Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
17/06/2024, 01:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe
-
Size
73KB
-
MD5
2a9b15eb1b06f2ffb2c454c95aef2370
-
SHA1
4e0d13d20fce680b6bc6418db479bb66ee260782
-
SHA256
ba9ce7df7d7449a845eabf7847f8b06d6b54764b670afc94f63e77a63bf8c403
-
SHA512
0ea55a471dfb7ee248e646f0cca9cfdcfe49b1d391b4ff8f071b20fbda204e27c98c063045373ee9ff0a8d81adf56926e537f3c2e85c41b115bb050d037126c9
-
SSDEEP
1536:7H7Wo3I4nboU3JWVavYjaEnZ5YMkhohBM:7Z5bJJWVayznrUAM
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldcamcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjbnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfhlin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmdnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkmjin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagpopmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meagci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccngld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipnfged.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcnlglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmlgonbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoailji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oobjaqaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgpjanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdejaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecmkghcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckafbbph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcijcbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqkqkdne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilhldfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokfhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfoedl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mihiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohibdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbhabjp.exe -
Executes dropped EXE 64 IoCs
pid Process 2224 Hoakolod.exe 2772 Hhioga32.exe 2600 Hjkkojlc.exe 2456 Hqddldcp.exe 2632 Hgolhn32.exe 2564 Imkdqe32.exe 1196 Idblbb32.exe 2960 Ifdiijpe.exe 2520 Inkakhpg.exe 1576 Iolmbpfe.exe 1308 Igcecmfg.exe 2804 Iidbke32.exe 1556 Icjfhn32.exe 2924 Ifhbdj32.exe 2052 Iigoqe32.exe 324 Ioagno32.exe 1436 Ibocjk32.exe 2160 Iiikfehq.exe 908 Ibapoj32.exe 448 Jilhldfn.exe 2668 Joepio32.exe 876 Jbdlejmn.exe 1848 Jinead32.exe 1116 Jjoailji.exe 2100 Jaiiff32.exe 3052 Jcgfbb32.exe 2212 Jjanolhg.exe 2544 Jgenhp32.exe 2660 Jjdkdl32.exe 2584 Jpqclb32.exe 2816 Jghknp32.exe 2624 Jiigehkl.exe 2572 Kappfeln.exe 1296 Kbalnnam.exe 1652 Kcahhq32.exe 2412 Kfoedl32.exe 944 Kebepion.exe 2768 Kinaqg32.exe 2784 Kipnfged.exe 2056 Klnjbbdh.exe 2124 Kpjfba32.exe 2060 Kbhbom32.exe 292 Koocdnai.exe 1800 Kanopipl.exe 1504 Kdlkld32.exe 3064 Lhggmchi.exe 980 Lkfciogm.exe 328 Loapim32.exe 2132 Lmdpejfq.exe 2312 Laplei32.exe 1568 Ldnhad32.exe 2532 Lhjdbcef.exe 2592 Lfmdnp32.exe 2484 Lodlom32.exe 2588 Lmgmjjdn.exe 2516 Labhkh32.exe 2088 Ldqegd32.exe 2348 Lhlqhb32.exe 1688 Lgoacojo.exe 2032 Lkkmdn32.exe 2760 Lmiipi32.exe 2844 Ladeqhjd.exe 696 Ldcamcih.exe 1636 Lganiohl.exe -
Loads dropped DLL 64 IoCs
pid Process 2148 2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe 2148 2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe 2224 Hoakolod.exe 2224 Hoakolod.exe 2772 Hhioga32.exe 2772 Hhioga32.exe 2600 Hjkkojlc.exe 2600 Hjkkojlc.exe 2456 Hqddldcp.exe 2456 Hqddldcp.exe 2632 Hgolhn32.exe 2632 Hgolhn32.exe 2564 Imkdqe32.exe 2564 Imkdqe32.exe 1196 Idblbb32.exe 1196 Idblbb32.exe 2960 Ifdiijpe.exe 2960 Ifdiijpe.exe 2520 Inkakhpg.exe 2520 Inkakhpg.exe 1576 Iolmbpfe.exe 1576 Iolmbpfe.exe 1308 Igcecmfg.exe 1308 Igcecmfg.exe 2804 Iidbke32.exe 2804 Iidbke32.exe 1556 Icjfhn32.exe 1556 Icjfhn32.exe 2924 Ifhbdj32.exe 2924 Ifhbdj32.exe 2052 Iigoqe32.exe 2052 Iigoqe32.exe 324 Ioagno32.exe 324 Ioagno32.exe 1436 Ibocjk32.exe 1436 Ibocjk32.exe 2160 Iiikfehq.exe 2160 Iiikfehq.exe 908 Ibapoj32.exe 908 Ibapoj32.exe 448 Jilhldfn.exe 448 Jilhldfn.exe 2668 Joepio32.exe 2668 Joepio32.exe 876 Jbdlejmn.exe 876 Jbdlejmn.exe 1848 Jinead32.exe 1848 Jinead32.exe 1116 Jjoailji.exe 1116 Jjoailji.exe 2100 Jaiiff32.exe 2100 Jaiiff32.exe 3052 Jcgfbb32.exe 3052 Jcgfbb32.exe 2212 Jjanolhg.exe 2212 Jjanolhg.exe 2544 Jgenhp32.exe 2544 Jgenhp32.exe 2660 Jjdkdl32.exe 2660 Jjdkdl32.exe 2584 Jpqclb32.exe 2584 Jpqclb32.exe 2816 Jghknp32.exe 2816 Jghknp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pefijfii.exe Pbhmnkjf.exe File created C:\Windows\SysWOW64\Dbfabp32.exe Dogefd32.exe File created C:\Windows\SysWOW64\Ogfpbeim.exe Oicpfh32.exe File created C:\Windows\SysWOW64\Ieqeidnl.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Iqmcpahh.exe Inngcfid.exe File created C:\Windows\SysWOW64\Dpiddoma.dll Cohigamf.exe File created C:\Windows\SysWOW64\Bpjiammk.dll Afkbib32.exe File created C:\Windows\SysWOW64\Ccnnibig.dll Anafhopc.exe File opened for modification C:\Windows\SysWOW64\Ejobhppq.exe Eqgnokip.exe File created C:\Windows\SysWOW64\Onphoo32.exe Oomhcbjp.exe File opened for modification C:\Windows\SysWOW64\Nkaocp32.exe Ngfcca32.exe File created C:\Windows\SysWOW64\Qecoqk32.exe Qagcpljo.exe File created C:\Windows\SysWOW64\Ajbdna32.exe Ahchbf32.exe File opened for modification C:\Windows\SysWOW64\Eijcpoac.exe Eflgccbp.exe File opened for modification C:\Windows\SysWOW64\Emhlfmgj.exe Eeqdep32.exe File opened for modification C:\Windows\SysWOW64\Pkpagq32.exe Pciifc32.exe File opened for modification C:\Windows\SysWOW64\Ladeqhjd.exe Lmiipi32.exe File created C:\Windows\SysWOW64\Kkijmm32.exe Kgnnln32.exe File opened for modification C:\Windows\SysWOW64\Naajoinb.exe Nkgbbo32.exe File created C:\Windows\SysWOW64\Kjnifgah.dll Hiekid32.exe File created C:\Windows\SysWOW64\Kjmbgl32.dll Npfgpe32.exe File created C:\Windows\SysWOW64\Jmjjea32.exe Jiondcpk.exe File opened for modification C:\Windows\SysWOW64\Nmjblg32.exe Nfpjomgd.exe File created C:\Windows\SysWOW64\Dlgldibq.exe Dndlim32.exe File created C:\Windows\SysWOW64\Fjaonpnn.exe Effcma32.exe File opened for modification C:\Windows\SysWOW64\Mdejaf32.exe Mpjoqhah.exe File created C:\Windows\SysWOW64\Peinaf32.dll Ndgggf32.exe File created C:\Windows\SysWOW64\Fncann32.dll Dhmcfkme.exe File created C:\Windows\SysWOW64\Aoepcn32.exe Ajjcbpdd.exe File created C:\Windows\SysWOW64\Iecenlqh.dll Bfcampgf.exe File opened for modification C:\Windows\SysWOW64\Lgoacojo.exe Lhlqhb32.exe File created C:\Windows\SysWOW64\Aplifb32.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Eliele32.dll Mdcnlglc.exe File created C:\Windows\SysWOW64\Pfoocjfd.exe Onhgbmfb.exe File opened for modification C:\Windows\SysWOW64\Ihdkao32.exe Iqmcpahh.exe File opened for modification C:\Windows\SysWOW64\Jkpgfn32.exe Jiakjb32.exe File created C:\Windows\SysWOW64\Inlepd32.dll Oqkqkdne.exe File opened for modification C:\Windows\SysWOW64\Dggcffhg.exe Dhdcji32.exe File opened for modification C:\Windows\SysWOW64\Mlelaeqk.exe Maphdl32.exe File created C:\Windows\SysWOW64\Flmpfjke.dll Kcfkfo32.exe File created C:\Windows\SysWOW64\Labhkh32.exe Lmgmjjdn.exe File created C:\Windows\SysWOW64\Odjpkihg.exe Onphoo32.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Bbflib32.exe File created C:\Windows\SysWOW64\Gkgkbipp.exe Ghhofmql.exe File created C:\Windows\SysWOW64\Jpajnpao.dll Hgbebiao.exe File created C:\Windows\SysWOW64\Lchnnp32.exe Ldenbcge.exe File opened for modification C:\Windows\SysWOW64\Chhjkl32.exe Cjpqdp32.exe File opened for modification C:\Windows\SysWOW64\Ddeaalpg.exe Dmoipopd.exe File opened for modification C:\Windows\SysWOW64\Joplbl32.exe Jkdpanhg.exe File opened for modification C:\Windows\SysWOW64\Bopicc32.exe Bkdmcdoe.exe File opened for modification C:\Windows\SysWOW64\Bldcpf32.exe Bifgdk32.exe File opened for modification C:\Windows\SysWOW64\Ahchbf32.exe Adhlaggp.exe File created C:\Windows\SysWOW64\Igkdgk32.exe Icpigm32.exe File opened for modification C:\Windows\SysWOW64\Nplkfgoe.exe Nnnojlpa.exe File created C:\Windows\SysWOW64\Nbipbe32.dll Kfoedl32.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Jilhldfn.exe Ibapoj32.exe File created C:\Windows\SysWOW64\Fogilika.dll Ccngld32.exe File created C:\Windows\SysWOW64\Nkemkhcd.dll Pefijfii.exe File created C:\Windows\SysWOW64\Fjilieka.exe Fhkpmjln.exe File created C:\Windows\SysWOW64\Kjcpii32.exe Kfgdhjmk.exe File created C:\Windows\SysWOW64\Bingpmnl.exe Bebkpn32.exe File created C:\Windows\SysWOW64\Ecfecaop.dll Nfkpdn32.exe File created C:\Windows\SysWOW64\Oiellh32.exe Odjpkihg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6680 6620 WerFault.exe 687 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiifgf32.dll" Inkakhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afkbib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhkqaj.dll" Bkdmcdoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afcenm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjkhm32.dll" Ifdiijpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcpkdle.dll" Ibocjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ailkjmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alihbgdo.dll" Bdlblj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlcple32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdjfphi.dll" Lckdanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpajdp32.dll" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bingpmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffoia32.dll" Jicgpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcecp32.dll" Adjigg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojbjm32.dll" Coelaaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqopea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laplei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhjdbcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkkmdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppjglfon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilchoah.dll" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gobgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmdobgi.dll" Bpiipf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifclcknc.dll" Qljkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgdhd32.dll" Kipnfged.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alefel32.dll" Kbhbom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldnhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piddlm32.dll" Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompoljfn.dll" Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlblm32.dll" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccngld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbpkign.dll" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldcamcih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bloqah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Globlmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefagn32.dll" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Limfed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkbhgojk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2148 wrote to memory of 2224 2148 2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe 28 PID 2148 wrote to memory of 2224 2148 2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe 28 PID 2148 wrote to memory of 2224 2148 2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe 28 PID 2148 wrote to memory of 2224 2148 2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe 28 PID 2224 wrote to memory of 2772 2224 Hoakolod.exe 29 PID 2224 wrote to memory of 2772 2224 Hoakolod.exe 29 PID 2224 wrote to memory of 2772 2224 Hoakolod.exe 29 PID 2224 wrote to memory of 2772 2224 Hoakolod.exe 29 PID 2772 wrote to memory of 2600 2772 Hhioga32.exe 30 PID 2772 wrote to memory of 2600 2772 Hhioga32.exe 30 PID 2772 wrote to memory of 2600 2772 Hhioga32.exe 30 PID 2772 wrote to memory of 2600 2772 Hhioga32.exe 30 PID 2600 wrote to memory of 2456 2600 Hjkkojlc.exe 31 PID 2600 wrote to memory of 2456 2600 Hjkkojlc.exe 31 PID 2600 wrote to memory of 2456 2600 Hjkkojlc.exe 31 PID 2600 wrote to memory of 2456 2600 Hjkkojlc.exe 31 PID 2456 wrote to memory of 2632 2456 Hqddldcp.exe 32 PID 2456 wrote to memory of 2632 2456 Hqddldcp.exe 32 PID 2456 wrote to memory of 2632 2456 Hqddldcp.exe 32 PID 2456 wrote to memory of 2632 2456 Hqddldcp.exe 32 PID 2632 wrote to memory of 2564 2632 Hgolhn32.exe 33 PID 2632 wrote to memory of 2564 2632 Hgolhn32.exe 33 PID 2632 wrote to memory of 2564 2632 Hgolhn32.exe 33 PID 2632 wrote to memory of 2564 2632 Hgolhn32.exe 33 PID 2564 wrote to memory of 1196 2564 Imkdqe32.exe 34 PID 2564 wrote to memory of 1196 2564 Imkdqe32.exe 34 PID 2564 wrote to memory of 1196 2564 Imkdqe32.exe 34 PID 2564 wrote to memory of 1196 2564 Imkdqe32.exe 34 PID 1196 wrote to memory of 2960 1196 Idblbb32.exe 35 PID 1196 wrote to memory of 2960 1196 Idblbb32.exe 35 PID 1196 wrote to memory of 2960 1196 Idblbb32.exe 35 PID 1196 wrote to memory of 2960 1196 Idblbb32.exe 35 PID 2960 wrote to memory of 2520 2960 Ifdiijpe.exe 36 PID 2960 wrote to memory of 2520 2960 Ifdiijpe.exe 36 PID 2960 wrote to memory of 2520 2960 Ifdiijpe.exe 36 PID 2960 wrote to memory of 2520 2960 Ifdiijpe.exe 36 PID 2520 wrote to memory of 1576 2520 Inkakhpg.exe 37 PID 2520 wrote to memory of 1576 2520 Inkakhpg.exe 37 PID 2520 wrote to memory of 1576 2520 Inkakhpg.exe 37 PID 2520 wrote to memory of 1576 2520 Inkakhpg.exe 37 PID 1576 wrote to memory of 1308 1576 Iolmbpfe.exe 38 PID 1576 wrote to memory of 1308 1576 Iolmbpfe.exe 38 PID 1576 wrote to memory of 1308 1576 Iolmbpfe.exe 38 PID 1576 wrote to memory of 1308 1576 Iolmbpfe.exe 38 PID 1308 wrote to memory of 2804 1308 Igcecmfg.exe 39 PID 1308 wrote to memory of 2804 1308 Igcecmfg.exe 39 PID 1308 wrote to memory of 2804 1308 Igcecmfg.exe 39 PID 1308 wrote to memory of 2804 1308 Igcecmfg.exe 39 PID 2804 wrote to memory of 1556 2804 Iidbke32.exe 40 PID 2804 wrote to memory of 1556 2804 Iidbke32.exe 40 PID 2804 wrote to memory of 1556 2804 Iidbke32.exe 40 PID 2804 wrote to memory of 1556 2804 Iidbke32.exe 40 PID 1556 wrote to memory of 2924 1556 Icjfhn32.exe 41 PID 1556 wrote to memory of 2924 1556 Icjfhn32.exe 41 PID 1556 wrote to memory of 2924 1556 Icjfhn32.exe 41 PID 1556 wrote to memory of 2924 1556 Icjfhn32.exe 41 PID 2924 wrote to memory of 2052 2924 Ifhbdj32.exe 42 PID 2924 wrote to memory of 2052 2924 Ifhbdj32.exe 42 PID 2924 wrote to memory of 2052 2924 Ifhbdj32.exe 42 PID 2924 wrote to memory of 2052 2924 Ifhbdj32.exe 42 PID 2052 wrote to memory of 324 2052 Iigoqe32.exe 43 PID 2052 wrote to memory of 324 2052 Iigoqe32.exe 43 PID 2052 wrote to memory of 324 2052 Iigoqe32.exe 43 PID 2052 wrote to memory of 324 2052 Iigoqe32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2a9b15eb1b06f2ffb2c454c95aef2370_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Hhioga32.exeC:\Windows\system32\Hhioga32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Ifdiijpe.exeC:\Windows\system32\Ifdiijpe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Igcecmfg.exeC:\Windows\system32\Igcecmfg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Ifhbdj32.exeC:\Windows\system32\Ifhbdj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Ibapoj32.exeC:\Windows\system32\Ibapoj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe33⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe34⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe35⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe36⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe38⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe39⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe41⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe42⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe44⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe45⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe46⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe47⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe49⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe50⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe55⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe57⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe58⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe60⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe63⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe65⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe67⤵PID:1664
-
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe68⤵PID:1132
-
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe69⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe70⤵PID:804
-
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe71⤵PID:1696
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe72⤵PID:2972
-
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe73⤵PID:2576
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe74⤵PID:2448
-
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe75⤵PID:2188
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe76⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe77⤵PID:1208
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe78⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe79⤵PID:2936
-
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe80⤵PID:1956
-
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe81⤵PID:1236
-
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe82⤵PID:1304
-
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe83⤵PID:1972
-
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe84⤵PID:2928
-
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe85⤵PID:1844
-
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe86⤵PID:848
-
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe88⤵PID:2556
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe89⤵PID:2604
-
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe90⤵PID:2464
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe91⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe93⤵PID:1264
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe94⤵PID:2764
-
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe95⤵
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe96⤵PID:2116
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe97⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe98⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe99⤵PID:1060
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe100⤵PID:2976
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe101⤵PID:2044
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe102⤵PID:2336
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe103⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe104⤵PID:2728
-
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe105⤵PID:2504
-
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe106⤵PID:952
-
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe107⤵PID:2688
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe108⤵PID:380
-
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe109⤵PID:1776
-
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe110⤵PID:684
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe111⤵PID:1916
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe112⤵
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe113⤵PID:2892
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe114⤵PID:2664
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe116⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe117⤵PID:2672
-
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe118⤵PID:2968
-
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe119⤵
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe120⤵PID:1788
-
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe121⤵
- Drops file in System32 directory
PID:1996
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-