Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
25-06-2024 11:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe
-
Size
60KB
-
MD5
3f238704abcd2043bf7da35044726f30
-
SHA1
8d3069e007e7361b48af65fde15759c311c02c0b
-
SHA256
5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2
-
SHA512
1ee96caa1b8c12ccbf3b2a8d463d5d2e28ec02d49f1506b934ed6d91996d57422db2f82036a81ebbaabf5312127d5c46e9dc91ac2437f140028d10ef343d4120
-
SSDEEP
768:DoFzDzdyQuoJXgxC2zKfYpPpa+YAXl3SzPUwXd/Witwsw55zrCs9g4qRh7yre9/N:DSDMQXXAKQfdN555jGbUESB86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqamn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlakpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geolea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdkao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamiog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpdbloof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpdjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggkllpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnoomqbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfqahgpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggkllpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahdaee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkndaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joplbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojahnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egafleqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onhgbmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidnohbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgmgmfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehkodcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfdkoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjddchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knjbnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mijfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifnechbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecejkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppbfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocimgp32.exe -
Executes dropped EXE 64 IoCs
pid Process 2932 Ffpmnf32.exe 2672 Fphafl32.exe 2660 Fddmgjpo.exe 2548 Feeiob32.exe 2444 Globlmmj.exe 3012 Gpknlk32.exe 1916 Gbijhg32.exe 1476 Gfefiemq.exe 1432 Ghfbqn32.exe 2328 Gbkgnfbd.exe 1688 Gejcjbah.exe 268 Gldkfl32.exe 1900 Gobgcg32.exe 1704 Gbnccfpb.exe 2280 Ghkllmoi.exe 2508 Gmgdddmq.exe 2472 Geolea32.exe 1992 Gdamqndn.exe 1632 Gkkemh32.exe 860 Gkkemh32.exe 1628 Gphmeo32.exe 1016 Hgbebiao.exe 2496 Hiqbndpb.exe 2160 Hahjpbad.exe 3028 Hcifgjgc.exe 3004 Hkpnhgge.exe 2120 Hlakpp32.exe 2440 Hckcmjep.exe 292 Hejoiedd.exe 2580 Hlcgeo32.exe 2832 Hpocfncj.exe 112 Hgilchkf.exe 1460 Hellne32.exe 300 Hjhhocjj.exe 1664 Hlfdkoin.exe 468 Hodpgjha.exe 604 Hjjddchg.exe 1428 Icbimi32.exe 2612 Ieqeidnl.exe 2112 Ihoafpmp.exe 272 Ilknfn32.exe 2396 Inljnfkg.exe 1792 Ifcbodli.exe 2292 Idfbkq32.exe 2204 Iokfhi32.exe 2152 Inngcfid.exe 1800 Iajcde32.exe 1556 Ihdkao32.exe 1472 Iggkllpe.exe 828 Ijeghgoh.exe 2632 Iblpjdpk.exe 2936 Iqopea32.exe 2620 Icmlam32.exe 2408 Icmlam32.exe 1368 Ikddbj32.exe 2024 Ijgdngmf.exe 1560 Imfqjbli.exe 1672 Iqalka32.exe 2308 Idmhkpml.exe 1448 Igkdgk32.exe 556 Ifnechbj.exe 2344 Jjjacf32.exe 848 Jmhmpb32.exe 2704 Jofiln32.exe -
Loads dropped DLL 64 IoCs
pid Process 2872 5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe 2872 5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe 2932 Ffpmnf32.exe 2932 Ffpmnf32.exe 2672 Fphafl32.exe 2672 Fphafl32.exe 2660 Fddmgjpo.exe 2660 Fddmgjpo.exe 2548 Feeiob32.exe 2548 Feeiob32.exe 2444 Globlmmj.exe 2444 Globlmmj.exe 3012 Gpknlk32.exe 3012 Gpknlk32.exe 1916 Gbijhg32.exe 1916 Gbijhg32.exe 1476 Gfefiemq.exe 1476 Gfefiemq.exe 1432 Ghfbqn32.exe 1432 Ghfbqn32.exe 2328 Gbkgnfbd.exe 2328 Gbkgnfbd.exe 1688 Gejcjbah.exe 1688 Gejcjbah.exe 268 Gldkfl32.exe 268 Gldkfl32.exe 1900 Gobgcg32.exe 1900 Gobgcg32.exe 1704 Gbnccfpb.exe 1704 Gbnccfpb.exe 2280 Ghkllmoi.exe 2280 Ghkllmoi.exe 2508 Gmgdddmq.exe 2508 Gmgdddmq.exe 2472 Geolea32.exe 2472 Geolea32.exe 1992 Gdamqndn.exe 1992 Gdamqndn.exe 1632 Gkkemh32.exe 1632 Gkkemh32.exe 860 Gkkemh32.exe 860 Gkkemh32.exe 1628 Gphmeo32.exe 1628 Gphmeo32.exe 1016 Hgbebiao.exe 1016 Hgbebiao.exe 2496 Hiqbndpb.exe 2496 Hiqbndpb.exe 2160 Hahjpbad.exe 2160 Hahjpbad.exe 3028 Hcifgjgc.exe 3028 Hcifgjgc.exe 3004 Hkpnhgge.exe 3004 Hkpnhgge.exe 2120 Hlakpp32.exe 2120 Hlakpp32.exe 2440 Hckcmjep.exe 2440 Hckcmjep.exe 292 Hejoiedd.exe 292 Hejoiedd.exe 2580 Hlcgeo32.exe 2580 Hlcgeo32.exe 2832 Hpocfncj.exe 2832 Hpocfncj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gfefiemq.exe Gbijhg32.exe File created C:\Windows\SysWOW64\Phoccb32.dll Jokcgmee.exe File created C:\Windows\SysWOW64\Cfmepigc.dll Kmjfdejp.exe File created C:\Windows\SysWOW64\Fkeemhpn.dll Mpigfa32.exe File created C:\Windows\SysWOW64\Fljdpbcc.dll Nkgbbo32.exe File created C:\Windows\SysWOW64\Dhhlgc32.dll Ekelld32.exe File created C:\Windows\SysWOW64\Egllae32.exe Ecqqpgli.exe File opened for modification C:\Windows\SysWOW64\Hckcmjep.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Iggkllpe.exe Ihdkao32.exe File created C:\Windows\SysWOW64\Okhklfnh.dll Llnofpcg.exe File created C:\Windows\SysWOW64\Pqhmfm32.dll Ncgdbmmp.exe File opened for modification C:\Windows\SysWOW64\Okikfagn.exe Omfkke32.exe File created C:\Windows\SysWOW64\Ajjcbpdd.exe Afohaa32.exe File created C:\Windows\SysWOW64\Cnkicn32.exe Cohigamf.exe File opened for modification C:\Windows\SysWOW64\Ifnechbj.exe Igkdgk32.exe File created C:\Windows\SysWOW64\Mdkqqa32.exe Mamddf32.exe File opened for modification C:\Windows\SysWOW64\Mhgmapfi.exe Mdkqqa32.exe File opened for modification C:\Windows\SysWOW64\Mlkopcge.exe Mimbdhhb.exe File created C:\Windows\SysWOW64\Olmhdf32.exe Onjgiiad.exe File created C:\Windows\SysWOW64\Gphmeo32.exe Gkkemh32.exe File opened for modification C:\Windows\SysWOW64\Iggkllpe.exe Ihdkao32.exe File opened for modification C:\Windows\SysWOW64\Knjbnh32.exe Kgpjanje.exe File created C:\Windows\SysWOW64\Lfjqnjkh.exe Lldlqakb.exe File opened for modification C:\Windows\SysWOW64\Naoniipe.exe Noqamn32.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Doehqead.exe File opened for modification C:\Windows\SysWOW64\Imfqjbli.exe Ijgdngmf.exe File created C:\Windows\SysWOW64\Kmmcjehm.exe Knjbnh32.exe File created C:\Windows\SysWOW64\Daoiajfm.dll Lflmci32.exe File created C:\Windows\SysWOW64\Amdhhh32.dll Nlbeqb32.exe File created C:\Windows\SysWOW64\Llgodg32.dll Oopnlacm.exe File opened for modification C:\Windows\SysWOW64\Aipddi32.exe Qedhdjnh.exe File opened for modification C:\Windows\SysWOW64\Dknekeef.exe Dlkepi32.exe File created C:\Windows\SysWOW64\Ijgdngmf.exe Ikddbj32.exe File created C:\Windows\SysWOW64\Jdekadnf.dll Jjjacf32.exe File created C:\Windows\SysWOW64\Jejhecaj.exe Jfghif32.exe File created C:\Windows\SysWOW64\Cnobnmpl.exe Cjdfmo32.exe File created C:\Windows\SysWOW64\Nnhkcj32.exe Nkiogn32.exe File opened for modification C:\Windows\SysWOW64\Aamfnkai.exe Abjebn32.exe File created C:\Windows\SysWOW64\Efhhaddp.dll Dliijipn.exe File created C:\Windows\SysWOW64\Egqdeaqb.dll Dlkepi32.exe File created C:\Windows\SysWOW64\Lednakhd.dll Dkcofe32.exe File created C:\Windows\SysWOW64\Pabfdklg.dll Gobgcg32.exe File created C:\Windows\SysWOW64\Ocgpappk.exe Oddpfc32.exe File opened for modification C:\Windows\SysWOW64\Ocimgp32.exe Oonafa32.exe File created C:\Windows\SysWOW64\Heldepab.dll Ofjfhk32.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Omfkke32.exe File opened for modification C:\Windows\SysWOW64\Pikkiijf.exe Pjhknm32.exe File created C:\Windows\SysWOW64\Kijbioba.dll Doehqead.exe File opened for modification C:\Windows\SysWOW64\Lbqabkql.exe Lpbefoai.exe File opened for modification C:\Windows\SysWOW64\Nhfipcid.exe Nehmdhja.exe File created C:\Windows\SysWOW64\Feljlnoc.dll Nhiffc32.exe File opened for modification C:\Windows\SysWOW64\Nhdlkdkg.exe Nialog32.exe File opened for modification C:\Windows\SysWOW64\Gphmeo32.exe Gkkemh32.exe File created C:\Windows\SysWOW64\Hjjddchg.exe Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Lijjoe32.exe Lflmci32.exe File opened for modification C:\Windows\SysWOW64\Mlibjc32.exe Mmfbogcn.exe File created C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File created C:\Windows\SysWOW64\Fbfqed32.dll Lfjqnjkh.exe File created C:\Windows\SysWOW64\Bbhela32.exe Bafidiio.exe File opened for modification C:\Windows\SysWOW64\Dliijipn.exe Dhnmij32.exe File created C:\Windows\SysWOW64\Geemiobo.dll Edkcojga.exe File created C:\Windows\SysWOW64\Kcbabf32.dll Ecqqpgli.exe File created C:\Windows\SysWOW64\Kaklpcoc.exe Kiccofna.exe File created C:\Windows\SysWOW64\Bcinmgng.dll Kcihlong.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4348 4312 WerFault.exe 432 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkjnkib.dll" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleofcd.dll" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbgbni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidengnp.dll" Anlmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbhke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpbheh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbnccfpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmamfo32.dll" Mhdplq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nocnbmoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adnopfoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" Gldkfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" Nkiogn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlqhoba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necfoajd.dll" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofjfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimkpfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkpnhgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjobj32.dll" Lhbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najdnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbgbdkh.dll" Oqmmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddpkh32.dll" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll" Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goipbehm.dll" Ifnechbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joifam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kclhicjn.dll" Bblogakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lollckbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhfbach.dll" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbpkign.dll" Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmmcjehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pogclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofjfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqiaclmk.dll" Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll" Bmpfojmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemaaoaf.dll" Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhfipcid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfoqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" Gpknlk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2932 2872 5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe 28 PID 2872 wrote to memory of 2932 2872 5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe 28 PID 2872 wrote to memory of 2932 2872 5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe 28 PID 2872 wrote to memory of 2932 2872 5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe 28 PID 2932 wrote to memory of 2672 2932 Ffpmnf32.exe 29 PID 2932 wrote to memory of 2672 2932 Ffpmnf32.exe 29 PID 2932 wrote to memory of 2672 2932 Ffpmnf32.exe 29 PID 2932 wrote to memory of 2672 2932 Ffpmnf32.exe 29 PID 2672 wrote to memory of 2660 2672 Fphafl32.exe 30 PID 2672 wrote to memory of 2660 2672 Fphafl32.exe 30 PID 2672 wrote to memory of 2660 2672 Fphafl32.exe 30 PID 2672 wrote to memory of 2660 2672 Fphafl32.exe 30 PID 2660 wrote to memory of 2548 2660 Fddmgjpo.exe 31 PID 2660 wrote to memory of 2548 2660 Fddmgjpo.exe 31 PID 2660 wrote to memory of 2548 2660 Fddmgjpo.exe 31 PID 2660 wrote to memory of 2548 2660 Fddmgjpo.exe 31 PID 2548 wrote to memory of 2444 2548 Feeiob32.exe 32 PID 2548 wrote to memory of 2444 2548 Feeiob32.exe 32 PID 2548 wrote to memory of 2444 2548 Feeiob32.exe 32 PID 2548 wrote to memory of 2444 2548 Feeiob32.exe 32 PID 2444 wrote to memory of 3012 2444 Globlmmj.exe 33 PID 2444 wrote to memory of 3012 2444 Globlmmj.exe 33 PID 2444 wrote to memory of 3012 2444 Globlmmj.exe 33 PID 2444 wrote to memory of 3012 2444 Globlmmj.exe 33 PID 3012 wrote to memory of 1916 3012 Gpknlk32.exe 34 PID 3012 wrote to memory of 1916 3012 Gpknlk32.exe 34 PID 3012 wrote to memory of 1916 3012 Gpknlk32.exe 34 PID 3012 wrote to memory of 1916 3012 Gpknlk32.exe 34 PID 1916 wrote to memory of 1476 1916 Gbijhg32.exe 35 PID 1916 wrote to memory of 1476 1916 Gbijhg32.exe 35 PID 1916 wrote to memory of 1476 1916 Gbijhg32.exe 35 PID 1916 wrote to memory of 1476 1916 Gbijhg32.exe 35 PID 1476 wrote to memory of 1432 1476 Gfefiemq.exe 36 PID 1476 wrote to memory of 1432 1476 Gfefiemq.exe 36 PID 1476 wrote to memory of 1432 1476 Gfefiemq.exe 36 PID 1476 wrote to memory of 1432 1476 Gfefiemq.exe 36 PID 1432 wrote to memory of 2328 1432 Ghfbqn32.exe 37 PID 1432 wrote to memory of 2328 1432 Ghfbqn32.exe 37 PID 1432 wrote to memory of 2328 1432 Ghfbqn32.exe 37 PID 1432 wrote to memory of 2328 1432 Ghfbqn32.exe 37 PID 2328 wrote to memory of 1688 2328 Gbkgnfbd.exe 38 PID 2328 wrote to memory of 1688 2328 Gbkgnfbd.exe 38 PID 2328 wrote to memory of 1688 2328 Gbkgnfbd.exe 38 PID 2328 wrote to memory of 1688 2328 Gbkgnfbd.exe 38 PID 1688 wrote to memory of 268 1688 Gejcjbah.exe 39 PID 1688 wrote to memory of 268 1688 Gejcjbah.exe 39 PID 1688 wrote to memory of 268 1688 Gejcjbah.exe 39 PID 1688 wrote to memory of 268 1688 Gejcjbah.exe 39 PID 268 wrote to memory of 1900 268 Gldkfl32.exe 40 PID 268 wrote to memory of 1900 268 Gldkfl32.exe 40 PID 268 wrote to memory of 1900 268 Gldkfl32.exe 40 PID 268 wrote to memory of 1900 268 Gldkfl32.exe 40 PID 1900 wrote to memory of 1704 1900 Gobgcg32.exe 41 PID 1900 wrote to memory of 1704 1900 Gobgcg32.exe 41 PID 1900 wrote to memory of 1704 1900 Gobgcg32.exe 41 PID 1900 wrote to memory of 1704 1900 Gobgcg32.exe 41 PID 1704 wrote to memory of 2280 1704 Gbnccfpb.exe 42 PID 1704 wrote to memory of 2280 1704 Gbnccfpb.exe 42 PID 1704 wrote to memory of 2280 1704 Gbnccfpb.exe 42 PID 1704 wrote to memory of 2280 1704 Gbnccfpb.exe 42 PID 2280 wrote to memory of 2508 2280 Ghkllmoi.exe 43 PID 2280 wrote to memory of 2508 2280 Ghkllmoi.exe 43 PID 2280 wrote to memory of 2508 2280 Ghkllmoi.exe 43 PID 2280 wrote to memory of 2508 2280 Ghkllmoi.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5ce3a3bbeb46a91973bf9fd8f36ecc7108b8c40a97a4f4b156187abe027431d2_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe33⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe34⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe35⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe39⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe40⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe42⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe43⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe45⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe46⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe47⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe48⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe51⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe52⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe53⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe55⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe58⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe59⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe60⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe65⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe66⤵PID:2768
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe67⤵
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1468 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe69⤵PID:1696
-
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe70⤵PID:2232
-
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe71⤵
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:704 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe73⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe74⤵PID:2740
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe75⤵PID:2000
-
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe76⤵PID:1512
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe77⤵PID:2448
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe78⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe79⤵PID:2864
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe81⤵PID:2240
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe82⤵PID:340
-
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe83⤵PID:2388
-
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe84⤵PID:1728
-
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe85⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe86⤵
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2912 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe88⤵PID:2036
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe89⤵PID:1412
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe91⤵PID:2360
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe92⤵PID:1976
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe93⤵PID:1056
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe94⤵PID:2020
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe95⤵PID:1960
-
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe97⤵PID:2512
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe98⤵PID:2488
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe99⤵PID:2004
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe100⤵PID:1516
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe101⤵PID:2316
-
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe102⤵
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe103⤵
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe104⤵PID:1280
-
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe105⤵PID:1216
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe106⤵PID:2368
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe107⤵
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe109⤵
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe111⤵PID:2588
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe112⤵PID:2432
-
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe113⤵PID:2380
-
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe114⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe115⤵PID:1904
-
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe116⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe117⤵PID:1248
-
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe118⤵PID:620
-
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe119⤵PID:1596
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe120⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe121⤵
- Drops file in System32 directory
PID:2352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-