Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
17/06/2024, 08:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe
-
Size
1.5MB
-
MD5
6dacfaa0d4b50c93fc51ec572129af00
-
SHA1
cbc82acbe78714d3479cb0c5c6a177c4b5057ed5
-
SHA256
0c5e4d4dc5bd3a6f6e027da10f77826fee8bae6068bf4a060b94440670287a52
-
SHA512
e1349e36f4c25221f17371340e6b4844ae6234427463efacdd1fe522cefc7ed3bb4118802311b65adfb82a2db91d20fda4289f1a376012642d809ab47c8b21c2
-
SSDEEP
24576:Zo3x1T4Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWtec+fwv4cV:Zyx4bazR0vKLXZnec+Yv4cXcy6l6mFno
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnbablo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fckjalhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfqjbli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojahnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdeeqehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqbaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feeiob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlkepi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmfkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhpfqama.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogblbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibbcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjenhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mggpgmof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhimnma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chpmpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlkepi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeeqehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlidb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glaoalkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caknol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpbheh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghfbqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meagci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djklnnaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mijfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe -
Executes dropped EXE 64 IoCs
pid Process 2188 Ahakmf32.exe 1216 Aalmklfi.exe 2160 Amejeljk.exe 2636 Bebkpn32.exe 2572 Balijo32.exe 2812 Bjijdadm.exe 2496 Cpeofk32.exe 2824 Cfeddafl.exe 1240 Cdlnkmha.exe 1528 Dflkdp32.exe 1908 Dcfdgiid.exe 2696 Dkmmhf32.exe 1660 Dnlidb32.exe 2680 Dqjepm32.exe 952 Dgdmmgpj.exe 676 Dfgmhd32.exe 612 Dmafennb.exe 1904 Doobajme.exe 2136 Dgfjbgmh.exe 2420 Eqonkmdh.exe 1808 Ebpkce32.exe 1440 Ekholjqg.exe 1132 Ebbgid32.exe 2284 Emhlfmgj.exe 2120 Efppoc32.exe 892 Elmigj32.exe 2132 Eajaoq32.exe 2216 Eloemi32.exe 3024 Ebinic32.exe 2168 Fckjalhj.exe 2708 Flabbihl.exe 2868 Fnpnndgp.exe 2476 Fejgko32.exe 2604 Fhhcgj32.exe 2452 Ffkcbgek.exe 2008 Fnbkddem.exe 1680 Faagpp32.exe 2024 Fdoclk32.exe 2332 Ffnphf32.exe 2304 Fmhheqje.exe 2536 Fdapak32.exe 1692 Ffpmnf32.exe 708 Fioija32.exe 1552 Flmefm32.exe 1084 Fddmgjpo.exe 2044 Feeiob32.exe 2360 Fiaeoang.exe 1700 Globlmmj.exe 1496 Gbijhg32.exe 2596 Ghfbqn32.exe 2576 Glaoalkh.exe 2516 Gbkgnfbd.exe 2800 Gejcjbah.exe 1204 Gieojq32.exe 2016 Gkgkbipp.exe 2248 Gobgcg32.exe 948 Gaqcoc32.exe 1532 Gdopkn32.exe 1628 Gkihhhnm.exe 2128 Goddhg32.exe 2936 Geolea32.exe 1596 Gdamqndn.exe 3048 Ggpimica.exe 816 Gogangdc.exe -
Loads dropped DLL 64 IoCs
pid Process 3060 6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe 3060 6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe 2188 Ahakmf32.exe 2188 Ahakmf32.exe 1216 Aalmklfi.exe 1216 Aalmklfi.exe 2160 Amejeljk.exe 2160 Amejeljk.exe 2636 Bebkpn32.exe 2636 Bebkpn32.exe 2572 Balijo32.exe 2572 Balijo32.exe 2812 Bjijdadm.exe 2812 Bjijdadm.exe 2496 Cpeofk32.exe 2496 Cpeofk32.exe 2824 Cfeddafl.exe 2824 Cfeddafl.exe 1240 Cdlnkmha.exe 1240 Cdlnkmha.exe 1528 Dflkdp32.exe 1528 Dflkdp32.exe 1908 Dcfdgiid.exe 1908 Dcfdgiid.exe 2696 Dkmmhf32.exe 2696 Dkmmhf32.exe 1660 Dnlidb32.exe 1660 Dnlidb32.exe 2680 Dqjepm32.exe 2680 Dqjepm32.exe 952 Dgdmmgpj.exe 952 Dgdmmgpj.exe 676 Dfgmhd32.exe 676 Dfgmhd32.exe 612 Dmafennb.exe 612 Dmafennb.exe 1904 Doobajme.exe 1904 Doobajme.exe 2136 Dgfjbgmh.exe 2136 Dgfjbgmh.exe 2420 Eqonkmdh.exe 2420 Eqonkmdh.exe 1808 Ebpkce32.exe 1808 Ebpkce32.exe 1440 Ekholjqg.exe 1440 Ekholjqg.exe 1132 Ebbgid32.exe 1132 Ebbgid32.exe 2284 Emhlfmgj.exe 2284 Emhlfmgj.exe 2120 Efppoc32.exe 2120 Efppoc32.exe 892 Elmigj32.exe 892 Elmigj32.exe 2132 Eajaoq32.exe 2132 Eajaoq32.exe 2216 Eloemi32.exe 2216 Eloemi32.exe 3024 Ebinic32.exe 3024 Ebinic32.exe 2168 Fckjalhj.exe 2168 Fckjalhj.exe 2708 Flabbihl.exe 2708 Flabbihl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kkgmgmfd.exe Kihqkagp.exe File created C:\Windows\SysWOW64\Heldepab.dll Obojhlbq.exe File opened for modification C:\Windows\SysWOW64\Edpmjj32.exe Emieil32.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Ahakmf32.exe File opened for modification C:\Windows\SysWOW64\Ldidkbpb.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Cddaphkn.exe Cnkicn32.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Cojema32.exe File created C:\Windows\SysWOW64\Ngpolo32.exe Ndbcpd32.exe File opened for modification C:\Windows\SysWOW64\Echfaf32.exe Eqijej32.exe File created C:\Windows\SysWOW64\Nefpnhlc.exe Nolhan32.exe File opened for modification C:\Windows\SysWOW64\Nefpnhlc.exe Nolhan32.exe File created C:\Windows\SysWOW64\Cmeidehe.dll Nocnbmoo.exe File created C:\Windows\SysWOW64\Jbllihbf.exe Jonplmcb.exe File opened for modification C:\Windows\SysWOW64\Eqgnokip.exe Enhacojl.exe File created C:\Windows\SysWOW64\Echfaf32.exe Eqijej32.exe File created C:\Windows\SysWOW64\Flabbihl.exe Fckjalhj.exe File created C:\Windows\SysWOW64\Hjhhocjj.exe Hcnpbi32.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Oikojfgk.exe File created C:\Windows\SysWOW64\Pnomcl32.exe Pkpagq32.exe File opened for modification C:\Windows\SysWOW64\Egllae32.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Ffkcbgek.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Dglhipbb.dll Kbqecg32.exe File created C:\Windows\SysWOW64\Hlhaqogk.exe Henidd32.exe File created C:\Windows\SysWOW64\Kndcpj32.dll Piphee32.exe File created C:\Windows\SysWOW64\Kfommp32.dll Pamiog32.exe File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe Dgdmmgpj.exe File opened for modification C:\Windows\SysWOW64\Henidd32.exe Hodpgjha.exe File created C:\Windows\SysWOW64\Nhlhki32.dll Kfegbj32.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Papfegmk.exe File created C:\Windows\SysWOW64\Pacmbbii.dll Ifcbodli.exe File created C:\Windows\SysWOW64\Icmlam32.exe Iblpjdpk.exe File created C:\Windows\SysWOW64\Bhkdeggl.exe Bemgilhh.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Fnpnndgp.exe File opened for modification C:\Windows\SysWOW64\Lhpfqama.exe Lafndg32.exe File created C:\Windows\SysWOW64\Kihqkagp.exe Jbnhng32.exe File opened for modification C:\Windows\SysWOW64\Ejkima32.exe Egllae32.exe File opened for modification C:\Windows\SysWOW64\Hgbebiao.exe Gphmeo32.exe File created C:\Windows\SysWOW64\Klaoplan.dll Jbllihbf.exe File created C:\Windows\SysWOW64\Fqmmidel.dll Mggpgmof.exe File created C:\Windows\SysWOW64\Lfnjef32.dll Endhhp32.exe File created C:\Windows\SysWOW64\Bhpdae32.dll Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Kafbec32.exe Kjljhjkl.exe File created C:\Windows\SysWOW64\Qimhoi32.exe Qbcpbo32.exe File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe Hcnpbi32.exe File created C:\Windows\SysWOW64\Nhdlkdkg.exe Nefpnhlc.exe File created C:\Windows\SysWOW64\Hmlnoc32.exe Hgbebiao.exe File created C:\Windows\SysWOW64\Oonafa32.exe Olpdjf32.exe File opened for modification C:\Windows\SysWOW64\Cdlnkmha.exe Cfeddafl.exe File created C:\Windows\SysWOW64\Cfmepigc.dll Kjljhjkl.exe File created C:\Windows\SysWOW64\Kncphpjl.dll Dfffnn32.exe File created C:\Windows\SysWOW64\Lgahch32.dll Fnbkddem.exe File created C:\Windows\SysWOW64\Goddhg32.exe Gkihhhnm.exe File created C:\Windows\SysWOW64\Kmaled32.exe Kfgdhjmk.exe File created C:\Windows\SysWOW64\Ifjeknjd.dll Abjebn32.exe File created C:\Windows\SysWOW64\Dinhacjp.dll Eqbddk32.exe File created C:\Windows\SysWOW64\Khknah32.dll Effcma32.exe File created C:\Windows\SysWOW64\Elmigj32.exe Efppoc32.exe File created C:\Windows\SysWOW64\Kahojc32.exe Kjnfniii.exe File created C:\Windows\SysWOW64\Geolea32.exe Goddhg32.exe File created C:\Windows\SysWOW64\Ehkhilpb.dll Ndkmpe32.exe File created C:\Windows\SysWOW64\Nejiih32.exe Noqamn32.exe File opened for modification C:\Windows\SysWOW64\Pflomnkb.exe Pcnbablo.exe File created C:\Windows\SysWOW64\Ccnnibig.dll Albjlcao.exe File created C:\Windows\SysWOW64\Bbjbaa32.exe Bpleef32.exe -
Program crash 1 IoCs
pid pid_target Process 5260 5236 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfhengk.dll" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcihlong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbelgood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnbefhd.dll" Njlockkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpnbkeld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmccf32.dll" Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnhde32.dll" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll" Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Caknol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlepd32.dll" Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneqdoee.dll" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnlkbne.dll" Lbeknj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okikfagn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhqkpcf.dll" Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljdpbcc.dll" Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapiomln.dll" Jgnamk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll" Goddhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpbefoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhiffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcnbablo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bafidiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekholjqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aekodi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dflkdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jonplmcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfgdhjmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjndgdk.dll" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjljhjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egahmk32.dll" Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnhccm32.dll" Bbokmqie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdkpbk32.dll" Mamddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jqdipqbp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3060 wrote to memory of 2188 3060 6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe 28 PID 3060 wrote to memory of 2188 3060 6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe 28 PID 3060 wrote to memory of 2188 3060 6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe 28 PID 3060 wrote to memory of 2188 3060 6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe 28 PID 2188 wrote to memory of 1216 2188 Ahakmf32.exe 29 PID 2188 wrote to memory of 1216 2188 Ahakmf32.exe 29 PID 2188 wrote to memory of 1216 2188 Ahakmf32.exe 29 PID 2188 wrote to memory of 1216 2188 Ahakmf32.exe 29 PID 1216 wrote to memory of 2160 1216 Aalmklfi.exe 30 PID 1216 wrote to memory of 2160 1216 Aalmklfi.exe 30 PID 1216 wrote to memory of 2160 1216 Aalmklfi.exe 30 PID 1216 wrote to memory of 2160 1216 Aalmklfi.exe 30 PID 2160 wrote to memory of 2636 2160 Amejeljk.exe 31 PID 2160 wrote to memory of 2636 2160 Amejeljk.exe 31 PID 2160 wrote to memory of 2636 2160 Amejeljk.exe 31 PID 2160 wrote to memory of 2636 2160 Amejeljk.exe 31 PID 2636 wrote to memory of 2572 2636 Bebkpn32.exe 32 PID 2636 wrote to memory of 2572 2636 Bebkpn32.exe 32 PID 2636 wrote to memory of 2572 2636 Bebkpn32.exe 32 PID 2636 wrote to memory of 2572 2636 Bebkpn32.exe 32 PID 2572 wrote to memory of 2812 2572 Balijo32.exe 33 PID 2572 wrote to memory of 2812 2572 Balijo32.exe 33 PID 2572 wrote to memory of 2812 2572 Balijo32.exe 33 PID 2572 wrote to memory of 2812 2572 Balijo32.exe 33 PID 2812 wrote to memory of 2496 2812 Bjijdadm.exe 34 PID 2812 wrote to memory of 2496 2812 Bjijdadm.exe 34 PID 2812 wrote to memory of 2496 2812 Bjijdadm.exe 34 PID 2812 wrote to memory of 2496 2812 Bjijdadm.exe 34 PID 2496 wrote to memory of 2824 2496 Cpeofk32.exe 35 PID 2496 wrote to memory of 2824 2496 Cpeofk32.exe 35 PID 2496 wrote to memory of 2824 2496 Cpeofk32.exe 35 PID 2496 wrote to memory of 2824 2496 Cpeofk32.exe 35 PID 2824 wrote to memory of 1240 2824 Cfeddafl.exe 36 PID 2824 wrote to memory of 1240 2824 Cfeddafl.exe 36 PID 2824 wrote to memory of 1240 2824 Cfeddafl.exe 36 PID 2824 wrote to memory of 1240 2824 Cfeddafl.exe 36 PID 1240 wrote to memory of 1528 1240 Cdlnkmha.exe 37 PID 1240 wrote to memory of 1528 1240 Cdlnkmha.exe 37 PID 1240 wrote to memory of 1528 1240 Cdlnkmha.exe 37 PID 1240 wrote to memory of 1528 1240 Cdlnkmha.exe 37 PID 1528 wrote to memory of 1908 1528 Dflkdp32.exe 38 PID 1528 wrote to memory of 1908 1528 Dflkdp32.exe 38 PID 1528 wrote to memory of 1908 1528 Dflkdp32.exe 38 PID 1528 wrote to memory of 1908 1528 Dflkdp32.exe 38 PID 1908 wrote to memory of 2696 1908 Dcfdgiid.exe 39 PID 1908 wrote to memory of 2696 1908 Dcfdgiid.exe 39 PID 1908 wrote to memory of 2696 1908 Dcfdgiid.exe 39 PID 1908 wrote to memory of 2696 1908 Dcfdgiid.exe 39 PID 2696 wrote to memory of 1660 2696 Dkmmhf32.exe 40 PID 2696 wrote to memory of 1660 2696 Dkmmhf32.exe 40 PID 2696 wrote to memory of 1660 2696 Dkmmhf32.exe 40 PID 2696 wrote to memory of 1660 2696 Dkmmhf32.exe 40 PID 1660 wrote to memory of 2680 1660 Dnlidb32.exe 41 PID 1660 wrote to memory of 2680 1660 Dnlidb32.exe 41 PID 1660 wrote to memory of 2680 1660 Dnlidb32.exe 41 PID 1660 wrote to memory of 2680 1660 Dnlidb32.exe 41 PID 2680 wrote to memory of 952 2680 Dqjepm32.exe 42 PID 2680 wrote to memory of 952 2680 Dqjepm32.exe 42 PID 2680 wrote to memory of 952 2680 Dqjepm32.exe 42 PID 2680 wrote to memory of 952 2680 Dqjepm32.exe 42 PID 952 wrote to memory of 676 952 Dgdmmgpj.exe 43 PID 952 wrote to memory of 676 952 Dgdmmgpj.exe 43 PID 952 wrote to memory of 676 952 Dgdmmgpj.exe 43 PID 952 wrote to memory of 676 952 Dgdmmgpj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6dacfaa0d4b50c93fc51ec572129af00_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe34⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe36⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe39⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe41⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe42⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe44⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe46⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe48⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe49⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe53⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe54⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe58⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe59⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe62⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe64⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe65⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe66⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe68⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe69⤵PID:1064
-
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe70⤵PID:536
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe71⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe72⤵PID:864
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe73⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe74⤵PID:2904
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe75⤵PID:2700
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe76⤵PID:2988
-
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe77⤵
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe78⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe80⤵
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe81⤵
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe82⤵PID:2404
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe83⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe84⤵PID:2864
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe85⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe86⤵PID:3000
-
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe87⤵PID:2684
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe88⤵PID:1872
-
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe89⤵PID:2328
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe90⤵PID:1924
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe91⤵
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe92⤵PID:2744
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe93⤵PID:3032
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe95⤵
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe96⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe97⤵PID:2484
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe98⤵
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe99⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe100⤵PID:2424
-
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe101⤵PID:2548
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe102⤵PID:1060
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe103⤵PID:616
-
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2912 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe105⤵PID:748
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe106⤵PID:2500
-
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe108⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe109⤵PID:376
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe110⤵PID:2456
-
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe111⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe113⤵PID:3076
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe114⤵
- Drops file in System32 directory
PID:3132 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe115⤵PID:3184
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:3236 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe117⤵PID:3284
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3332 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe119⤵
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe120⤵PID:3448
-
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe121⤵PID:3504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-