Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25-06-2024 21:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe
-
Size
57KB
-
MD5
c195ef59bb4988c36b01da9cd237c620
-
SHA1
5efa2c70f923bc0ef6db5bbbc12794348f4f61cc
-
SHA256
1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c
-
SHA512
dd532ca52b54e98e8cb212a14181b0cc4fae828285981ac176686af4b5ae4f19aea0fc6fd4d2a9de83dc1aa321ba91425ae6591b2ec3a1b67e2d688567756e30
-
SSDEEP
1536:+RlCVN6hqZP4L74+8KPinHnqEBjjP2u45MBjj:qEVvwvX7MrBjjPtrj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqkmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbfpik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iblpjdpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpnanch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qimhoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caknol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpgljfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pogclp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhphncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkommo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inqcif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdnkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqkmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckafbbph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlnbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplkpgnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cddaphkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lemaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkcofe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keanebkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjqccigf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcihlong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogclp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbhke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obojhlbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflomnkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbdjhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgfckcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkima32.exe -
Executes dropped EXE 64 IoCs
pid Process 2360 Ghfbqn32.exe 2524 Ghhofmql.exe 2572 Gbnccfpb.exe 2644 Ghkllmoi.exe 2432 Gmgdddmq.exe 2416 Gacpdbej.exe 1212 Gogangdc.exe 2764 Gddifnbk.exe 2888 Hiqbndpb.exe 2196 Hdfflm32.exe 1900 Hkpnhgge.exe 2884 Hdhbam32.exe 888 Hggomh32.exe 2348 Hpocfncj.exe 1564 Hgilchkf.exe 628 Hhjhkq32.exe 1452 Hpapln32.exe 2996 Hhmepp32.exe 2224 Icbimi32.exe 1556 Iaeiieeb.exe 1880 Ihoafpmp.exe 2992 Iknnbklc.exe 2236 Ioijbj32.exe 1788 Ifcbodli.exe 1440 Idfbkq32.exe 2320 Iajcde32.exe 2188 Iqmcpahh.exe 2908 Inqcif32.exe 2584 Iblpjdpk.exe 1680 Iqopea32.exe 2684 Incpoe32.exe 2408 Idmhkpml.exe 2552 Jjjacf32.exe 2272 Jcbellac.exe 2744 Jiondcpk.exe 1860 Jcdbbloa.exe 320 Jfcnngnd.exe 332 Jbjochdi.exe 2696 Jonplmcb.exe 1648 Jbllihbf.exe 2932 Jnclnihj.exe 2216 Kaaijdgn.exe 544 Kgkafo32.exe 2248 Kneicieh.exe 2812 Kmjfdejp.exe 948 Keanebkb.exe 1560 Kcdnao32.exe 788 Kmmcjehm.exe 984 Kpkofpgq.exe 2180 Kgbggnhc.exe 1548 Kjqccigf.exe 3008 Kpmlkp32.exe 2816 Kcihlong.exe 2804 Kjcpii32.exe 2980 Kmaled32.exe 2460 Lckdanld.exe 2280 Lemaif32.exe 2716 Lihmjejl.exe 2648 Llfifq32.exe 1188 Loeebl32.exe 2452 Lijjoe32.exe 1016 Lhmjkaoc.exe 2940 Lliflp32.exe 2244 Lbcnhjnj.exe -
Loads dropped DLL 64 IoCs
pid Process 2012 1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe 2012 1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe 2360 Ghfbqn32.exe 2360 Ghfbqn32.exe 2524 Ghhofmql.exe 2524 Ghhofmql.exe 2572 Gbnccfpb.exe 2572 Gbnccfpb.exe 2644 Ghkllmoi.exe 2644 Ghkllmoi.exe 2432 Gmgdddmq.exe 2432 Gmgdddmq.exe 2416 Gacpdbej.exe 2416 Gacpdbej.exe 1212 Gogangdc.exe 1212 Gogangdc.exe 2764 Gddifnbk.exe 2764 Gddifnbk.exe 2888 Hiqbndpb.exe 2888 Hiqbndpb.exe 2196 Hdfflm32.exe 2196 Hdfflm32.exe 1900 Hkpnhgge.exe 1900 Hkpnhgge.exe 2884 Hdhbam32.exe 2884 Hdhbam32.exe 888 Hggomh32.exe 888 Hggomh32.exe 2348 Hpocfncj.exe 2348 Hpocfncj.exe 1564 Hgilchkf.exe 1564 Hgilchkf.exe 628 Hhjhkq32.exe 628 Hhjhkq32.exe 1452 Hpapln32.exe 1452 Hpapln32.exe 2996 Hhmepp32.exe 2996 Hhmepp32.exe 2224 Icbimi32.exe 2224 Icbimi32.exe 1556 Iaeiieeb.exe 1556 Iaeiieeb.exe 1880 Ihoafpmp.exe 1880 Ihoafpmp.exe 2992 Iknnbklc.exe 2992 Iknnbklc.exe 2236 Ioijbj32.exe 2236 Ioijbj32.exe 1788 Ifcbodli.exe 1788 Ifcbodli.exe 1440 Idfbkq32.exe 1440 Idfbkq32.exe 2320 Iajcde32.exe 2320 Iajcde32.exe 2188 Iqmcpahh.exe 2188 Iqmcpahh.exe 2908 Inqcif32.exe 2908 Inqcif32.exe 2584 Iblpjdpk.exe 2584 Iblpjdpk.exe 1680 Iqopea32.exe 1680 Iqopea32.exe 2684 Incpoe32.exe 2684 Incpoe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eofjhkoj.dll Djhphncm.exe File created C:\Windows\SysWOW64\Omabcb32.dll Gddifnbk.exe File created C:\Windows\SysWOW64\Jiondcpk.exe Jcbellac.exe File created C:\Windows\SysWOW64\Jonplmcb.exe Jbjochdi.exe File created C:\Windows\SysWOW64\Lkoacn32.dll Mpdnkb32.exe File opened for modification C:\Windows\SysWOW64\Nlbeqb32.exe Ndkmpe32.exe File created C:\Windows\SysWOW64\Gbnccfpb.exe Ghhofmql.exe File created C:\Windows\SysWOW64\Jbjochdi.exe Jfcnngnd.exe File created C:\Windows\SysWOW64\Objbcm32.dll Pbhmnkjf.exe File opened for modification C:\Windows\SysWOW64\Pbhmnkjf.exe Pkndaa32.exe File created C:\Windows\SysWOW64\Gjhfbach.dll Cgejac32.exe File created C:\Windows\SysWOW64\Opfdll32.dll Ckafbbph.exe File created C:\Windows\SysWOW64\Abqjpn32.dll Jfcnngnd.exe File opened for modification C:\Windows\SysWOW64\Mimbdhhb.exe Mgnfhlin.exe File opened for modification C:\Windows\SysWOW64\Mpigfa32.exe Mlmlecec.exe File opened for modification C:\Windows\SysWOW64\Nhdlkdkg.exe Nefpnhlc.exe File created C:\Windows\SysWOW64\Pqhpdhcc.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Mhkdik32.dll Cnaocmmi.exe File created C:\Windows\SysWOW64\Dfoqmo32.exe Dcadac32.exe File created C:\Windows\SysWOW64\Aidnohbk.exe Abjebn32.exe File created C:\Windows\SysWOW64\Ncfnmo32.dll Bmmiij32.exe File created C:\Windows\SysWOW64\Fjaonpnn.exe Ebjglbml.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Ihoafpmp.exe File created C:\Windows\SysWOW64\Iblpjdpk.exe Inqcif32.exe File opened for modification C:\Windows\SysWOW64\Mhgmapfi.exe Mmahdggc.exe File opened for modification C:\Windows\SysWOW64\Pbfpik32.exe Pogclp32.exe File created C:\Windows\SysWOW64\Njabih32.dll Bmpfojmp.exe File created C:\Windows\SysWOW64\Emdipg32.dll Jjjacf32.exe File created C:\Windows\SysWOW64\Pogjpc32.dll Kmjfdejp.exe File opened for modification C:\Windows\SysWOW64\Naajoinb.exe Nocnbmoo.exe File opened for modification C:\Windows\SysWOW64\Ebmgcohn.exe Dkcofe32.exe File opened for modification C:\Windows\SysWOW64\Pogclp32.exe Pgplkb32.exe File opened for modification C:\Windows\SysWOW64\Bdbhke32.exe Bpgljfbl.exe File opened for modification C:\Windows\SysWOW64\Ifcbodli.exe Ioijbj32.exe File created C:\Windows\SysWOW64\Flmpfjke.dll Kpkofpgq.exe File opened for modification C:\Windows\SysWOW64\Ldidkbpb.exe Lajhofao.exe File created C:\Windows\SysWOW64\Ncgdbmmp.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Cmeidehe.dll Nocnbmoo.exe File created C:\Windows\SysWOW64\Oimpgolj.dll Pjenhm32.exe File created C:\Windows\SysWOW64\Bmpfojmp.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Dcadac32.exe Djhphncm.exe File opened for modification C:\Windows\SysWOW64\Ioijbj32.exe Iknnbklc.exe File created C:\Windows\SysWOW64\Naajoinb.exe Nocnbmoo.exe File created C:\Windows\SysWOW64\Npdjje32.exe Naajoinb.exe File created C:\Windows\SysWOW64\Oopnlacm.exe Ohfeog32.exe File created C:\Windows\SysWOW64\Mijgof32.dll Ofjfhk32.exe File created C:\Windows\SysWOW64\Bjidgghp.dll Dhpiojfb.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File created C:\Windows\SysWOW64\Ahdaee32.exe Aefeijle.exe File created C:\Windows\SysWOW64\Dkcofe32.exe Ddigjkid.exe File opened for modification C:\Windows\SysWOW64\Icbimi32.exe Hhmepp32.exe File opened for modification C:\Windows\SysWOW64\Kpmlkp32.exe Kjqccigf.exe File opened for modification C:\Windows\SysWOW64\Lbeknj32.exe Lojomkdn.exe File opened for modification C:\Windows\SysWOW64\Lajhofao.exe Lollckbk.exe File created C:\Windows\SysWOW64\Oceaboqg.dll Ngnbgplj.exe File opened for modification C:\Windows\SysWOW64\Ihoafpmp.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Oacima32.dll Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Ahlgfdeq.exe Anccmo32.exe File created C:\Windows\SysWOW64\Mlkopcge.exe Mimbdhhb.exe File created C:\Windows\SysWOW64\Mhbped32.exe Meccii32.exe File opened for modification C:\Windows\SysWOW64\Dkcofe32.exe Ddigjkid.exe File created C:\Windows\SysWOW64\Ebbgbdkh.dll Ohfeog32.exe File created C:\Windows\SysWOW64\Bdhaablp.dll Hpapln32.exe File created C:\Windows\SysWOW64\Befkmkob.dll Afcenm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4080 4044 WerFault.exe 259 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfoocjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copeil32.dll" Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjfdejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jddnncch.dll" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchnel32.dll" Oobjaqaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbhke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll" Djmicm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnhlblil.dll" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necfoajd.dll" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhbped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcadac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghkllmoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgplkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll" Dcadac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihoafpmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbjochdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlcbpdk.dll" Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqphdm32.dll" Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnhbg32.dll" Ndmjedoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjkbhikj.dll" Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlkdkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bocolb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcadac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll" Hkpnhgge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhnfd32.dll" Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baakhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lliflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjoqjhi.dll" Lafndg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkgbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimpgolj.dll" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdhbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijqnib32.dll" Lajhofao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpdnkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajhofao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngnbgplj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fioeja32.dll" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefijfii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebmgcohn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 2360 2012 1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe 28 PID 2012 wrote to memory of 2360 2012 1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe 28 PID 2012 wrote to memory of 2360 2012 1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe 28 PID 2012 wrote to memory of 2360 2012 1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe 28 PID 2360 wrote to memory of 2524 2360 Ghfbqn32.exe 29 PID 2360 wrote to memory of 2524 2360 Ghfbqn32.exe 29 PID 2360 wrote to memory of 2524 2360 Ghfbqn32.exe 29 PID 2360 wrote to memory of 2524 2360 Ghfbqn32.exe 29 PID 2524 wrote to memory of 2572 2524 Ghhofmql.exe 30 PID 2524 wrote to memory of 2572 2524 Ghhofmql.exe 30 PID 2524 wrote to memory of 2572 2524 Ghhofmql.exe 30 PID 2524 wrote to memory of 2572 2524 Ghhofmql.exe 30 PID 2572 wrote to memory of 2644 2572 Gbnccfpb.exe 31 PID 2572 wrote to memory of 2644 2572 Gbnccfpb.exe 31 PID 2572 wrote to memory of 2644 2572 Gbnccfpb.exe 31 PID 2572 wrote to memory of 2644 2572 Gbnccfpb.exe 31 PID 2644 wrote to memory of 2432 2644 Ghkllmoi.exe 32 PID 2644 wrote to memory of 2432 2644 Ghkllmoi.exe 32 PID 2644 wrote to memory of 2432 2644 Ghkllmoi.exe 32 PID 2644 wrote to memory of 2432 2644 Ghkllmoi.exe 32 PID 2432 wrote to memory of 2416 2432 Gmgdddmq.exe 33 PID 2432 wrote to memory of 2416 2432 Gmgdddmq.exe 33 PID 2432 wrote to memory of 2416 2432 Gmgdddmq.exe 33 PID 2432 wrote to memory of 2416 2432 Gmgdddmq.exe 33 PID 2416 wrote to memory of 1212 2416 Gacpdbej.exe 34 PID 2416 wrote to memory of 1212 2416 Gacpdbej.exe 34 PID 2416 wrote to memory of 1212 2416 Gacpdbej.exe 34 PID 2416 wrote to memory of 1212 2416 Gacpdbej.exe 34 PID 1212 wrote to memory of 2764 1212 Gogangdc.exe 35 PID 1212 wrote to memory of 2764 1212 Gogangdc.exe 35 PID 1212 wrote to memory of 2764 1212 Gogangdc.exe 35 PID 1212 wrote to memory of 2764 1212 Gogangdc.exe 35 PID 2764 wrote to memory of 2888 2764 Gddifnbk.exe 36 PID 2764 wrote to memory of 2888 2764 Gddifnbk.exe 36 PID 2764 wrote to memory of 2888 2764 Gddifnbk.exe 36 PID 2764 wrote to memory of 2888 2764 Gddifnbk.exe 36 PID 2888 wrote to memory of 2196 2888 Hiqbndpb.exe 37 PID 2888 wrote to memory of 2196 2888 Hiqbndpb.exe 37 PID 2888 wrote to memory of 2196 2888 Hiqbndpb.exe 37 PID 2888 wrote to memory of 2196 2888 Hiqbndpb.exe 37 PID 2196 wrote to memory of 1900 2196 Hdfflm32.exe 38 PID 2196 wrote to memory of 1900 2196 Hdfflm32.exe 38 PID 2196 wrote to memory of 1900 2196 Hdfflm32.exe 38 PID 2196 wrote to memory of 1900 2196 Hdfflm32.exe 38 PID 1900 wrote to memory of 2884 1900 Hkpnhgge.exe 39 PID 1900 wrote to memory of 2884 1900 Hkpnhgge.exe 39 PID 1900 wrote to memory of 2884 1900 Hkpnhgge.exe 39 PID 1900 wrote to memory of 2884 1900 Hkpnhgge.exe 39 PID 2884 wrote to memory of 888 2884 Hdhbam32.exe 40 PID 2884 wrote to memory of 888 2884 Hdhbam32.exe 40 PID 2884 wrote to memory of 888 2884 Hdhbam32.exe 40 PID 2884 wrote to memory of 888 2884 Hdhbam32.exe 40 PID 888 wrote to memory of 2348 888 Hggomh32.exe 41 PID 888 wrote to memory of 2348 888 Hggomh32.exe 41 PID 888 wrote to memory of 2348 888 Hggomh32.exe 41 PID 888 wrote to memory of 2348 888 Hggomh32.exe 41 PID 2348 wrote to memory of 1564 2348 Hpocfncj.exe 42 PID 2348 wrote to memory of 1564 2348 Hpocfncj.exe 42 PID 2348 wrote to memory of 1564 2348 Hpocfncj.exe 42 PID 2348 wrote to memory of 1564 2348 Hpocfncj.exe 42 PID 1564 wrote to memory of 628 1564 Hgilchkf.exe 43 PID 1564 wrote to memory of 628 1564 Hgilchkf.exe 43 PID 1564 wrote to memory of 628 1564 Hgilchkf.exe 43 PID 1564 wrote to memory of 628 1564 Hgilchkf.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1570cf68ed1744140636d808e3a8454247b81153badd7984f6779fa3167ddd6c_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe33⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe36⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe40⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe41⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe44⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe45⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe48⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe49⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe51⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe53⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe56⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe57⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe59⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe61⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe62⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe63⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe65⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe66⤵
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe67⤵PID:500
-
C:\Windows\SysWOW64\Limfed32.exeC:\Windows\system32\Limfed32.exe68⤵PID:1980
-
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe69⤵PID:1696
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe71⤵
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe72⤵PID:2000
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe73⤵PID:2148
-
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe74⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe75⤵PID:240
-
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe76⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe78⤵PID:2936
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe79⤵PID:2372
-
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe80⤵PID:2472
-
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe81⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:540 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe83⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe84⤵PID:2836
-
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe88⤵PID:2392
-
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe89⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe91⤵PID:2748
-
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe92⤵PID:2200
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe94⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe97⤵PID:1104
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe98⤵
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe99⤵PID:1852
-
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe100⤵PID:2292
-
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe101⤵PID:1656
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe102⤵PID:3004
-
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe103⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe104⤵PID:2380
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe105⤵PID:2428
-
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe106⤵PID:2276
-
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe107⤵
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe108⤵PID:1796
-
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe109⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe112⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe115⤵PID:2692
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe116⤵PID:2404
-
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe117⤵PID:2736
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe118⤵
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe119⤵PID:1988
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe120⤵
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe121⤵PID:2592
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-