Analysis
-
max time kernel
145s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17/06/2024, 06:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe
-
Size
145KB
-
MD5
5b1c0fbba05ea247b9d2137c0f422c80
-
SHA1
46b446bbbd8f3459a3a8360ca500491d855631e2
-
SHA256
72bb4a30c8859dd6aee4d6dd22f8ebb911f6886e70027b720724247f0473c823
-
SHA512
1c1e54122059b52ff11155861e6e03719fd242c5900ca206a70a36b80a31e6dbd43eb618739b9f586cc51ddb844e2cb23f049dea66b1a635a6e146060c45714d
-
SSDEEP
3072:u6LRZS5u9bLl64p1+qD3pFBEV52Ae5aFnVB:hLRZSE5l64p1+c5Id
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgfqaiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kohkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhhfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iompkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Magqncba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikddbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gebbnpfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenbpec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hedocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgpjanje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkdkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anccmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egafleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meijhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chpmpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjclbdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmgcohn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Libicbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meppiblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcbllb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiqpop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbhke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffhpbacb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabbhcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfqaiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoegl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcampgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlqdei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfjbdle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hknach32.exe -
Executes dropped EXE 64 IoCs
pid Process 2192 Gbkgnfbd.exe 2568 Gldkfl32.exe 2660 Gkgkbipp.exe 2576 Gacpdbej.exe 2632 Ghmiam32.exe 2492 Ghoegl32.exe 2248 Hknach32.exe 2780 Hpkjko32.exe 2980 Hnojdcfi.exe 2448 Hejoiedd.exe 892 Hlcgeo32.exe 1756 Hcnpbi32.exe 1488 Hpapln32.exe 1536 Hjjddchg.exe 1156 Ieqeidnl.exe 2292 Iknnbklc.exe 620 Iokfhi32.exe 416 Iajcde32.exe 1712 Iggkllpe.exe 1556 Ikddbj32.exe 1628 Imfqjbli.exe 1624 Jqdipqbp.exe 2180 Jcbellac.exe 1760 Jfqahgpg.exe 1948 Jjojofgn.exe 1308 Jonplmcb.exe 1612 Jnqphi32.exe 3052 Kihqkagp.exe 2600 Kkgmgmfd.exe 2864 Kkijmm32.exe 2596 Kngfih32.exe 2624 Kgpjanje.exe 2532 Kpkofpgq.exe 1804 Kgbggnhc.exe 2640 Kblhgk32.exe 2928 Kjcpii32.exe 1732 Lpphap32.exe 388 Lfjqnjkh.exe 1720 Lmcijcbe.exe 1560 Lbqabkql.exe 1640 Lhmjkaoc.exe 2316 Lojomkdn.exe 2344 Lbeknj32.exe 2880 Lollckbk.exe 1564 Ldidkbpb.exe 1132 Mmahdggc.exe 1648 Mdkqqa32.exe 1404 Mdmmfa32.exe 1240 Mbpnanch.exe 2172 Mmfbogcn.exe 2372 Mcbjgn32.exe 1740 Meagci32.exe 2000 Mlkopcge.exe 2836 Moiklogi.exe 2552 Miooigfo.exe 2080 Mpigfa32.exe 2736 Ncgdbmmp.exe 2464 Nialog32.exe 2240 Nlphkb32.exe 2712 Ncjqhmkm.exe 2996 Nhfipcid.exe 2348 Noqamn32.exe 848 Nejiih32.exe 2688 Nhiffc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2208 5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe 2208 5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe 2192 Gbkgnfbd.exe 2192 Gbkgnfbd.exe 2568 Gldkfl32.exe 2568 Gldkfl32.exe 2660 Gkgkbipp.exe 2660 Gkgkbipp.exe 2576 Gacpdbej.exe 2576 Gacpdbej.exe 2632 Ghmiam32.exe 2632 Ghmiam32.exe 2492 Ghoegl32.exe 2492 Ghoegl32.exe 2248 Hknach32.exe 2248 Hknach32.exe 2780 Hpkjko32.exe 2780 Hpkjko32.exe 2980 Hnojdcfi.exe 2980 Hnojdcfi.exe 2448 Hejoiedd.exe 2448 Hejoiedd.exe 892 Hlcgeo32.exe 892 Hlcgeo32.exe 1756 Hcnpbi32.exe 1756 Hcnpbi32.exe 1488 Hpapln32.exe 1488 Hpapln32.exe 1536 Hjjddchg.exe 1536 Hjjddchg.exe 1156 Ieqeidnl.exe 1156 Ieqeidnl.exe 2292 Iknnbklc.exe 2292 Iknnbklc.exe 620 Iokfhi32.exe 620 Iokfhi32.exe 416 Iajcde32.exe 416 Iajcde32.exe 1712 Iggkllpe.exe 1712 Iggkllpe.exe 1556 Ikddbj32.exe 1556 Ikddbj32.exe 1628 Imfqjbli.exe 1628 Imfqjbli.exe 1624 Jqdipqbp.exe 1624 Jqdipqbp.exe 2180 Jcbellac.exe 2180 Jcbellac.exe 1760 Jfqahgpg.exe 1760 Jfqahgpg.exe 1948 Jjojofgn.exe 1948 Jjojofgn.exe 1308 Jonplmcb.exe 1308 Jonplmcb.exe 1612 Jnqphi32.exe 1612 Jnqphi32.exe 3052 Kihqkagp.exe 3052 Kihqkagp.exe 2600 Kkgmgmfd.exe 2600 Kkgmgmfd.exe 2864 Kkijmm32.exe 2864 Kkijmm32.exe 2596 Kngfih32.exe 2596 Kngfih32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mbkmlh32.exe Mpmapm32.exe File opened for modification C:\Windows\SysWOW64\Modkfi32.exe Mkhofjoj.exe File created C:\Windows\SysWOW64\Elonamqm.dll Mkmhaj32.exe File created C:\Windows\SysWOW64\Phccmbca.dll Amhpnkch.exe File created C:\Windows\SysWOW64\Blopagpd.dll Dccagcgk.exe File opened for modification C:\Windows\SysWOW64\Dhdcji32.exe Dfffnn32.exe File created C:\Windows\SysWOW64\Bohnbn32.dll Knmhgf32.exe File created C:\Windows\SysWOW64\Mmdcie32.dll Lmebnb32.exe File created C:\Windows\SysWOW64\Ohfeog32.exe Ogeigofa.exe File created C:\Windows\SysWOW64\Gohjaf32.exe Gljnej32.exe File created C:\Windows\SysWOW64\Lmikibio.exe Ljkomfjl.exe File created C:\Windows\SysWOW64\Nhkbkc32.exe Naajoinb.exe File created C:\Windows\SysWOW64\Bdbhke32.exe Amhpnkch.exe File opened for modification C:\Windows\SysWOW64\Flehkhai.exe Fmbhok32.exe File created C:\Windows\SysWOW64\Lnlmhpjh.dll Migbnb32.exe File created C:\Windows\SysWOW64\Mencccop.exe Modkfi32.exe File opened for modification C:\Windows\SysWOW64\Peiepfgg.exe Pmanoifd.exe File opened for modification C:\Windows\SysWOW64\Egjpkffe.exe Ehgppi32.exe File created C:\Windows\SysWOW64\Qbpbjelg.dll Gljnej32.exe File created C:\Windows\SysWOW64\Pdlbongd.dll Mencccop.exe File opened for modification C:\Windows\SysWOW64\Lcagpl32.exe Labkdack.exe File opened for modification C:\Windows\SysWOW64\Imfqjbli.exe Ikddbj32.exe File created C:\Windows\SysWOW64\Mbpnanch.exe Mdmmfa32.exe File opened for modification C:\Windows\SysWOW64\Mcbjgn32.exe Mmfbogcn.exe File created C:\Windows\SysWOW64\Igdaoinc.dll Aekodi32.exe File created C:\Windows\SysWOW64\Bdgafdfp.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Cfgcja32.dll Ffhpbacb.exe File created C:\Windows\SysWOW64\Mpjmjp32.dll Igakgfpn.exe File created C:\Windows\SysWOW64\Mdacop32.exe Mencccop.exe File created C:\Windows\SysWOW64\Fpmkde32.dll Gldkfl32.exe File created C:\Windows\SysWOW64\Hdnaeh32.dll Jnqphi32.exe File created C:\Windows\SysWOW64\Mpigfa32.exe Miooigfo.exe File created C:\Windows\SysWOW64\Piphee32.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Dfamcogo.exe Dccagcgk.exe File created C:\Windows\SysWOW64\Ohkgmi32.dll Mbpnanch.exe File created C:\Windows\SysWOW64\Ligkin32.dll Bmkmdk32.exe File created C:\Windows\SysWOW64\Cojema32.exe Chpmpg32.exe File created C:\Windows\SysWOW64\Dnoomqbg.exe Dolnad32.exe File created C:\Windows\SysWOW64\Mcblodlj.dll Jkoplhip.exe File opened for modification C:\Windows\SysWOW64\Ndjfeo32.exe Nlcnda32.exe File created C:\Windows\SysWOW64\Gjodeppm.dll Ldidkbpb.exe File opened for modification C:\Windows\SysWOW64\Pjhknm32.exe Pcnbablo.exe File created C:\Windows\SysWOW64\Dpiddoma.dll Cklmgb32.exe File opened for modification C:\Windows\SysWOW64\Cclkfdnc.exe Cpnojioo.exe File opened for modification C:\Windows\SysWOW64\Mdacop32.exe Mencccop.exe File created C:\Windows\SysWOW64\Gbcfadgl.exe Gohjaf32.exe File created C:\Windows\SysWOW64\Jqnejn32.exe Jmbiipml.exe File created C:\Windows\SysWOW64\Ihclng32.dll Kicmdo32.exe File opened for modification C:\Windows\SysWOW64\Lollckbk.exe Lbeknj32.exe File created C:\Windows\SysWOW64\Flojhn32.dll Ceodnl32.exe File opened for modification C:\Windows\SysWOW64\Heihnoph.exe Hoopae32.exe File created C:\Windows\SysWOW64\Biamilfj.exe Bfcampgf.exe File opened for modification C:\Windows\SysWOW64\Bppoqeja.exe Bldcpf32.exe File created C:\Windows\SysWOW64\Affcmdmb.dll Ebjglbml.exe File created C:\Windows\SysWOW64\Fagjnn32.exe Fjmaaddo.exe File created C:\Windows\SysWOW64\Hlngpjlj.exe Hedocp32.exe File opened for modification C:\Windows\SysWOW64\Jfnnha32.exe Jabbhcfe.exe File opened for modification C:\Windows\SysWOW64\Labkdack.exe Lndohedg.exe File created C:\Windows\SysWOW64\Ogeigofa.exe Oonafa32.exe File created C:\Windows\SysWOW64\Keefji32.dll Bmpfojmp.exe File created C:\Windows\SysWOW64\Lfmnmlid.dll Chpmpg32.exe File created C:\Windows\SysWOW64\Chbjffad.exe Cnmehnan.exe File created C:\Windows\SysWOW64\Bmdcpnkh.dll Fcefji32.exe File opened for modification C:\Windows\SysWOW64\Mkmhaj32.exe Mholen32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4420 4396 WerFault.exe 355 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinhacjp.dll" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll" Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnfbe32.dll" Kkgmgmfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdllkhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll" Meppiblm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gldkfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmianb32.dll" Gjfdhbld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gikaio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll" Mkmhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll" Dccagcgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmbhok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Albjlcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Cpnojioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkhnle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqqboncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcagpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnobnmpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffhpbacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjfjbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndohedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagbb32.dll" Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmjak32.dll" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojebabb.dll" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqmaqbm.dll" Jgfqaiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfahajeg.dll" Ikddbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmebnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll" Mhloponc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pciifc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igchlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhmjkaoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giieco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchnel32.dll" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgaleqmc.dll" Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgjfkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjifqd32.dll" Aidnohbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibijie32.dll" Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immfnjan.dll" Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmamaoln.dll" Hpgfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiemmk32.dll" Jfnnha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcipd32.dll" Kjifhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll" Kohkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehofegb.dll" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Migbnb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2192 2208 5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe 28 PID 2208 wrote to memory of 2192 2208 5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe 28 PID 2208 wrote to memory of 2192 2208 5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe 28 PID 2208 wrote to memory of 2192 2208 5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe 28 PID 2192 wrote to memory of 2568 2192 Gbkgnfbd.exe 29 PID 2192 wrote to memory of 2568 2192 Gbkgnfbd.exe 29 PID 2192 wrote to memory of 2568 2192 Gbkgnfbd.exe 29 PID 2192 wrote to memory of 2568 2192 Gbkgnfbd.exe 29 PID 2568 wrote to memory of 2660 2568 Gldkfl32.exe 30 PID 2568 wrote to memory of 2660 2568 Gldkfl32.exe 30 PID 2568 wrote to memory of 2660 2568 Gldkfl32.exe 30 PID 2568 wrote to memory of 2660 2568 Gldkfl32.exe 30 PID 2660 wrote to memory of 2576 2660 Gkgkbipp.exe 31 PID 2660 wrote to memory of 2576 2660 Gkgkbipp.exe 31 PID 2660 wrote to memory of 2576 2660 Gkgkbipp.exe 31 PID 2660 wrote to memory of 2576 2660 Gkgkbipp.exe 31 PID 2576 wrote to memory of 2632 2576 Gacpdbej.exe 32 PID 2576 wrote to memory of 2632 2576 Gacpdbej.exe 32 PID 2576 wrote to memory of 2632 2576 Gacpdbej.exe 32 PID 2576 wrote to memory of 2632 2576 Gacpdbej.exe 32 PID 2632 wrote to memory of 2492 2632 Ghmiam32.exe 33 PID 2632 wrote to memory of 2492 2632 Ghmiam32.exe 33 PID 2632 wrote to memory of 2492 2632 Ghmiam32.exe 33 PID 2632 wrote to memory of 2492 2632 Ghmiam32.exe 33 PID 2492 wrote to memory of 2248 2492 Ghoegl32.exe 34 PID 2492 wrote to memory of 2248 2492 Ghoegl32.exe 34 PID 2492 wrote to memory of 2248 2492 Ghoegl32.exe 34 PID 2492 wrote to memory of 2248 2492 Ghoegl32.exe 34 PID 2248 wrote to memory of 2780 2248 Hknach32.exe 35 PID 2248 wrote to memory of 2780 2248 Hknach32.exe 35 PID 2248 wrote to memory of 2780 2248 Hknach32.exe 35 PID 2248 wrote to memory of 2780 2248 Hknach32.exe 35 PID 2780 wrote to memory of 2980 2780 Hpkjko32.exe 36 PID 2780 wrote to memory of 2980 2780 Hpkjko32.exe 36 PID 2780 wrote to memory of 2980 2780 Hpkjko32.exe 36 PID 2780 wrote to memory of 2980 2780 Hpkjko32.exe 36 PID 2980 wrote to memory of 2448 2980 Hnojdcfi.exe 37 PID 2980 wrote to memory of 2448 2980 Hnojdcfi.exe 37 PID 2980 wrote to memory of 2448 2980 Hnojdcfi.exe 37 PID 2980 wrote to memory of 2448 2980 Hnojdcfi.exe 37 PID 2448 wrote to memory of 892 2448 Hejoiedd.exe 38 PID 2448 wrote to memory of 892 2448 Hejoiedd.exe 38 PID 2448 wrote to memory of 892 2448 Hejoiedd.exe 38 PID 2448 wrote to memory of 892 2448 Hejoiedd.exe 38 PID 892 wrote to memory of 1756 892 Hlcgeo32.exe 39 PID 892 wrote to memory of 1756 892 Hlcgeo32.exe 39 PID 892 wrote to memory of 1756 892 Hlcgeo32.exe 39 PID 892 wrote to memory of 1756 892 Hlcgeo32.exe 39 PID 1756 wrote to memory of 1488 1756 Hcnpbi32.exe 40 PID 1756 wrote to memory of 1488 1756 Hcnpbi32.exe 40 PID 1756 wrote to memory of 1488 1756 Hcnpbi32.exe 40 PID 1756 wrote to memory of 1488 1756 Hcnpbi32.exe 40 PID 1488 wrote to memory of 1536 1488 Hpapln32.exe 41 PID 1488 wrote to memory of 1536 1488 Hpapln32.exe 41 PID 1488 wrote to memory of 1536 1488 Hpapln32.exe 41 PID 1488 wrote to memory of 1536 1488 Hpapln32.exe 41 PID 1536 wrote to memory of 1156 1536 Hjjddchg.exe 42 PID 1536 wrote to memory of 1156 1536 Hjjddchg.exe 42 PID 1536 wrote to memory of 1156 1536 Hjjddchg.exe 42 PID 1536 wrote to memory of 1156 1536 Hjjddchg.exe 42 PID 1156 wrote to memory of 2292 1156 Ieqeidnl.exe 43 PID 1156 wrote to memory of 2292 1156 Ieqeidnl.exe 43 PID 1156 wrote to memory of 2292 1156 Ieqeidnl.exe 43 PID 1156 wrote to memory of 2292 1156 Ieqeidnl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5b1c0fbba05ea247b9d2137c0f422c80_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:416 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe34⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe35⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Kblhgk32.exeC:\Windows\system32\Kblhgk32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe37⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Lpphap32.exeC:\Windows\system32\Lpphap32.exe38⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe39⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe40⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe41⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe43⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe45⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe47⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe48⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe52⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe53⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe54⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe55⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe57⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe60⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe61⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe62⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe63⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe64⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe65⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe66⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe67⤵PID:1652
-
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe68⤵PID:856
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe69⤵PID:1444
-
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1256 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe71⤵
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe72⤵PID:2184
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe73⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe74⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe75⤵PID:1272
-
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe76⤵PID:1360
-
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe77⤵
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe78⤵PID:1588
-
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe79⤵PID:3048
-
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe80⤵PID:2468
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe81⤵PID:2732
-
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe82⤵PID:2252
-
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe83⤵PID:1932
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe84⤵
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe85⤵
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe86⤵PID:2704
-
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe87⤵
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe88⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe89⤵PID:852
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe90⤵PID:1524
-
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe93⤵PID:1736
-
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe94⤵PID:2604
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe95⤵PID:2776
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe96⤵PID:2516
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe99⤵PID:2004
-
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe100⤵
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe102⤵PID:3068
-
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe104⤵PID:2784
-
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe105⤵PID:2264
-
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe106⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe107⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe108⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe109⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe110⤵PID:2944
-
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe112⤵PID:2988
-
C:\Windows\SysWOW64\Adpkee32.exeC:\Windows\system32\Adpkee32.exe113⤵PID:1984
-
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe114⤵PID:1960
-
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe115⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe117⤵PID:2528
-
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe119⤵PID:2876
-
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe121⤵PID:2424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-