Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
19/06/2024, 22:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe
-
Size
64KB
-
MD5
e63e0004c2a4df7d2ae74f3a0dd57090
-
SHA1
a318a5f6dd49fc7b87b7821de5f20c4204b92089
-
SHA256
117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172
-
SHA512
59fa77861f87125720dc0f1ce0c6a97d7f77d2da52188e73a19c91a50c970b8280cf919bfa65e414d51fa45aee3804464e7ad888a3af0544fe26f38ba4e55409
-
SSDEEP
1536:OzhyKZFlOauJvJ3u/12M3w9EHg60UYoxXUwXfzwv:GsmsK/I+Hj0DolPzwv
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnqphi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moiklogi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdjje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naoniipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anojbobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeeqehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebmgcohn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpigfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najdnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknekeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbdna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqelenlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjqccigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papfegmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmhdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdadamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmopod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkkalk32.exe -
Executes dropped EXE 64 IoCs
pid Process 1708 Pbpjiphi.exe 2764 Pijbfj32.exe 2540 Qnfjna32.exe 2792 Qaefjm32.exe 2928 Qdccfh32.exe 2316 Qljkhe32.exe 2464 Qmlgonbe.exe 2996 Qecoqk32.exe 320 Ahakmf32.exe 1732 Ankdiqih.exe 1200 Aplpai32.exe 1608 Ahchbf32.exe 2420 Ajbdna32.exe 2076 Ampqjm32.exe 308 Adjigg32.exe 2036 Abmibdlh.exe 1472 Ajdadamj.exe 1360 Ambmpmln.exe 1860 Admemg32.exe 2904 Abpfhcje.exe 688 Aiinen32.exe 1776 Amejeljk.exe 1952 Aoffmd32.exe 1048 Afmonbqk.exe 2056 Aepojo32.exe 2040 Ailkjmpo.exe 3000 Bbdocc32.exe 2252 Bagpopmj.exe 2588 Bhahlj32.exe 2676 Bkodhe32.exe 2592 Beehencq.exe 2484 Bloqah32.exe 2508 Bnpmipql.exe 3060 Begeknan.exe 1840 Bghabf32.exe 1616 Bkdmcdoe.exe 1784 Banepo32.exe 2492 Bdlblj32.exe 2172 Bkfjhd32.exe 1424 Bnefdp32.exe 1828 Baqbenep.exe 2264 Cgmkmecg.exe 908 Cngcjo32.exe 1496 Cpeofk32.exe 840 Cdakgibq.exe 2412 Ccdlbf32.exe 1540 Cjndop32.exe 1756 Cphlljge.exe 2336 Ccfhhffh.exe 2008 Cgbdhd32.exe 2312 Cjpqdp32.exe 2016 Clomqk32.exe 2584 Cpjiajeb.exe 2136 Cciemedf.exe 1816 Cbkeib32.exe 2480 Cfgaiaci.exe 1800 Cjbmjplb.exe 944 Chemfl32.exe 328 Claifkkf.exe 1628 Copfbfjj.exe 2244 Cckace32.exe 2756 Cckace32.exe 2132 Cbnbobin.exe 540 Cdlnkmha.exe -
Loads dropped DLL 64 IoCs
pid Process 1848 117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe 1848 117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe 1708 Pbpjiphi.exe 1708 Pbpjiphi.exe 2764 Pijbfj32.exe 2764 Pijbfj32.exe 2540 Qnfjna32.exe 2540 Qnfjna32.exe 2792 Qaefjm32.exe 2792 Qaefjm32.exe 2928 Qdccfh32.exe 2928 Qdccfh32.exe 2316 Qljkhe32.exe 2316 Qljkhe32.exe 2464 Qmlgonbe.exe 2464 Qmlgonbe.exe 2996 Qecoqk32.exe 2996 Qecoqk32.exe 320 Ahakmf32.exe 320 Ahakmf32.exe 1732 Ankdiqih.exe 1732 Ankdiqih.exe 1200 Aplpai32.exe 1200 Aplpai32.exe 1608 Ahchbf32.exe 1608 Ahchbf32.exe 2420 Ajbdna32.exe 2420 Ajbdna32.exe 2076 Ampqjm32.exe 2076 Ampqjm32.exe 308 Adjigg32.exe 308 Adjigg32.exe 2036 Abmibdlh.exe 2036 Abmibdlh.exe 1472 Ajdadamj.exe 1472 Ajdadamj.exe 1360 Ambmpmln.exe 1360 Ambmpmln.exe 1860 Admemg32.exe 1860 Admemg32.exe 2904 Abpfhcje.exe 2904 Abpfhcje.exe 688 Aiinen32.exe 688 Aiinen32.exe 1776 Amejeljk.exe 1776 Amejeljk.exe 1952 Aoffmd32.exe 1952 Aoffmd32.exe 1048 Afmonbqk.exe 1048 Afmonbqk.exe 2056 Aepojo32.exe 2056 Aepojo32.exe 2040 Ailkjmpo.exe 2040 Ailkjmpo.exe 3000 Bbdocc32.exe 3000 Bbdocc32.exe 2252 Bagpopmj.exe 2252 Bagpopmj.exe 2588 Bhahlj32.exe 2588 Bhahlj32.exe 2676 Bkodhe32.exe 2676 Bkodhe32.exe 2592 Beehencq.exe 2592 Beehencq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cpjiajeb.exe Clomqk32.exe File created C:\Windows\SysWOW64\Jkdpanhg.exe Jgidao32.exe File created C:\Windows\SysWOW64\Ndmjedoi.exe Nejiih32.exe File created C:\Windows\SysWOW64\Bpleef32.exe Bmmiij32.exe File created C:\Windows\SysWOW64\Giaekk32.dll Bmmiij32.exe File created C:\Windows\SysWOW64\Bneqdoee.dll Ckjpacfp.exe File created C:\Windows\SysWOW64\Nglfapnl.exe Nhiffc32.exe File created C:\Windows\SysWOW64\Obojhlbq.exe Oclilp32.exe File created C:\Windows\SysWOW64\Cibcni32.dll Qdccfh32.exe File opened for modification C:\Windows\SysWOW64\Cjbmjplb.exe Cfgaiaci.exe File opened for modification C:\Windows\SysWOW64\Ahchbf32.exe Aplpai32.exe File created C:\Windows\SysWOW64\Ffpmnf32.exe Fdapak32.exe File opened for modification C:\Windows\SysWOW64\Kaceodek.exe Kbqecg32.exe File created C:\Windows\SysWOW64\Ccahbp32.exe Ckjpacfp.exe File created C:\Windows\SysWOW64\Ceaadk32.exe Cnkicn32.exe File created C:\Windows\SysWOW64\Eojnkg32.exe Eqgnokip.exe File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe Hknach32.exe File created C:\Windows\SysWOW64\Jjlcbpdk.dll Qjjgclai.exe File created C:\Windows\SysWOW64\Mdnfbe32.dll Kcbakpdo.exe File created C:\Windows\SysWOW64\Lfjqnjkh.exe Lckdanld.exe File created C:\Windows\SysWOW64\Ceodnl32.exe Cadhnmnm.exe File created C:\Windows\SysWOW64\Aepojo32.exe Afmonbqk.exe File created C:\Windows\SysWOW64\Ddcdkl32.exe Dqhhknjp.exe File created C:\Windows\SysWOW64\Jooclokl.dll Kmmcjehm.exe File opened for modification C:\Windows\SysWOW64\Ahakmf32.exe Qecoqk32.exe File opened for modification C:\Windows\SysWOW64\Kmopod32.exe Kjqccigf.exe File created C:\Windows\SysWOW64\Lbqabkql.exe Lpbefoai.exe File created C:\Windows\SysWOW64\Lhnffb32.dll Pkndaa32.exe File opened for modification C:\Windows\SysWOW64\Papfegmk.exe Pmdjdh32.exe File created C:\Windows\SysWOW64\Joliff32.dll Dlgldibq.exe File opened for modification C:\Windows\SysWOW64\Nialog32.exe Nefpnhlc.exe File created C:\Windows\SysWOW64\Fpgiom32.dll Bdeeqehb.exe File opened for modification C:\Windows\SysWOW64\Cnmehnan.exe Cojema32.exe File created C:\Windows\SysWOW64\Lhcecp32.dll Adjigg32.exe File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe Hgilchkf.exe File opened for modification C:\Windows\SysWOW64\Ldidkbpb.exe Lajhofao.exe File opened for modification C:\Windows\SysWOW64\Qbelgood.exe Qcbllb32.exe File opened for modification C:\Windows\SysWOW64\Amhpnkch.exe Aoepcn32.exe File created C:\Windows\SysWOW64\Iklgpmjo.dll Cgmkmecg.exe File created C:\Windows\SysWOW64\Faagpp32.exe Fmekoalh.exe File created C:\Windows\SysWOW64\Iecenlqh.dll Bfcampgf.exe File created C:\Windows\SysWOW64\Hgpdcgoc.dll Hlakpp32.exe File created C:\Windows\SysWOW64\Obafnlpn.exe Ocnfbo32.exe File opened for modification C:\Windows\SysWOW64\Baqbenep.exe Bnefdp32.exe File opened for modification C:\Windows\SysWOW64\Kkgmgmfd.exe Kihqkagp.exe File opened for modification C:\Windows\SysWOW64\Cnkicn32.exe Cohigamf.exe File opened for modification C:\Windows\SysWOW64\Cddaphkn.exe Ceaadk32.exe File opened for modification C:\Windows\SysWOW64\Effcma32.exe Echfaf32.exe File created C:\Windows\SysWOW64\Doobajme.exe Dmafennb.exe File opened for modification C:\Windows\SysWOW64\Eflgccbp.exe Epaogi32.exe File opened for modification C:\Windows\SysWOW64\Epdkli32.exe Ekholjqg.exe File opened for modification C:\Windows\SysWOW64\Kjljhjkl.exe Kkijmm32.exe File created C:\Windows\SysWOW64\Mlkopcge.exe Mmhodf32.exe File opened for modification C:\Windows\SysWOW64\Oclilp32.exe Oopnlacm.exe File created C:\Windows\SysWOW64\Cjndop32.exe Ccdlbf32.exe File opened for modification C:\Windows\SysWOW64\Dgfjbgmh.exe Doobajme.exe File opened for modification C:\Windows\SysWOW64\Bmmiij32.exe Biamilfj.exe File opened for modification C:\Windows\SysWOW64\Dojald32.exe Dknekeef.exe File opened for modification C:\Windows\SysWOW64\Qecoqk32.exe Qmlgonbe.exe File opened for modification C:\Windows\SysWOW64\Gkkemh32.exe Ggpimica.exe File created C:\Windows\SysWOW64\Copeil32.dll Jkbcln32.exe File opened for modification C:\Windows\SysWOW64\Dlgldibq.exe Djhphncm.exe File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe Dlgldibq.exe File created C:\Windows\SysWOW64\Gdopkn32.exe Gelppaof.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6288 6264 WerFault.exe 595 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djklnnaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" Hobcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfkke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnfbe32.dll" Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmefakc.dll" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbgljdk.dll" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnhbg32.dll" Ndmjedoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbikjlnd.dll" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonpde32.dll" Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjlnm32.dll" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll" Ekhhadmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojolhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjjddchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndbcpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll" Djhphncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhahlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfklng.dll" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqmmidel.dll" Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkng32.dll" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll" Gelppaof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaaoij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Keanebkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abjebn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpigfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Claifkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcmap32.dll" Lliflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjfccn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cadhnmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eplkpgnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flojhn32.dll" Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjqccigf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccfhhffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikddbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blbfjg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1848 wrote to memory of 1708 1848 117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe 28 PID 1848 wrote to memory of 1708 1848 117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe 28 PID 1848 wrote to memory of 1708 1848 117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe 28 PID 1848 wrote to memory of 1708 1848 117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe 28 PID 1708 wrote to memory of 2764 1708 Pbpjiphi.exe 29 PID 1708 wrote to memory of 2764 1708 Pbpjiphi.exe 29 PID 1708 wrote to memory of 2764 1708 Pbpjiphi.exe 29 PID 1708 wrote to memory of 2764 1708 Pbpjiphi.exe 29 PID 2764 wrote to memory of 2540 2764 Pijbfj32.exe 30 PID 2764 wrote to memory of 2540 2764 Pijbfj32.exe 30 PID 2764 wrote to memory of 2540 2764 Pijbfj32.exe 30 PID 2764 wrote to memory of 2540 2764 Pijbfj32.exe 30 PID 2540 wrote to memory of 2792 2540 Qnfjna32.exe 31 PID 2540 wrote to memory of 2792 2540 Qnfjna32.exe 31 PID 2540 wrote to memory of 2792 2540 Qnfjna32.exe 31 PID 2540 wrote to memory of 2792 2540 Qnfjna32.exe 31 PID 2792 wrote to memory of 2928 2792 Qaefjm32.exe 32 PID 2792 wrote to memory of 2928 2792 Qaefjm32.exe 32 PID 2792 wrote to memory of 2928 2792 Qaefjm32.exe 32 PID 2792 wrote to memory of 2928 2792 Qaefjm32.exe 32 PID 2928 wrote to memory of 2316 2928 Qdccfh32.exe 33 PID 2928 wrote to memory of 2316 2928 Qdccfh32.exe 33 PID 2928 wrote to memory of 2316 2928 Qdccfh32.exe 33 PID 2928 wrote to memory of 2316 2928 Qdccfh32.exe 33 PID 2316 wrote to memory of 2464 2316 Qljkhe32.exe 34 PID 2316 wrote to memory of 2464 2316 Qljkhe32.exe 34 PID 2316 wrote to memory of 2464 2316 Qljkhe32.exe 34 PID 2316 wrote to memory of 2464 2316 Qljkhe32.exe 34 PID 2464 wrote to memory of 2996 2464 Qmlgonbe.exe 35 PID 2464 wrote to memory of 2996 2464 Qmlgonbe.exe 35 PID 2464 wrote to memory of 2996 2464 Qmlgonbe.exe 35 PID 2464 wrote to memory of 2996 2464 Qmlgonbe.exe 35 PID 2996 wrote to memory of 320 2996 Qecoqk32.exe 36 PID 2996 wrote to memory of 320 2996 Qecoqk32.exe 36 PID 2996 wrote to memory of 320 2996 Qecoqk32.exe 36 PID 2996 wrote to memory of 320 2996 Qecoqk32.exe 36 PID 320 wrote to memory of 1732 320 Ahakmf32.exe 37 PID 320 wrote to memory of 1732 320 Ahakmf32.exe 37 PID 320 wrote to memory of 1732 320 Ahakmf32.exe 37 PID 320 wrote to memory of 1732 320 Ahakmf32.exe 37 PID 1732 wrote to memory of 1200 1732 Ankdiqih.exe 38 PID 1732 wrote to memory of 1200 1732 Ankdiqih.exe 38 PID 1732 wrote to memory of 1200 1732 Ankdiqih.exe 38 PID 1732 wrote to memory of 1200 1732 Ankdiqih.exe 38 PID 1200 wrote to memory of 1608 1200 Aplpai32.exe 39 PID 1200 wrote to memory of 1608 1200 Aplpai32.exe 39 PID 1200 wrote to memory of 1608 1200 Aplpai32.exe 39 PID 1200 wrote to memory of 1608 1200 Aplpai32.exe 39 PID 1608 wrote to memory of 2420 1608 Ahchbf32.exe 40 PID 1608 wrote to memory of 2420 1608 Ahchbf32.exe 40 PID 1608 wrote to memory of 2420 1608 Ahchbf32.exe 40 PID 1608 wrote to memory of 2420 1608 Ahchbf32.exe 40 PID 2420 wrote to memory of 2076 2420 Ajbdna32.exe 41 PID 2420 wrote to memory of 2076 2420 Ajbdna32.exe 41 PID 2420 wrote to memory of 2076 2420 Ajbdna32.exe 41 PID 2420 wrote to memory of 2076 2420 Ajbdna32.exe 41 PID 2076 wrote to memory of 308 2076 Ampqjm32.exe 42 PID 2076 wrote to memory of 308 2076 Ampqjm32.exe 42 PID 2076 wrote to memory of 308 2076 Ampqjm32.exe 42 PID 2076 wrote to memory of 308 2076 Ampqjm32.exe 42 PID 308 wrote to memory of 2036 308 Adjigg32.exe 43 PID 308 wrote to memory of 2036 308 Adjigg32.exe 43 PID 308 wrote to memory of 2036 308 Adjigg32.exe 43 PID 308 wrote to memory of 2036 308 Adjigg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\117c75c932982d691a3a2da0b7c681fcfa325475fc6d6afb2d9c5c94a8ecd172_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe33⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe34⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe35⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe37⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe38⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe39⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe40⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe45⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe46⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe48⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe49⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe52⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe56⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe58⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe59⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe61⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe62⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe63⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe64⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe65⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe67⤵PID:2804
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe68⤵PID:1536
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:952 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe70⤵PID:1100
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe71⤵PID:1700
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe72⤵PID:2360
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe74⤵PID:2456
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe75⤵PID:2452
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe76⤵PID:948
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe77⤵PID:1780
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe78⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe79⤵PID:1664
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe80⤵PID:2760
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe81⤵PID:636
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe82⤵PID:1984
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe83⤵PID:1620
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe84⤵PID:1172
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe85⤵PID:860
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe86⤵PID:2640
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe87⤵PID:2724
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe88⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe89⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe90⤵PID:804
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe92⤵PID:2720
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe93⤵
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:528 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe95⤵PID:1308
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe96⤵PID:1868
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe97⤵
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe98⤵PID:1972
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe100⤵PID:2536
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe101⤵PID:2520
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe102⤵PID:2436
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe104⤵PID:936
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe105⤵PID:2160
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe106⤵PID:2668
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe107⤵PID:588
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe108⤵PID:1988
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe109⤵PID:1892
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe110⤵PID:1752
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe112⤵PID:2256
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe113⤵PID:2644
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe114⤵PID:2596
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe115⤵PID:1212
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe116⤵PID:2192
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1364 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe120⤵PID:900
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe121⤵PID:2884
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-