpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfmbek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noljjglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glegaime.dll" Egahen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqahnjpk.dll" Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobpfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmkhf32.dll" Mjcaimgg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 2076 2160 1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe 28 PID 2160 wrote to memory of 2076 2160 1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe 28 PID 2160 wrote to memory of 2076 2160 1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe 28 PID 2160 wrote to memory of 2076 2160 1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe 28 PID 2076 wrote to memory of 3068 2076 Beejng32.exe 29 PID 2076 wrote to memory of 3068 2076 Beejng32.exe 29 PID 2076 wrote to memory of 3068 2076 Beejng32.exe 29 PID 2076 wrote to memory of 3068 2076 Beejng32.exe 29 PID 3068 wrote to memory of 2800 3068 Behgcf32.exe 30 PID 3068 wrote to memory of 2800 3068 Behgcf32.exe 30 PID 3068 wrote to memory of 2800 3068 Behgcf32.exe 30 PID 3068 wrote to memory of 2800 3068 Behgcf32.exe 30 PID 2800 wrote to memory of 1860 2800 Bobhal32.exe 31 PID 2800 wrote to memory of 1860 2800 Bobhal32.exe 31 PID 2800 wrote to memory of 1860 2800 Bobhal32.exe 31 PID 2800 wrote to memory of 1860 2800 Bobhal32.exe 31 PID 1860 wrote to memory of 2644 1860 Chkmkacq.exe 32 PID 1860 wrote to memory of 2644 1860 Chkmkacq.exe 32 PID 1860 wrote to memory of 2644 1860 Chkmkacq.exe 32 PID 1860 wrote to memory of 2644 1860 Chkmkacq.exe 32 PID 2644 wrote to memory of 2592 2644 Cbdnko32.exe 33 PID 2644 wrote to memory of 2592 2644 Cbdnko32.exe 33 PID 2644 wrote to memory of 2592 2644 Cbdnko32.exe 33 PID 2644 wrote to memory of 2592 2644 Cbdnko32.exe 33 PID 2592 wrote to memory of 1976 2592 Cgdcgm32.exe 34 PID 2592 wrote to memory of 1976 2592 Cgdcgm32.exe 34 PID 2592 wrote to memory of 1976 2592 Cgdcgm32.exe 34 PID 2592 wrote to memory of 1976 2592 Cgdcgm32.exe 34 PID 1976 wrote to memory of 1504 1976 Cckdlnjg.exe 35 PID 1976 wrote to memory of 1504 1976 Cckdlnjg.exe 35 PID 1976 wrote to memory of 1504 1976 Cckdlnjg.exe 35 PID 1976 wrote to memory of 1504 1976 Cckdlnjg.exe 35 PID 1504 wrote to memory of 2708 1504 Dhkiid32.exe 36 PID 1504 wrote to memory of 2708 1504 Dhkiid32.exe 36 PID 1504 wrote to memory of 2708 1504 Dhkiid32.exe 36 PID 1504 wrote to memory of 2708 1504 Dhkiid32.exe 36 PID 2708 wrote to memory of 832 2708 Dnjngk32.exe 37 PID 2708 wrote to memory of 832 2708 Dnjngk32.exe 37 PID 2708 wrote to memory of 832 2708 Dnjngk32.exe 37 PID 2708 wrote to memory of 832 2708 Dnjngk32.exe 37 PID 832 wrote to memory of 1564 832 Dnlkmkpn.exe 38 PID 832 wrote to memory of 1564 832 Dnlkmkpn.exe 38 PID 832 wrote to memory of 1564 832 Dnlkmkpn.exe 38 PID 832 wrote to memory of 1564 832 Dnlkmkpn.exe 38 PID 1564 wrote to memory of 1108 1564 Ejehgkdp.exe 39 PID 1564 wrote to memory of 1108 1564 Ejehgkdp.exe 39 PID 1564 wrote to memory of 1108 1564 Ejehgkdp.exe 39 PID 1564 wrote to memory of 1108 1564 Ejehgkdp.exe 39 PID 1108 wrote to memory of 1148 1108 Ecpjfq32.exe 40 PID 1108 wrote to memory of 1148 1108 Ecpjfq32.exe 40 PID 1108 wrote to memory of 1148 1108 Ecpjfq32.exe 40 PID 1108 wrote to memory of 1148 1108 Ecpjfq32.exe 40 PID 1148 wrote to memory of 1744 1148 Ehmbng32.exe 41 PID 1148 wrote to memory of 1744 1148 Ehmbng32.exe 41 PID 1148 wrote to memory of 1744 1148 Ehmbng32.exe 41 PID 1148 wrote to memory of 1744 1148 Ehmbng32.exe 41 PID 1744 wrote to memory of 1872 1744 Ebgclm32.exe 42 PID 1744 wrote to memory of 1872 1744 Ebgclm32.exe 42 PID 1744 wrote to memory of 1872 1744 Ebgclm32.exe 42 PID 1744 wrote to memory of 1872 1744 Ebgclm32.exe 42 PID 1872 wrote to memory of 1696 1872 Fbjpblip.exe 43 PID 1872 wrote to memory of 1696 1872 Fbjpblip.exe 43 PID 1872 wrote to memory of 1696 1872 Fbjpblip.exe 43 PID 1872 wrote to memory of 1696 1872 Fbjpblip.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1ce34fc8ef82b9e2f2f2cf08e37518a0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Chkmkacq.exeC:\Windows\system32\Chkmkacq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Ehmbng32.exeC:\Windows\system32\Ehmbng32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe26⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe27⤵
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe37⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe40⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe41⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe42⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe45⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe46⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe47⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe48⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe49⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe50⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe51⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe53⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe54⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe55⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe57⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe58⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe59⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe60⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe61⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe63⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe64⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe65⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe66⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe67⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe68⤵PID:2992
-
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe69⤵PID:2308
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe71⤵PID:3020
-
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe72⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe73⤵PID:2236
-
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe74⤵PID:1668
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe75⤵PID:2416
-
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe76⤵PID:1100
-
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe77⤵PID:2824
-
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe78⤵PID:2628
-
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe79⤵PID:2584
-
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe80⤵PID:2068
-
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe81⤵PID:556
-
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe82⤵PID:2720
-
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe83⤵PID:1952
-
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe84⤵PID:1928
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe85⤵PID:944
-
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe86⤵PID:1576
-
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe87⤵PID:1332
-
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe88⤵PID:2880
-
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe89⤵PID:1068
-
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe90⤵PID:1676
-
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe91⤵PID:1600
-
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe92⤵PID:2956
-
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe93⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe94⤵
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe95⤵PID:1580
-
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe96⤵PID:2564
-
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe97⤵PID:2816
-
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe98⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe99⤵PID:2400
-
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe100⤵
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe101⤵PID:432
-
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe102⤵PID:1656
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe103⤵PID:2000
-
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe104⤵
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe105⤵PID:1604
-
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe106⤵PID:1740
-
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe107⤵PID:1212
-
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe108⤵PID:280
-
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe109⤵PID:968
-
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe110⤵PID:2148
-
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe111⤵
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe112⤵PID:1588
-
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe113⤵PID:2612
-
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe114⤵PID:2836
-
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe115⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe116⤵PID:2832
-
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe117⤵PID:2776
-
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe118⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe119⤵PID:2412
-
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe120⤵PID:1072
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:836
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-