Analysis
max time kernel: 158s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 02:19

Static task: static1

Behavioral task: behavioral1
  Sample: 222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43_NeikiAnalytics.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: 222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en

General
Target: 222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43_NeikiAnalytics.exe
Size: 117KB
MD5: 5fadbea69c054f3aa945003969529a00
SHA1: f206be74fdc0259a5e20cef143abc4189ae784e7
SHA256: 222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43
SHA512: ecf8de5e06c06c8bb06f8febd6286a9fa07fe99f60b2f27383e6e20a716ad9f7885c76fe88a7e5e90208842757f795302c2fc32e58b4da25252fab9eac700beb
SSDEEP: 1536:vFOZULQniJh7knN3dshOyBrAIdKpLH8c9KwBnTTxFFfUN1Avhw6JCM:3aih7knZdcHBr1KacwoTTxFFfUrQlM
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mojmbf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoglmg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnkbdqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iljpgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlnkgbhp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fofiff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihlechfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lgccccec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qoplop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpfidh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nhbfpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Capbaacl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbaocfmo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doeghk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdcplkoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qgkeep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifjdjbdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Coldbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fdbdkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bodfkpfg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfqkmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cemcqcgi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgefogop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gohfkemf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgimepmd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fibncmpg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcjnikhc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbbnim32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekoddodi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gifjjacn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gplpfb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kggcgeop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ofcale32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fkllghoq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdlphjaf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggnenagl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pcccol32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckkilhjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffclml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnhfokoc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gadqepkn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkmgladi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Acheqi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdfgdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmlmdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnkbdqpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ipflcnln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lqdakjak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qoboofnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oakbonkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dannbogl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Alcfoo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjnmib32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Codhgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Elpknehe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bogkgmho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgbfka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbjhelnp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alnmdojp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nladpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jngbcj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Padeem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ihpgda32.exe
Executes dropped EXE (64 IoCs)
pid | Process
1136 | Gehice32.exe
1596 | Iljpgl32.exe
2528 | Jkajnh32.exe
4568 | Jjefao32.exe
1556 | Kcbded32.exe
4636 | Lbgjmnno.exe
1892 | Mclpbqal.exe
700 | Nlnkgbhp.exe
2432 | Nbjpjl32.exe
4072 | Nmbamdkm.exe
2820 | Omigmc32.exe
4252 | Pmpmnb32.exe
1068 | Ppafpm32.exe
4844 | Qipqibmf.exe
2712 | Bqokhi32.exe
4760 | Cgbfka32.exe
3828 | Cdfgdf32.exe
628 | Cjflblll.exe
2892 | Dgnffp32.exe
4768 | Egelgoah.exe
1668 | Fnkdpgnh.exe
2984 | Gajibq32.exe
3156 | Hoglbc32.exe
1720 | Jnmbjnlm.exe
1252 | Jefgak32.exe
2548 | Kkhidaeo.exe
2176 | Kdeghfhj.exe
4964 | Kffphhmj.exe
1336 | Lofjam32.exe
1988 | Mbkmngfn.exe
4608 | Mmcnap32.exe
4500 | Nbepdfnc.exe
976 | Niohap32.exe
1484 | Ppnbpg32.exe
4516 | Pbokab32.exe
2480 | Aooolbep.exe
4460 | Aepmjk32.exe
4968 | Bpjkbcbe.exe
4624 | Bidlqhgc.exe
2100 | Ccajdmin.exe
4352 | Ccipelcf.exe
2644 | Cpmqoqbp.exe
4744 | Dobnpm32.exe
2044 | Dfclmfhl.exe
1220 | Eqkmpo32.exe
2172 | Efgehe32.exe
5020 | Fqfmlm32.exe
1196 | Fanbll32.exe
5116 | Gmnfglcd.exe
4584 | Gmpcmkaa.exe
3176 | Hjdcfp32.exe
2992 | Hanlcjgh.exe
2288 | Hpchdf32.exe
4576 | Haeadi32.exe
552 | Hjmfmnhp.exe
2836 | Hagnihom.exe
1980 | Ifdgaond.exe
1804 | Iajkohmj.exe
1400 | Jmlkpgia.exe
3680 | Jmqekg32.exe
3316 | Lggeej32.exe
3544 | Mhpeelnd.exe
3224 | Mojmbf32.exe
4372 | Mbkfcabb.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Pdpndo32.dll | Flmqem32.exe
File opened for modification | C:\Windows\SysWOW64\Ekladi32.exe | Ehlhbn32.exe
File opened for modification | C:\Windows\SysWOW64\Pdkolm32.exe | Pmafpchb.exe
File created | C:\Windows\SysWOW64\Mqpcdn32.exe | Mbkfcabb.exe
File created | C:\Windows\SysWOW64\Inmggo32.exe | Igcojdhp.exe
File created | C:\Windows\SysWOW64\Ccmaihoc.dll | Aqjpod32.exe
File opened for modification | C:\Windows\SysWOW64\Lqhdlc32.exe | Lcdcbokq.exe
File created | C:\Windows\SysWOW64\Aapeakij.exe | Qdldgg32.exe
File created | C:\Windows\SysWOW64\Amibklml.exe | Adanbffk.exe
File opened for modification | C:\Windows\SysWOW64\Iimcgg32.exe | Ihmfmd32.exe
File created | C:\Windows\SysWOW64\Mmcnap32.exe | Mbkmngfn.exe
File created | C:\Windows\SysWOW64\Pfjbic32.dll | Cgbfka32.exe
File opened for modification | C:\Windows\SysWOW64\Igcojdhp.exe | Ifbbbl32.exe
File created | C:\Windows\SysWOW64\Ibjgim32.dll | Bfnnhj32.exe
File opened for modification | C:\Windows\SysWOW64\Iifmfh32.exe | Hnphio32.exe
File opened for modification | C:\Windows\SysWOW64\Omigmc32.exe | Nmbamdkm.exe
File created | C:\Windows\SysWOW64\Pmoijcje.exe | Plmmbkdf.exe
File created | C:\Windows\SysWOW64\Flmqem32.exe | Fpfppl32.exe
File created | C:\Windows\SysWOW64\Pieloojf.dll | Knlknigf.exe
File opened for modification | C:\Windows\SysWOW64\Eopbghnb.exe | Ehappnjj.exe
File opened for modification | C:\Windows\SysWOW64\Alplfpbp.exe | Paqebike.exe
File opened for modification | C:\Windows\SysWOW64\Cemcqcgi.exe | Blpemn32.exe
File created | C:\Windows\SysWOW64\Ojjoedfn.exe | Ocpghj32.exe
File created | C:\Windows\SysWOW64\Bkgcaf32.dll | Hoaocf32.exe
File created | C:\Windows\SysWOW64\Mflbdibj.exe | Mnanpfdo.exe
File opened for modification | C:\Windows\SysWOW64\Fbplgbbb.exe | Fgjhiibl.exe
File created | C:\Windows\SysWOW64\Hjdmjl32.dll | Cdfgdf32.exe
File opened for modification | C:\Windows\SysWOW64\Bokeai32.exe | Bjnmib32.exe
File opened for modification | C:\Windows\SysWOW64\Pmlmdd32.exe | Phodlm32.exe
File opened for modification | C:\Windows\SysWOW64\Iimjan32.exe | Ioeineap.exe
File opened for modification | C:\Windows\SysWOW64\Mfnojh32.exe | Mmfkac32.exe
File created | C:\Windows\SysWOW64\Kpmmdl32.dll | Agbgda32.exe
File created | C:\Windows\SysWOW64\Mpmnbbpe.dll | Cpajdc32.exe
File created | C:\Windows\SysWOW64\Ipgkcabd.exe | Iimcgg32.exe
File opened for modification | C:\Windows\SysWOW64\Kffphhmj.exe | Kdeghfhj.exe
File opened for modification | C:\Windows\SysWOW64\Afgame32.exe | Acheqi32.exe
File created | C:\Windows\SysWOW64\Nlnkgbhp.exe | Mclpbqal.exe
File opened for modification | C:\Windows\SysWOW64\Piepnfnj.exe | Pbiklmhp.exe
File created | C:\Windows\SysWOW64\Dgnned32.dll | Ccbhhl32.exe
File created | C:\Windows\SysWOW64\Ckkilhjm.exe | Cfnqdale.exe
File opened for modification | C:\Windows\SysWOW64\Plcdbghi.exe | Pckpja32.exe
File opened for modification | C:\Windows\SysWOW64\Bhnqoo32.exe | Bcahgh32.exe
File opened for modification | C:\Windows\SysWOW64\Icalij32.exe | Ilhcmpeg.exe
File created | C:\Windows\SysWOW64\Bfkeej32.dll | Bmhfddeq.exe
File opened for modification | C:\Windows\SysWOW64\Bjicnbba.exe | Bcokah32.exe
File created | C:\Windows\SysWOW64\Ldgclgcl.exe | Lgccccec.exe
File created | C:\Windows\SysWOW64\Odmbkolo.exe | Omcjne32.exe
File opened for modification | C:\Windows\SysWOW64\Dbdjol32.exe | Cbbnim32.exe
File created | C:\Windows\SysWOW64\Lqjqab32.exe | Lqhdlc32.exe
File created | C:\Windows\SysWOW64\Pgoejapi.exe | Ohnelj32.exe
File created | C:\Windows\SysWOW64\Eeojdk32.dll | Epgndedc.exe
File created | C:\Windows\SysWOW64\Fpbmpc32.exe | Fjfegl32.exe
File created | C:\Windows\SysWOW64\Dpphcf32.exe | Djcoko32.exe
File created | C:\Windows\SysWOW64\Nhiknh32.dll | Gkjhif32.exe
File created | C:\Windows\SysWOW64\Hpbajp32.exe | Hihimfag.exe
File created | C:\Windows\SysWOW64\Pnbimd32.dll | Eaekmdep.exe
File opened for modification | C:\Windows\SysWOW64\Hnodkjhq.exe | Hhbkccji.exe
File opened for modification | C:\Windows\SysWOW64\Jkggfl32.exe | Jqbbicel.exe
File created | C:\Windows\SysWOW64\Nclokbca.dll | Boenam32.exe
File created | C:\Windows\SysWOW64\Bgfalfne.dll | Ioebdomd.exe
File created | C:\Windows\SysWOW64\Bqboal32.dll | Cpbgnlfo.exe
File opened for modification | C:\Windows\SysWOW64\Gicndaep.exe | Gpkiklop.exe
File created | C:\Windows\SysWOW64\Pghiomqi.exe | Pqihgcma.exe
File created | C:\Windows\SysWOW64\Ngkpei32.dll | Cknlln32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
964 | 3600 | WerFault.exe | 710
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pqihgcma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Liddligi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflfp32.dll" | Mlnijmhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkqpd32.dll" | Aeiooi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noijmagb.dll" | Ofcale32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pdhklgnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfdeo32.dll" | Nlnkgbhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Homcjh32.dll" | Lofjam32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hlnjlkjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folcdd32.dll" | Nohicdia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nllekk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fionaboc.dll" | Fapdomgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Codhgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Epgndedc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobkgc32.dll" | Fkkemble.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfdemn32.dll" | Ggnenagl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iafogggl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjbfig.dll" | Bcahgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dqkmkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omnlck32.dll" | Ijmobhdd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ognpoheh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jliffj32.dll" | Fgbmliee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Olcklj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lebalokn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gplpfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeeded32.dll" | Cdkipb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mhpeelnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeado32.dll" | Fifdqhal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pckpja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bhkfdcbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbedffg.dll" | Cbeaib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Enigek32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hiackied.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oelhljaq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dqmjqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogfcc32.dll" | Bajqpe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dlegokbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdkk32.dll" | Ggkiha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpndo32.dll" | Flmqem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdmd32.dll" | Jgonfcnb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fphneijl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeojdk32.dll" | Epgndedc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dogfkpih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pjpokm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfbcpgeg.dll" | Nlfnkoia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cipebqij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfkehk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gacjkjgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmmfl32.dll" | Elncjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fnpmej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Haceil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ackbfioj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgjmbjb.dll" | Ajdjcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aqoijcbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibogbimm.dll" | Emphhhoh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hagodlge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Liekgo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mnanpfdo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ghdoae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cobciblp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bijnnf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ajdjcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Alcfoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbphlg32.dll" | Gehice32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3712 wrote to memory of 1136 | 3712 | 222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43_NeikiAnalytics.exe | 93
PID 3712 wrote to memory of 1136 | 3712 | 222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43_NeikiAnalytics.exe | 93
PID 3712 wrote to memory of 1136 | 3712 | 222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43_NeikiAnalytics.exe | 93
PID 1136 wrote to memory of 1596 | 1136 | Gehice32.exe | 94
PID 1136 wrote to memory of 1596 | 1136 | Gehice32.exe | 94
PID 1136 wrote to memory of 1596 | 1136 | Gehice32.exe | 94
PID 1596 wrote to memory of 2528 | 1596 | Iljpgl32.exe | 95
PID 1596 wrote to memory of 2528 | 1596 | Iljpgl32.exe | 95
PID 1596 wrote to memory of 2528 | 1596 | Iljpgl32.exe | 95
PID 2528 wrote to memory of 4568 | 2528 | Jkajnh32.exe | 96
PID 2528 wrote to memory of 4568 | 2528 | Jkajnh32.exe | 96
PID 2528 wrote to memory of 4568 | 2528 | Jkajnh32.exe | 96
PID 4568 wrote to memory of 1556 | 4568 | Jjefao32.exe | 97
PID 4568 wrote to memory of 1556 | 4568 | Jjefao32.exe | 97
PID 4568 wrote to memory of 1556 | 4568 | Jjefao32.exe | 97
PID 1556 wrote to memory of 4636 | 1556 | Kcbded32.exe | 98
PID 1556 wrote to memory of 4636 | 1556 | Kcbded32.exe | 98
PID 1556 wrote to memory of 4636 | 1556 | Kcbded32.exe | 98
PID 4636 wrote to memory of 1892 | 4636 | Lbgjmnno.exe | 99
PID 4636 wrote to memory of 1892 | 4636 | Lbgjmnno.exe | 99
PID 4636 wrote to memory of 1892 | 4636 | Lbgjmnno.exe | 99
PID 1892 wrote to memory of 700 | 1892 | Mclpbqal.exe | 100
PID 1892 wrote to memory of 700 | 1892 | Mclpbqal.exe | 100
PID 1892 wrote to memory of 700 | 1892 | Mclpbqal.exe | 100
PID 700 wrote to memory of 2432 | 700 | Nlnkgbhp.exe | 101
PID 700 wrote to memory of 2432 | 700 | Nlnkgbhp.exe | 101
PID 700 wrote to memory of 2432 | 700 | Nlnkgbhp.exe | 101
PID 2432 wrote to memory of 4072 | 2432 | Nbjpjl32.exe | 102
PID 2432 wrote to memory of 4072 | 2432 | Nbjpjl32.exe | 102
PID 2432 wrote to memory of 4072 | 2432 | Nbjpjl32.exe | 102
PID 4072 wrote to memory of 2820 | 4072 | Nmbamdkm.exe | 103
PID 4072 wrote to memory of 2820 | 4072 | Nmbamdkm.exe | 103
PID 4072 wrote to memory of 2820 | 4072 | Nmbamdkm.exe | 103
PID 2820 wrote to memory of 4252 | 2820 | Omigmc32.exe | 104
PID 2820 wrote to memory of 4252 | 2820 | Omigmc32.exe | 104
PID 2820 wrote to memory of 4252 | 2820 | Omigmc32.exe | 104
PID 4252 wrote to memory of 1068 | 4252 | Pmpmnb32.exe | 105
PID 4252 wrote to memory of 1068 | 4252 | Pmpmnb32.exe | 105
PID 4252 wrote to memory of 1068 | 4252 | Pmpmnb32.exe | 105
PID 1068 wrote to memory of 4844 | 1068 | Ppafpm32.exe | 106
PID 1068 wrote to memory of 4844 | 1068 | Ppafpm32.exe | 106
PID 1068 wrote to memory of 4844 | 1068 | Ppafpm32.exe | 106
PID 4844 wrote to memory of 2712 | 4844 | Qipqibmf.exe | 107
PID 4844 wrote to memory of 2712 | 4844 | Qipqibmf.exe | 107
PID 4844 wrote to memory of 2712 | 4844 | Qipqibmf.exe | 107
PID 2712 wrote to memory of 4760 | 2712 | Bqokhi32.exe | 108
PID 2712 wrote to memory of 4760 | 2712 | Bqokhi32.exe | 108
PID 2712 wrote to memory of 4760 | 2712 | Bqokhi32.exe | 108
PID 4760 wrote to memory of 3828 | 4760 | Cgbfka32.exe | 109
PID 4760 wrote to memory of 3828 | 4760 | Cgbfka32.exe | 109
PID 4760 wrote to memory of 3828 | 4760 | Cgbfka32.exe | 109
PID 3828 wrote to memory of 628 | 3828 | Cdfgdf32.exe | 110
PID 3828 wrote to memory of 628 | 3828 | Cdfgdf32.exe | 110
PID 3828 wrote to memory of 628 | 3828 | Cdfgdf32.exe | 110
PID 628 wrote to memory of 2892 | 628 | Cjflblll.exe | 111
PID 628 wrote to memory of 2892 | 628 | Cjflblll.exe | 111
PID 628 wrote to memory of 2892 | 628 | Cjflblll.exe | 111
PID 2892 wrote to memory of 4768 | 2892 | Dgnffp32.exe | 112
PID 2892 wrote to memory of 4768 | 2892 | Dgnffp32.exe | 112
PID 2892 wrote to memory of 4768 | 2892 | Dgnffp32.exe | 112
PID 4768 wrote to memory of 1668 | 4768 | Egelgoah.exe | 113
PID 4768 wrote to memory of 1668 | 4768 | Egelgoah.exe | 113
PID 4768 wrote to memory of 1668 | 4768 | Egelgoah.exe | 113
PID 1668 wrote to memory of 2984 | 1668 | Fnkdpgnh.exe | 114
Processes
C:\Users\Admin\AppData\Local\Temp\222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43_NeikiAnalytics.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\222bd4fa71033f73ea3777bcfc834b5660951373b1a297fb0460ece25d380a43_NeikiAnalytics.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID: 3712

C:\Windows\SysWOW64\Gehice32.exe (depth 2)
Command line: C:\Windows\system32\Gehice32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1136

C:\Windows\SysWOW64\Iljpgl32.exe (depth 3)
Command line: C:\Windows\system32\Iljpgl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1596

C:\Windows\SysWOW64\Jkajnh32.exe (depth 4)
Command line: C:\Windows\system32\Jkajnh32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2528

C:\Windows\SysWOW64\Jjefao32.exe (depth 5)
Command line: C:\Windows\system32\Jjefao32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4568

C:\Windows\SysWOW64\Kcbded32.exe (depth 6)
Command line: C:\Windows\system32\Kcbded32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1556

C:\Windows\SysWOW64\Lbgjmnno.exe (depth 7)
Command line: C:\Windows\system32\Lbgjmnno.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4636

C:\Windows\SysWOW64\Mclpbqal.exe (depth 8)
Command line: C:\Windows\system32\Mclpbqal.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1892

C:\Windows\SysWOW64\Nlnkgbhp.exe (depth 9)
Command line: C:\Windows\system32\Nlnkgbhp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 700

C:\Windows\SysWOW64\Nbjpjl32.exe (depth 10)
Command line: C:\Windows\system32\Nbjpjl32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2432

C:\Windows\SysWOW64\Nmbamdkm.exe (depth 11)
Command line: C:\Windows\system32\Nmbamdkm.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4072
C:\Windows\SysWOW64\Omigmc32.exe (depth 12)
Command line: C:\Windows\system32\Omigmc32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2820

C:\Windows\SysWOW64\Pmpmnb32.exe (depth 13)
Command line: C:\Windows\system32\Pmpmnb32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4252

C:\Windows\SysWOW64\Ppafpm32.exe (depth 14)
Command line: C:\Windows\system32\Ppafpm32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1068

C:\Windows\SysWOW64\Qipqibmf.exe (depth 15)
Command line: C:\Windows\system32\Qipqibmf.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4844

C:\Windows\SysWOW64\Bqokhi32.exe (depth 16)
Command line: C:\Windows\system32\Bqokhi32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2712

C:\Windows\SysWOW64\Cgbfka32.exe (depth 17)
Command line: C:\Windows\system32\Cgbfka32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 4760

C:\Windows\SysWOW64\Cdfgdf32.exe (depth 18)
Command line: C:\Windows\system32\Cdfgdf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 3828

C:\Windows\SysWOW64\Cjflblll.exe (depth 19)
Command line: C:\Windows\system32\Cjflblll.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 628

C:\Windows\SysWOW64\Dgnffp32.exe (depth 20)
Command line: C:\Windows\system32\Dgnffp32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2892

C:\Windows\SysWOW64\Egelgoah.exe (depth 21)
Command line: C:\Windows\system32\Egelgoah.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4768

C:\Windows\SysWOW64\Fnkdpgnh.exe (depth 22)
Command line: C:\Windows\system32\Fnkdpgnh.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1668

C:\Windows\SysWOW64\Gajibq32.exe (depth 23)
Command line: C:\Windows\system32\Gajibq32.exe
- Executes dropped EXE
PID: 2984
C:\Windows\SysWOW64\Hoglbc32.exe (depth 24)
Command line: C:\Windows\system32\Hoglbc32.exe
- Executes dropped EXE
PID: 3156

C:\Windows\SysWOW64\Jnmbjnlm.exe (depth 25)
Command line: C:\Windows\system32\Jnmbjnlm.exe
- Executes dropped EXE
PID: 1720

C:\Windows\SysWOW64\Jefgak32.exe (depth 26)
Command line: C:\Windows\system32\Jefgak32.exe
- Executes dropped EXE
PID: 1252

C:\Windows\SysWOW64\Kkhidaeo.exe (depth 27)
Command line: C:\Windows\system32\Kkhidaeo.exe
- Executes dropped EXE
PID: 2548

C:\Windows\SysWOW64\Kdeghfhj.exe (depth 28)
Command line: C:\Windows\system32\Kdeghfhj.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2176

C:\Windows\SysWOW64\Kffphhmj.exe (depth 29)
Command line: C:\Windows\system32\Kffphhmj.exe
- Executes dropped EXE
PID: 4964

C:\Windows\SysWOW64\Lofjam32.exe (depth 30)
Command line: C:\Windows\system32\Lofjam32.exe
- Executes dropped EXE
- Modifies registry class
PID: 1336

C:\Windows\SysWOW64\Mbkmngfn.exe (depth 31)
Command line: C:\Windows\system32\Mbkmngfn.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 1988

C:\Windows\SysWOW64\Mmcnap32.exe (depth 32)
Command line: C:\Windows\system32\Mmcnap32.exe
- Executes dropped EXE
PID: 4608

C:\Windows\SysWOW64\Nbepdfnc.exe (depth 33)
Command line: C:\Windows\system32\Nbepdfnc.exe
- Executes dropped EXE
PID: 4500

C:\Windows\SysWOW64\Niohap32.exe (depth 34)
Command line: C:\Windows\system32\Niohap32.exe
- Executes dropped EXE
PID: 976

C:\Windows\SysWOW64\Ppnbpg32.exe (depth 35)
Command line: C:\Windows\system32\Ppnbpg32.exe
- Executes dropped EXE
PID: 1484

C:\Windows\SysWOW64\Pbokab32.exe (depth 36)
Command line: C:\Windows\system32\Pbokab32.exe
- Executes dropped EXE
PID: 4516

C:\Windows\SysWOW64\Aooolbep.exe (depth 37)
Command line: C:\Windows\system32\Aooolbep.exe
- Executes dropped EXE
PID: 2480

C:\Windows\SysWOW64\Aepmjk32.exe (depth 38)
Command line: C:\Windows\system32\Aepmjk32.exe
- Executes dropped EXE
PID: 4460

C:\Windows\SysWOW64\Bpjkbcbe.exe (depth 39)
Command line: C:\Windows\system32\Bpjkbcbe.exe
- Executes dropped EXE
PID: 4968

C:\Windows\SysWOW64\Bidlqhgc.exe (depth 40)
Command line: C:\Windows\system32\Bidlqhgc.exe
- Executes dropped EXE
PID: 4624

C:\Windows\SysWOW64\Ccajdmin.exe (depth 41)
Command line: C:\Windows\system32\Ccajdmin.exe
- Executes dropped EXE
PID: 2100

C:\Windows\SysWOW64\Ccipelcf.exe (depth 42)
Command line: C:\Windows\system32\Ccipelcf.exe
- Executes dropped EXE
PID: 4352

C:\Windows\SysWOW64\Cpmqoqbp.exe (depth 43)
Command line: C:\Windows\system32\Cpmqoqbp.exe
- Executes dropped EXE
PID: 2644

C:\Windows\SysWOW64\Dobnpm32.exe (depth 44)
Command line: C:\Windows\system32\Dobnpm32.exe
- Executes dropped EXE
PID: 4744

C:\Windows\SysWOW64\Dfclmfhl.exe (depth 45)
Command line: C:\Windows\system32\Dfclmfhl.exe
- Executes dropped EXE
PID: 2044

C:\Windows\SysWOW64\Eqkmpo32.exe (depth 46)
Command line: C:\Windows\system32\Eqkmpo32.exe
- Executes dropped EXE
PID: 1220

C:\Windows\SysWOW64\Efgehe32.exe (depth 47)
Command line: C:\Windows\system32\Efgehe32.exe
- Executes dropped EXE
PID: 2172

C:\Windows\SysWOW64\Fqfmlm32.exe (depth 48)
Command line: C:\Windows\system32\Fqfmlm32.exe
- Executes dropped EXE
PID: 5020

C:\Windows\SysWOW64\Fanbll32.exe (depth 49)
Command line: C:\Windows\system32\Fanbll32.exe
- Executes dropped EXE
PID: 1196
C:\Windows\SysWOW64\Gmnfglcd.exe (depth 50)
Command line: C:\Windows\system32\Gmnfglcd.exe
- Executes dropped EXE
PID: 5116

C:\Windows\SysWOW64\Gmpcmkaa.exe (depth 51)
Command line: C:\Windows\system32\Gmpcmkaa.exe
- Executes dropped EXE
PID: 4584

C:\Windows\SysWOW64\Hjdcfp32.exe (depth 52)
Command line: C:\Windows\system32\Hjdcfp32.exe
- Executes dropped EXE
PID: 3176

C:\Windows\SysWOW64\Hanlcjgh.exe (depth 53)
Command line: C:\Windows\system32\Hanlcjgh.exe
- Executes dropped EXE
PID: 2992

C:\Windows\SysWOW64\Hpchdf32.exe (depth 54)
Command line: C:\Windows\system32\Hpchdf32.exe
- Executes dropped EXE
PID: 2288

C:\Windows\SysWOW64\Haeadi32.exe (depth 55)
Command line: C:\Windows\system32\Haeadi32.exe
- Executes dropped EXE
PID: 4576

C:\Windows\SysWOW64\Hjmfmnhp.exe (depth 56)
Command line: C:\Windows\system32\Hjmfmnhp.exe
- Executes dropped EXE
PID: 552

C:\Windows\SysWOW64\Hagnihom.exe (depth 57)
Command line: C:\Windows\system32\Hagnihom.exe
- Executes dropped EXE
PID: 2836

C:\Windows\SysWOW64\Ifdgaond.exe (depth 58)
Command line: C:\Windows\system32\Ifdgaond.exe
- Executes dropped EXE
PID: 1980

C:\Windows\SysWOW64\Iajkohmj.exe (depth 59)
Command line: C:\Windows\system32\Iajkohmj.exe
- Executes dropped EXE
PID: 1804

C:\Windows\SysWOW64\Jmlkpgia.exe (depth 60)
Command line: C:\Windows\system32\Jmlkpgia.exe
- Executes dropped EXE
PID: 1400

C:\Windows\SysWOW64\Jmqekg32.exe (depth 61)
Command line: C:\Windows\system32\Jmqekg32.exe
- Executes dropped EXE
PID: 3680

C:\Windows\SysWOW64\Lggeej32.exe (depth 62)
Command line: C:\Windows\system32\Lggeej32.exe
- Executes dropped EXE
PID: 3316

C:\Windows\SysWOW64\Mhpeelnd.exe (depth 63)
Command line: C:\Windows\system32\Mhpeelnd.exe
- Executes dropped EXE
- Modifies registry class
PID: 3544

C:\Windows\SysWOW64\Mojmbf32.exe (depth 64)
Command line: C:\Windows\system32\Mojmbf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3224

C:\Windows\SysWOW64\Mbkfcabb.exe (depth 65)
Command line: C:\Windows\system32\Mbkfcabb.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 4372
C:\Windows\SysWOW64\Mqpcdn32.exe (depth 66)
Command line: C:\Windows\system32\Mqpcdn32.exe
PID: 3164

C:\Windows\SysWOW64\Nildajdg.exe (depth 67)
Command line: C:\Windows\system32\Nildajdg.exe
PID: 644

C:\Windows\SysWOW64\Ninafj32.exe (depth 68)
Command line: C:\Windows\system32\Ninafj32.exe
PID: 2852

C:\Windows\SysWOW64\Nohicdia.exe (depth 69)
Command line: C:\Windows\system32\Nohicdia.exe
- Modifies registry class
PID: 1620

C:\Windows\SysWOW64\Oelhljaq.exe (depth 70)
Command line: C:\Windows\system32\Oelhljaq.exe
- Modifies registry class
PID: 404

C:\Windows\SysWOW64\Pbiklmhp.exe (depth 71)
Command line: C:\Windows\system32\Pbiklmhp.exe
- Drops file in System32 directory
PID: 900

C:\Windows\SysWOW64\Piepnfnj.exe (depth 72)
Command line: C:\Windows\system32\Piepnfnj.exe
PID: 5052

C:\Windows\SysWOW64\Paqebike.exe (depth 73)
Command line: C:\Windows\system32\Paqebike.exe
- Drops file in System32 directory
PID: 4652

C:\Windows\SysWOW64\Alplfpbp.exe (depth 74)
Command line: C:\Windows\system32\Alplfpbp.exe
PID: 1900

C:\Windows\SysWOW64\Algbfo32.exe (depth 75)
Command line: C:\Windows\system32\Algbfo32.exe
PID: 3844

C:\Windows\SysWOW64\Bpggbm32.exe (depth 76)
Command line: C:\Windows\system32\Bpggbm32.exe
PID: 4336

C:\Windows\SysWOW64\Bedpjdoc.exe (depth 77)
Command line: C:\Windows\system32\Bedpjdoc.exe
PID: 4992

C:\Windows\SysWOW64\Bajqpe32.exe (depth 78)
Command line: C:\Windows\system32\Bajqpe32.exe
- Modifies registry class
PID: 3504

C:\Windows\SysWOW64\Blpemn32.exe (depth 79)
Command line: C:\Windows\system32\Blpemn32.exe
- Drops file in System32 directory
PID: 3788

C:\Windows\SysWOW64\Cemcqcgi.exe (depth 80)
Command line: C:\Windows\system32\Cemcqcgi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 856

C:\Windows\SysWOW64\Cpbgnlfo.exe (depth 81)
Command line: C:\Windows\system32\Cpbgnlfo.exe
- Drops file in System32 directory
PID: 1120

C:\Windows\SysWOW64\Cipebqij.exe (depth 82)
Command line: C:\Windows\system32\Cipebqij.exe
- Modifies registry class
PID: 5160

C:\Windows\SysWOW64\Dlegokbe.exe (depth 83)
Command line: C:\Windows\system32\Dlegokbe.exe
- Modifies registry class
PID: 5208

C:\Windows\SysWOW64\Dfphmp32.exe (depth 84)
Command line: C:\Windows\system32\Dfphmp32.exe
PID: 5252

C:\Windows\SysWOW64\Elojej32.exe (depth 85)
Command line: C:\Windows\system32\Elojej32.exe
PID: 5312

C:\Windows\SysWOW64\Ejegdngb.exe (depth 86)
Command line: C:\Windows\system32\Ejegdngb.exe
PID: 5376

C:\Windows\SysWOW64\Emhmkh32.exe (depth 87)
Command line: C:\Windows\system32\Emhmkh32.exe
PID: 5420

C:\Windows\SysWOW64\Fbgbione.exe (depth 88)
Command line: C:\Windows\system32\Fbgbione.exe
PID: 5464

C:\Windows\SysWOW64\Fjqgpl32.exe (depth 89)
Command line: C:\Windows\system32\Fjqgpl32.exe
PID: 5508

C:\Windows\SysWOW64\Fifdqhal.exe (depth 90)
Command line: C:\Windows\system32\Fifdqhal.exe
- Modifies registry class
PID: 5552

C:\Windows\SysWOW64\Gmkbgf32.exe (depth 91)
Command line: C:\Windows\system32\Gmkbgf32.exe
PID: 5600

C:\Windows\SysWOW64\Gbjhelnp.exe (depth 92)
Command line: C:\Windows\system32\Gbjhelnp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5644

C:\Windows\SysWOW64\Hmaihekc.exe (depth 93)
Command line: C:\Windows\system32\Hmaihekc.exe
PID: 5688

C:\Windows\SysWOW64\Hclaeocp.exe (depth 94)
Command line: C:\Windows\system32\Hclaeocp.exe
PID: 5740

C:\Windows\SysWOW64\Hihimfag.exe (depth 95)
Command line: C:\Windows\system32\Hihimfag.exe
- Drops file in System32 directory
PID: 5796

C:\Windows\SysWOW64\Hpbajp32.exe (depth 96)
Command line: C:\Windows\system32\Hpbajp32.exe
PID: 5848

C:\Windows\SysWOW64\Hjhfgi32.exe (depth 97)
Command line: C:\Windows\system32\Hjhfgi32.exe
PID: 5908

C:\Windows\SysWOW64\Hbcklkee.exe (depth 98)
Command line: C:\Windows\system32\Hbcklkee.exe
PID: 5952

C:\Windows\SysWOW64\Hmioicek.exe (depth 99)
Command line: C:\Windows\system32\Hmioicek.exe
PID: 5996

C:\Windows\SysWOW64\Ijmobhdd.exe (depth 100)
Command line: C:\Windows\system32\Ijmobhdd.exe
- Modifies registry class
PID: 6040

C:\Windows\SysWOW64\Icedkn32.exe (depth 101)
Command line: C:\Windows\system32\Icedkn32.exe
PID: 6088

C:\Windows\SysWOW64\Immhdc32.exe (depth 102)
Command line: C:\Windows\system32\Immhdc32.exe
PID: 5124

C:\Windows\SysWOW64\Ibmmbj32.exe (depth 103)
Command line: C:\Windows\system32\Ibmmbj32.exe
PID: 5192

C:\Windows\SysWOW64\Iiffoc32.exe (depth 104)
Command line: C:\Windows\system32\Iiffoc32.exe
PID: 4220

C:\Windows\SysWOW64\Iiibdc32.exe (depth 105)
Command line: C:\Windows\system32\Iiibdc32.exe
PID: 5336

C:\Windows\SysWOW64\Ifmcmg32.exe (depth 106)
Command line: C:\Windows\system32\Ifmcmg32.exe
PID: 5460

C:\Windows\SysWOW64\Jdqcglqh.exe (depth 107)
Command line: C:\Windows\system32\Jdqcglqh.exe
PID: 5540

C:\Windows\SysWOW64\Jdcplkoe.exe (depth 108)
Command line: C:\Windows\system32\Jdcplkoe.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5624

C:\Windows\SysWOW64\Jdhigk32.exe (depth 109)
Command line: C:\Windows\system32\Jdhigk32.exe
PID: 5720

C:\Windows\SysWOW64\Liekgo32.exe (depth 110)
Command line: C:\Windows\system32\Liekgo32.exe
- Modifies registry class
PID: 5788

C:\Windows\SysWOW64\Lgikpc32.exe (depth 111)
Command line: C:\Windows\system32\Lgikpc32.exe
PID: 5896

C:\Windows\SysWOW64\Lnccmnak.exe (depth 112)
Command line: C:\Windows\system32\Lnccmnak.exe
PID: 5960

C:\Windows\SysWOW64\Laqlclga.exe (depth 113)
Command line: C:\Windows\system32\Laqlclga.exe
PID: 6028

C:\Windows\SysWOW64\Lpfidh32.exe (depth 114)
Command line: C:\Windows\system32\Lpfidh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 6100

C:\Windows\SysWOW64\Maefnk32.exe (depth 115)
Command line: C:\Windows\system32\Maefnk32.exe
PID: 5176

C:\Windows\SysWOW64\Mgbnfb32.exe (depth 116)
Command line: C:\Windows\system32\Mgbnfb32.exe
PID: 5340

C:\Windows\SysWOW64\Nnhfokoc.exe (depth 117)
Command line: C:\Windows\system32\Nnhfokoc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 5448

C:\Windows\SysWOW64\Nnolojhk.exe (depth 118)
Command line: C:\Windows\system32\Nnolojhk.exe
PID: 5588

C:\Windows\SysWOW64\Odidld32.exe (depth 119)
Command line: C:\Windows\system32\Odidld32.exe
PID: 5680

C:\Windows\SysWOW64\Pqihgcma.exe (depth 120)
Command line: C:\Windows\system32\Pqihgcma.exe
- Drops file in System32 directory
- Modifies registry class
PID: 2680

C:\Windows\SysWOW64\Pghiomqi.exe (depth 121)
Command line: C:\Windows\system32\Pghiomqi.exe
PID: 1136

C:\Windows\SysWOW64\Qcccom32.exe (depth 122)
Command line: C:\Windows\system32\Qcccom32.exe
PID: 5864