Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 05:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe
Resource
win7-20240419-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe
-
Size
128KB
-
MD5
bcb3c816663489bca1f5657e73b18360
-
SHA1
67a97769fa0a06354ad3ecba965dee1832e9a76a
-
SHA256
50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e
-
SHA512
34a3c432a643cc8d73b916f628cfa67c7705102383046dbb74a809fa2f0ef802f6610b26120ffaecab54dc9428d4910ba2b6d9b88a7027beb709b4bf2019f9a0
-
SSDEEP
3072:ZqEoHWUCzDHWaUpfogsS5DSCopsIm81+jq2832dp5Xp+7+10l:ZqEooDHW9AgsSZSCZj81+jq4peBl
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iimjmbae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abphal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pggbla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggcffhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apdhjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Incpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnfbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqnejn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkemh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdneebf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpqpjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqpjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipkdnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bommnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmhdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkpfeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjfjbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gakcimgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lclnemgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odhfob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoloalf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qflhbhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amelne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbfbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkioa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbaileio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecejkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjqiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenobfak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcknbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npojdpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abeemhkh.exe -
Executes dropped EXE 64 IoCs
pid Process 2196 Aiinen32.exe 2344 Abbbnchb.exe 2832 Afmonbqk.exe 2640 Bpfcgg32.exe 2660 Boiccdnf.exe 2540 Bhahlj32.exe 1160 Bokphdld.exe 2868 Bloqah32.exe 3060 Bommnc32.exe 1984 Bghabf32.exe 344 Bopicc32.exe 2920 Bhhnli32.exe 280 Bjijdadm.exe 2312 Bdooajdc.exe 2500 Cgmkmecg.exe 2456 Cljcelan.exe 1152 Ccdlbf32.exe 1688 Cnippoha.exe 348 Cllpkl32.exe 548 Coklgg32.exe 2308 Cfeddafl.exe 1648 Cpjiajeb.exe 1884 Cciemedf.exe 900 Chemfl32.exe 1272 Ckdjbh32.exe 2032 Copfbfjj.exe 2844 Chhjkl32.exe 2820 Dflkdp32.exe 2764 Dhjgal32.exe 2872 Dqelenlc.exe 2692 Dhmcfkme.exe 2644 Dkkpbgli.exe 2856 Dbehoa32.exe 2900 Dnlidb32.exe 1128 Ddeaalpg.exe 2040 Dmafennb.exe 2744 Dcknbh32.exe 2896 Eihfjo32.exe 1776 Emcbkn32.exe 2140 Eflgccbp.exe 2708 Ejgcdb32.exe 572 Emeopn32.exe 1624 Epdkli32.exe 2056 Eilpeooq.exe 1000 Ekklaj32.exe 2288 Epfhbign.exe 1988 Eiomkn32.exe 1812 Egamfkdh.exe 1824 Enkece32.exe 2800 Ebgacddo.exe 2340 Eiaiqn32.exe 2684 Eloemi32.exe 2652 Ejbfhfaj.exe 2672 Ennaieib.exe 2592 Ealnephf.exe 2860 Fhffaj32.exe 3044 Fnpnndgp.exe 2408 Fmcoja32.exe 324 Fejgko32.exe 656 Fhhcgj32.exe 2616 Ffkcbgek.exe 2380 Fnbkddem.exe 380 Faagpp32.exe 668 Fdoclk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2208 50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe 2208 50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe 2196 Aiinen32.exe 2196 Aiinen32.exe 2344 Abbbnchb.exe 2344 Abbbnchb.exe 2832 Afmonbqk.exe 2832 Afmonbqk.exe 2640 Bpfcgg32.exe 2640 Bpfcgg32.exe 2660 Boiccdnf.exe 2660 Boiccdnf.exe 2540 Bhahlj32.exe 2540 Bhahlj32.exe 1160 Bokphdld.exe 1160 Bokphdld.exe 2868 Bloqah32.exe 2868 Bloqah32.exe 3060 Bommnc32.exe 3060 Bommnc32.exe 1984 Bghabf32.exe 1984 Bghabf32.exe 344 Bopicc32.exe 344 Bopicc32.exe 2920 Bhhnli32.exe 2920 Bhhnli32.exe 280 Bjijdadm.exe 280 Bjijdadm.exe 2312 Bdooajdc.exe 2312 Bdooajdc.exe 2500 Cgmkmecg.exe 2500 Cgmkmecg.exe 2456 Cljcelan.exe 2456 Cljcelan.exe 1152 Ccdlbf32.exe 1152 Ccdlbf32.exe 1688 Cnippoha.exe 1688 Cnippoha.exe 348 Cllpkl32.exe 348 Cllpkl32.exe 548 Coklgg32.exe 548 Coklgg32.exe 2308 Cfeddafl.exe 2308 Cfeddafl.exe 1648 Cpjiajeb.exe 1648 Cpjiajeb.exe 1884 Cciemedf.exe 1884 Cciemedf.exe 900 Chemfl32.exe 900 Chemfl32.exe 1272 Ckdjbh32.exe 1272 Ckdjbh32.exe 2032 Copfbfjj.exe 2032 Copfbfjj.exe 2844 Chhjkl32.exe 2844 Chhjkl32.exe 2820 Dflkdp32.exe 2820 Dflkdp32.exe 2764 Dhjgal32.exe 2764 Dhjgal32.exe 2872 Dqelenlc.exe 2872 Dqelenlc.exe 2692 Dhmcfkme.exe 2692 Dhmcfkme.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mmfbogcn.exe Mijfnh32.exe File created C:\Windows\SysWOW64\Fdebncjd.dll Igchlf32.exe File opened for modification C:\Windows\SysWOW64\Pkfceo32.exe Pdlkiepd.exe File created C:\Windows\SysWOW64\Napoohch.dll Aeenochi.exe File created C:\Windows\SysWOW64\Kmgbdo32.exe Kilfcpqm.exe File opened for modification C:\Windows\SysWOW64\Bilmcf32.exe Afnagk32.exe File created C:\Windows\SysWOW64\Hahjpbad.exe Hiqbndpb.exe File created C:\Windows\SysWOW64\Glqllcbf.dll Hjhhocjj.exe File created C:\Windows\SysWOW64\Jjpdcc32.dll Jkdpanhg.exe File opened for modification C:\Windows\SysWOW64\Mhdplq32.exe Ldidkbpb.exe File created C:\Windows\SysWOW64\Lchkpi32.dll Ejkima32.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Idceea32.exe File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Lliflp32.exe File opened for modification C:\Windows\SysWOW64\Pkndaa32.exe Piphee32.exe File created C:\Windows\SysWOW64\Mmdcie32.dll Leljop32.exe File created C:\Windows\SysWOW64\Piphee32.exe Pedleg32.exe File created C:\Windows\SysWOW64\Lpgimglf.dll Ijbdha32.exe File created C:\Windows\SysWOW64\Eflgccbp.exe Emcbkn32.exe File created C:\Windows\SysWOW64\Jfqahgpg.exe Jgnamk32.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Mbmjah32.exe Mponel32.exe File created C:\Windows\SysWOW64\Mahqjm32.dll Nlekia32.exe File opened for modification C:\Windows\SysWOW64\Cpjiajeb.exe Cfeddafl.exe File created C:\Windows\SysWOW64\Dlcdphdj.dll Chemfl32.exe File created C:\Windows\SysWOW64\Ckcmac32.dll Jjojofgn.exe File created C:\Windows\SysWOW64\Bnilfo32.dll Ppbfpd32.exe File created C:\Windows\SysWOW64\Fkcpip32.dll Flehkhai.exe File created C:\Windows\SysWOW64\Chemfl32.exe Cciemedf.exe File created C:\Windows\SysWOW64\Jooafm32.dll Leonofpp.exe File created C:\Windows\SysWOW64\Keednado.exe Kbfhbeek.exe File opened for modification C:\Windows\SysWOW64\Abeemhkh.exe Aniimjbo.exe File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe Epdkli32.exe File created C:\Windows\SysWOW64\Hmomkh32.dll Pqhijbog.exe File created C:\Windows\SysWOW64\Jhgkeald.dll Bnielm32.exe File opened for modification C:\Windows\SysWOW64\Jfnnha32.exe Jnffgd32.exe File created C:\Windows\SysWOW64\Npojdpef.exe Nmpnhdfc.exe File created C:\Windows\SysWOW64\Glpjaf32.dll Emeopn32.exe File created C:\Windows\SysWOW64\Pbfpik32.exe Pogclp32.exe File opened for modification C:\Windows\SysWOW64\Pgeefbhm.exe Pciifc32.exe File created C:\Windows\SysWOW64\Blpjegfm.exe Biamilfj.exe File created C:\Windows\SysWOW64\Igonafba.exe Iccbqh32.exe File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe Ealnephf.exe File created C:\Windows\SysWOW64\Pheafa32.dll Cciemedf.exe File opened for modification C:\Windows\SysWOW64\Dqelenlc.exe Dhjgal32.exe File created C:\Windows\SysWOW64\Lpbjlbfp.dll Eiaiqn32.exe File created C:\Windows\SysWOW64\Figlolbf.exe Ffhpbacb.exe File created C:\Windows\SysWOW64\Jnqphi32.exe Jkbcln32.exe File opened for modification C:\Windows\SysWOW64\Lmolnh32.exe Lollckbk.exe File created C:\Windows\SysWOW64\Cdikkg32.exe Cpnojioo.exe File created C:\Windows\SysWOW64\Labkdack.exe Lndohedg.exe File created C:\Windows\SysWOW64\Pnalpimd.dll Ocfigjlp.exe File opened for modification C:\Windows\SysWOW64\Mamddf32.exe Monhhk32.exe File created C:\Windows\SysWOW64\Hqalfl32.dll Kincipnk.exe File opened for modification C:\Windows\SysWOW64\Lphhenhc.exe Laegiq32.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hkpnhgge.exe File created C:\Windows\SysWOW64\Kpmlkp32.exe Kmopod32.exe File created C:\Windows\SysWOW64\Jkdpanhg.exe Jgidao32.exe File opened for modification C:\Windows\SysWOW64\Qfahhm32.exe Qbelgood.exe File created C:\Windows\SysWOW64\Ipllekdl.exe Iheddndj.exe File created C:\Windows\SysWOW64\Gbkgnfbd.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Aehboi32.exe Aamfnkai.exe File created C:\Windows\SysWOW64\Fbmcbbki.exe Fpngfgle.exe File created C:\Windows\SysWOW64\Jbdonb32.exe Jofbag32.exe File created C:\Windows\SysWOW64\Eqnolc32.dll Nmpnhdfc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8164 8172 WerFault.exe 765 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbnhng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mholen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhlhki32.dll" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmkdbj.dll" Kiccofna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll" Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqhijbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcknbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejgcdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmmcjehm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aigchgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhdgjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfjcc32.dll" Ijdqna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pledghce.dll" Jfnnha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqmmpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajjcbpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfoagoic.dll" Kjfjbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghjoa32.dll" Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdneebf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Febfomdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjnkb32.dll" Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efcfga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiihdlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhejlj.dll" Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndohedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdmddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" Emeopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkjqde.dll" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmgg32.dll" Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifkacb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leljop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biafnecn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gobgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jddnncch.dll" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll" Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biddmpnf.dll" Hakphqja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnfbe32.dll" Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkgmi32.dll" Mijfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" Faagpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkmdpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbkgnfbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmneda32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2196 2208 50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe 28 PID 2208 wrote to memory of 2196 2208 50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe 28 PID 2208 wrote to memory of 2196 2208 50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe 28 PID 2208 wrote to memory of 2196 2208 50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe 28 PID 2196 wrote to memory of 2344 2196 Aiinen32.exe 29 PID 2196 wrote to memory of 2344 2196 Aiinen32.exe 29 PID 2196 wrote to memory of 2344 2196 Aiinen32.exe 29 PID 2196 wrote to memory of 2344 2196 Aiinen32.exe 29 PID 2344 wrote to memory of 2832 2344 Abbbnchb.exe 30 PID 2344 wrote to memory of 2832 2344 Abbbnchb.exe 30 PID 2344 wrote to memory of 2832 2344 Abbbnchb.exe 30 PID 2344 wrote to memory of 2832 2344 Abbbnchb.exe 30 PID 2832 wrote to memory of 2640 2832 Afmonbqk.exe 31 PID 2832 wrote to memory of 2640 2832 Afmonbqk.exe 31 PID 2832 wrote to memory of 2640 2832 Afmonbqk.exe 31 PID 2832 wrote to memory of 2640 2832 Afmonbqk.exe 31 PID 2640 wrote to memory of 2660 2640 Bpfcgg32.exe 32 PID 2640 wrote to memory of 2660 2640 Bpfcgg32.exe 32 PID 2640 wrote to memory of 2660 2640 Bpfcgg32.exe 32 PID 2640 wrote to memory of 2660 2640 Bpfcgg32.exe 32 PID 2660 wrote to memory of 2540 2660 Boiccdnf.exe 33 PID 2660 wrote to memory of 2540 2660 Boiccdnf.exe 33 PID 2660 wrote to memory of 2540 2660 Boiccdnf.exe 33 PID 2660 wrote to memory of 2540 2660 Boiccdnf.exe 33 PID 2540 wrote to memory of 1160 2540 Bhahlj32.exe 34 PID 2540 wrote to memory of 1160 2540 Bhahlj32.exe 34 PID 2540 wrote to memory of 1160 2540 Bhahlj32.exe 34 PID 2540 wrote to memory of 1160 2540 Bhahlj32.exe 34 PID 1160 wrote to memory of 2868 1160 Bokphdld.exe 35 PID 1160 wrote to memory of 2868 1160 Bokphdld.exe 35 PID 1160 wrote to memory of 2868 1160 Bokphdld.exe 35 PID 1160 wrote to memory of 2868 1160 Bokphdld.exe 35 PID 2868 wrote to memory of 3060 2868 Bloqah32.exe 36 PID 2868 wrote to memory of 3060 2868 Bloqah32.exe 36 PID 2868 wrote to memory of 3060 2868 Bloqah32.exe 36 PID 2868 wrote to memory of 3060 2868 Bloqah32.exe 36 PID 3060 wrote to memory of 1984 3060 Bommnc32.exe 37 PID 3060 wrote to memory of 1984 3060 Bommnc32.exe 37 PID 3060 wrote to memory of 1984 3060 Bommnc32.exe 37 PID 3060 wrote to memory of 1984 3060 Bommnc32.exe 37 PID 1984 wrote to memory of 344 1984 Bghabf32.exe 38 PID 1984 wrote to memory of 344 1984 Bghabf32.exe 38 PID 1984 wrote to memory of 344 1984 Bghabf32.exe 38 PID 1984 wrote to memory of 344 1984 Bghabf32.exe 38 PID 344 wrote to memory of 2920 344 Bopicc32.exe 39 PID 344 wrote to memory of 2920 344 Bopicc32.exe 39 PID 344 wrote to memory of 2920 344 Bopicc32.exe 39 PID 344 wrote to memory of 2920 344 Bopicc32.exe 39 PID 2920 wrote to memory of 280 2920 Bhhnli32.exe 40 PID 2920 wrote to memory of 280 2920 Bhhnli32.exe 40 PID 2920 wrote to memory of 280 2920 Bhhnli32.exe 40 PID 2920 wrote to memory of 280 2920 Bhhnli32.exe 40 PID 280 wrote to memory of 2312 280 Bjijdadm.exe 41 PID 280 wrote to memory of 2312 280 Bjijdadm.exe 41 PID 280 wrote to memory of 2312 280 Bjijdadm.exe 41 PID 280 wrote to memory of 2312 280 Bjijdadm.exe 41 PID 2312 wrote to memory of 2500 2312 Bdooajdc.exe 42 PID 2312 wrote to memory of 2500 2312 Bdooajdc.exe 42 PID 2312 wrote to memory of 2500 2312 Bdooajdc.exe 42 PID 2312 wrote to memory of 2500 2312 Bdooajdc.exe 42 PID 2500 wrote to memory of 2456 2500 Cgmkmecg.exe 43 PID 2500 wrote to memory of 2456 2500 Cgmkmecg.exe 43 PID 2500 wrote to memory of 2456 2500 Cgmkmecg.exe 43 PID 2500 wrote to memory of 2456 2500 Cgmkmecg.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\50cfa5fa4e692a9e4da40a94e758a3884f73600acc7506edb29f2b2228340f7e_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:348 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe33⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe34⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe35⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe36⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe37⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe39⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe41⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe45⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe47⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe48⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe49⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe50⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe51⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe53⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe54⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe55⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe57⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe59⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe60⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe61⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe62⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe63⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe65⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe66⤵PID:2480
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe67⤵PID:2316
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe68⤵PID:964
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe69⤵PID:1052
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe70⤵PID:2488
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe71⤵PID:2256
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe73⤵PID:2596
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe74⤵PID:2916
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe75⤵PID:1968
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe76⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe77⤵PID:268
-
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe78⤵PID:2176
-
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe79⤵PID:840
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe80⤵
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe81⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe82⤵PID:2476
-
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe83⤵PID:1796
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe84⤵
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe85⤵PID:1756
-
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe86⤵PID:2788
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe87⤵PID:2392
-
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe88⤵PID:2576
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe89⤵PID:2536
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe90⤵PID:3048
-
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe91⤵PID:2940
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe93⤵PID:1552
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe95⤵PID:2988
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe97⤵
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe98⤵PID:1260
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe99⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe100⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe101⤵PID:2796
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe102⤵PID:2628
-
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe103⤵PID:2824
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe104⤵PID:3040
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe105⤵PID:2004
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe106⤵PID:2448
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe108⤵
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe109⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe110⤵PID:1828
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe111⤵PID:2664
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe112⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe113⤵PID:2564
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe114⤵PID:3052
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe115⤵PID:1836
-
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe117⤵PID:1680
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe118⤵PID:1872
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe119⤵PID:780
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe120⤵PID:2080
-
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe121⤵PID:2808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-