Analysis
-
max time kernel
144s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 22:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe
-
Size
148KB
-
MD5
528fa2a0e32ec881b11264a991490940
-
SHA1
f89d6fb32b5e37ea11be6daaa45ff4a5b4ef64ec
-
SHA256
2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16
-
SHA512
3ee949fb4720a7cd52cddffb0e04f5e4702af1db7a8bf84cf127eb5aa69a1582e9fa8228a9e43bba8fe2169cbca1615cd41176942b01065f3ac3a373f4506a9f
-
SSDEEP
3072:UHmj5NmUlDzHmDrdiqPnUWsY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:UH0NrDzHmDrdiq/UWsKOdzOdkOdezOd
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiondcpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgmgmfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehkodcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noqamn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjbgnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pikkiijf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokcgmee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnlqnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpfojmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmhodf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnqqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhodf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclkfdnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjadmnic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenbpec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmmfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpleef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqbddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnqqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hknach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblogakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idfbkq32.exe -
Executes dropped EXE 64 IoCs
pid Process 2516 Apomfh32.exe 2220 Ambmpmln.exe 3060 Aenbdoii.exe 2856 Afmonbqk.exe 1960 Bpfcgg32.exe 2608 Bhahlj32.exe 2440 Baildokg.exe 2940 Bloqah32.exe 2536 Balijo32.exe 2688 Bkdmcdoe.exe 2620 Bhhnli32.exe 1036 Bdooajdc.exe 2744 Cljcelan.exe 1252 Cjndop32.exe 2468 Cgbdhd32.exe 2332 Cciemedf.exe 384 Cjbmjplb.exe 1720 Cdlnkmha.exe 676 Clcflkic.exe 1340 Dqelenlc.exe 2052 Djnpnc32.exe 764 Dkmmhf32.exe 2884 Dfgmhd32.exe 980 Dfijnd32.exe 876 Djefobmk.exe 1004 Eflgccbp.exe 2180 Eijcpoac.exe 2612 Eilpeooq.exe 2984 Eecqjpee.exe 2640 Elmigj32.exe 2712 Egdilkbf.exe 3016 Ejbfhfaj.exe 1400 Flabbihl.exe 2496 Fejgko32.exe 2756 Fnbkddem.exe 2672 Faagpp32.exe 2404 Fmhheqje.exe 1324 Fdapak32.exe 2668 Fbdqmghm.exe 1248 Fbgmbg32.exe 2120 Globlmmj.exe 2264 Gpmjak32.exe 540 Gangic32.exe 576 Gkgkbipp.exe 840 Gelppaof.exe 1644 Gacpdbej.exe 348 Geolea32.exe 1728 Ggpimica.exe 2260 Gmjaic32.exe 560 Gddifnbk.exe 3048 Hknach32.exe 3004 Hahjpbad.exe 1668 Hdfflm32.exe 2224 Hgdbhi32.exe 2288 Hkpnhgge.exe 2108 Hpmgqnfl.exe 2592 Hckcmjep.exe 2724 Hlcgeo32.exe 2604 Hobcak32.exe 2936 Hellne32.exe 2824 Hjhhocjj.exe 1316 Hlfdkoin.exe 2772 Hodpgjha.exe 2736 Hjjddchg.exe -
Loads dropped DLL 64 IoCs
pid Process 2300 2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe 2300 2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe 2516 Apomfh32.exe 2516 Apomfh32.exe 2220 Ambmpmln.exe 2220 Ambmpmln.exe 3060 Aenbdoii.exe 3060 Aenbdoii.exe 2856 Afmonbqk.exe 2856 Afmonbqk.exe 1960 Bpfcgg32.exe 1960 Bpfcgg32.exe 2608 Bhahlj32.exe 2608 Bhahlj32.exe 2440 Baildokg.exe 2440 Baildokg.exe 2940 Bloqah32.exe 2940 Bloqah32.exe 2536 Balijo32.exe 2536 Balijo32.exe 2688 Bkdmcdoe.exe 2688 Bkdmcdoe.exe 2620 Bhhnli32.exe 2620 Bhhnli32.exe 1036 Bdooajdc.exe 1036 Bdooajdc.exe 2744 Cljcelan.exe 2744 Cljcelan.exe 1252 Cjndop32.exe 1252 Cjndop32.exe 2468 Cgbdhd32.exe 2468 Cgbdhd32.exe 2332 Cciemedf.exe 2332 Cciemedf.exe 384 Cjbmjplb.exe 384 Cjbmjplb.exe 1720 Cdlnkmha.exe 1720 Cdlnkmha.exe 676 Clcflkic.exe 676 Clcflkic.exe 1340 Dqelenlc.exe 1340 Dqelenlc.exe 2052 Djnpnc32.exe 2052 Djnpnc32.exe 764 Dkmmhf32.exe 764 Dkmmhf32.exe 2884 Dfgmhd32.exe 2884 Dfgmhd32.exe 980 Dfijnd32.exe 980 Dfijnd32.exe 876 Djefobmk.exe 876 Djefobmk.exe 1004 Eflgccbp.exe 1004 Eflgccbp.exe 2180 Eijcpoac.exe 2180 Eijcpoac.exe 2612 Eilpeooq.exe 2612 Eilpeooq.exe 2984 Eecqjpee.exe 2984 Eecqjpee.exe 2640 Elmigj32.exe 2640 Elmigj32.exe 2712 Egdilkbf.exe 2712 Egdilkbf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hgggfhdc.dll Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Caknol32.exe Ckafbbph.exe File opened for modification C:\Windows\SysWOW64\Kneicieh.exe Kkgmgmfd.exe File opened for modification C:\Windows\SysWOW64\Kmaled32.exe Kjcpii32.exe File created C:\Windows\SysWOW64\Ecmkgokh.dll Hogmmjfo.exe File created C:\Windows\SysWOW64\Nkkgfioo.dll Noqamn32.exe File created C:\Windows\SysWOW64\Cgqjffca.dll Eflgccbp.exe File created C:\Windows\SysWOW64\Ahlgfdeq.exe Aaaoij32.exe File created C:\Windows\SysWOW64\Noqamn32.exe Ndkmpe32.exe File opened for modification C:\Windows\SysWOW64\Piphee32.exe Pedleg32.exe File created C:\Windows\SysWOW64\Ejbfhfaj.exe Egdilkbf.exe File created C:\Windows\SysWOW64\Goipbehm.dll Igkdgk32.exe File created C:\Windows\SysWOW64\Blopagpd.dll Dccagcgk.exe File created C:\Windows\SysWOW64\Fpmkde32.dll Gangic32.exe File opened for modification C:\Windows\SysWOW64\Hpmgqnfl.exe Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Jbgbni32.exe Jqfffqpm.exe File created C:\Windows\SysWOW64\Gjpmgg32.dll Dfmdho32.exe File created C:\Windows\SysWOW64\Dpajdp32.dll Ocnfbo32.exe File created C:\Windows\SysWOW64\Ddigjkid.exe Dnoomqbg.exe File opened for modification C:\Windows\SysWOW64\Dkcofe32.exe Ddigjkid.exe File created C:\Windows\SysWOW64\Pabakh32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Aaaoij32.exe File created C:\Windows\SysWOW64\Aoepcn32.exe Ahlgfdeq.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Cdlnkmha.exe File created C:\Windows\SysWOW64\Bibkki32.dll Leajdfnm.exe File created C:\Windows\SysWOW64\Nbpiak32.dll Lojomkdn.exe File opened for modification C:\Windows\SysWOW64\Noqamn32.exe Ndkmpe32.exe File opened for modification C:\Windows\SysWOW64\Qmfgjh32.exe Pikkiijf.exe File created C:\Windows\SysWOW64\Ebjglbml.exe Emnndlod.exe File opened for modification C:\Windows\SysWOW64\Cdlgpgef.exe Cclkfdnc.exe File opened for modification C:\Windows\SysWOW64\Hjhhocjj.exe Hellne32.exe File created C:\Windows\SysWOW64\Oqhiplaj.dll Aekodi32.exe File created C:\Windows\SysWOW64\Mpefbknb.dll Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Bnilfo32.dll Ppbfpd32.exe File created C:\Windows\SysWOW64\Mmnclh32.dll Dlnbeh32.exe File created C:\Windows\SysWOW64\Jfqahgpg.exe Jgnamk32.exe File created C:\Windows\SysWOW64\Kgnnln32.exe Keoapb32.exe File created C:\Windows\SysWOW64\Bmkmdk32.exe Bdbhke32.exe File created C:\Windows\SysWOW64\Njabih32.dll Bmpfojmp.exe File created C:\Windows\SysWOW64\Hadfjo32.dll Caknol32.exe File opened for modification C:\Windows\SysWOW64\Leajdfnm.exe Logbhl32.exe File created C:\Windows\SysWOW64\Onhgbmfb.exe Oikojfgk.exe File created C:\Windows\SysWOW64\Qimhoi32.exe Qbcpbo32.exe File opened for modification C:\Windows\SysWOW64\Egllae32.exe Eqbddk32.exe File created C:\Windows\SysWOW64\Ppbfpd32.exe Papfegmk.exe File created C:\Windows\SysWOW64\Mlibjc32.exe Mkgfckcj.exe File created C:\Windows\SysWOW64\Egahmk32.dll Oikojfgk.exe File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe Icbimi32.exe File created C:\Windows\SysWOW64\Ngogde32.dll Nefpnhlc.exe File created C:\Windows\SysWOW64\Hbfcml32.dll Lhpfqama.exe File created C:\Windows\SysWOW64\Ehkhilpb.dll Ndkmpe32.exe File opened for modification C:\Windows\SysWOW64\Jqfffqpm.exe Jiondcpk.exe File opened for modification C:\Windows\SysWOW64\Bmpfojmp.exe Bfenbpec.exe File created C:\Windows\SysWOW64\Kcbabf32.dll Eqbddk32.exe File opened for modification C:\Windows\SysWOW64\Pfoocjfd.exe Onhgbmfb.exe File created C:\Windows\SysWOW64\Oadqjk32.dll Dqelenlc.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Midahn32.dll Elmigj32.exe File created C:\Windows\SysWOW64\Mmhodf32.exe Mlibjc32.exe File created C:\Windows\SysWOW64\Gfedefbi.dll Dkmmhf32.exe File opened for modification C:\Windows\SysWOW64\Idfbkq32.exe Inljnfkg.exe File created C:\Windows\SysWOW64\Lajhofao.exe Lhbcfa32.exe File created C:\Windows\SysWOW64\Inegme32.dll Egafleqm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3808 3760 WerFault.exe 287 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdhfji.dll" Anafhopc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balijo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemaaoaf.dll" Kkijmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqideepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" Dbhnhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmocpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" Cjbmjplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emnndlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baildokg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfcml32.dll" Lhpfqama.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Delpclld.dll" Mkgfckcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anafhopc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" Qpgpkcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Clcflkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll" Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmccf32.dll" Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqljpedj.dll" Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglbacld.dll" Cljcelan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpimg32.dll" Bblogakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknqdmpf.dll" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbpiak32.dll" Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngpolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijeghgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojald32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpecfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iakdqgfi.dll" Qbelgood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahjpbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iokfhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll" Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbeccf32.dll" Aenbdoii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njabih32.dll" Bmpfojmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdapak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dccagcgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnoomqbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoffcnl.dll" Papfegmk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2300 wrote to memory of 2516 2300 2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe 28 PID 2300 wrote to memory of 2516 2300 2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe 28 PID 2300 wrote to memory of 2516 2300 2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe 28 PID 2300 wrote to memory of 2516 2300 2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe 28 PID 2516 wrote to memory of 2220 2516 Apomfh32.exe 29 PID 2516 wrote to memory of 2220 2516 Apomfh32.exe 29 PID 2516 wrote to memory of 2220 2516 Apomfh32.exe 29 PID 2516 wrote to memory of 2220 2516 Apomfh32.exe 29 PID 2220 wrote to memory of 3060 2220 Ambmpmln.exe 30 PID 2220 wrote to memory of 3060 2220 Ambmpmln.exe 30 PID 2220 wrote to memory of 3060 2220 Ambmpmln.exe 30 PID 2220 wrote to memory of 3060 2220 Ambmpmln.exe 30 PID 3060 wrote to memory of 2856 3060 Aenbdoii.exe 31 PID 3060 wrote to memory of 2856 3060 Aenbdoii.exe 31 PID 3060 wrote to memory of 2856 3060 Aenbdoii.exe 31 PID 3060 wrote to memory of 2856 3060 Aenbdoii.exe 31 PID 2856 wrote to memory of 1960 2856 Afmonbqk.exe 32 PID 2856 wrote to memory of 1960 2856 Afmonbqk.exe 32 PID 2856 wrote to memory of 1960 2856 Afmonbqk.exe 32 PID 2856 wrote to memory of 1960 2856 Afmonbqk.exe 32 PID 1960 wrote to memory of 2608 1960 Bpfcgg32.exe 33 PID 1960 wrote to memory of 2608 1960 Bpfcgg32.exe 33 PID 1960 wrote to memory of 2608 1960 Bpfcgg32.exe 33 PID 1960 wrote to memory of 2608 1960 Bpfcgg32.exe 33 PID 2608 wrote to memory of 2440 2608 Bhahlj32.exe 34 PID 2608 wrote to memory of 2440 2608 Bhahlj32.exe 34 PID 2608 wrote to memory of 2440 2608 Bhahlj32.exe 34 PID 2608 wrote to memory of 2440 2608 Bhahlj32.exe 34 PID 2440 wrote to memory of 2940 2440 Baildokg.exe 35 PID 2440 wrote to memory of 2940 2440 Baildokg.exe 35 PID 2440 wrote to memory of 2940 2440 Baildokg.exe 35 PID 2440 wrote to memory of 2940 2440 Baildokg.exe 35 PID 2940 wrote to memory of 2536 2940 Bloqah32.exe 36 PID 2940 wrote to memory of 2536 2940 Bloqah32.exe 36 PID 2940 wrote to memory of 2536 2940 Bloqah32.exe 36 PID 2940 wrote to memory of 2536 2940 Bloqah32.exe 36 PID 2536 wrote to memory of 2688 2536 Balijo32.exe 37 PID 2536 wrote to memory of 2688 2536 Balijo32.exe 37 PID 2536 wrote to memory of 2688 2536 Balijo32.exe 37 PID 2536 wrote to memory of 2688 2536 Balijo32.exe 37 PID 2688 wrote to memory of 2620 2688 Bkdmcdoe.exe 38 PID 2688 wrote to memory of 2620 2688 Bkdmcdoe.exe 38 PID 2688 wrote to memory of 2620 2688 Bkdmcdoe.exe 38 PID 2688 wrote to memory of 2620 2688 Bkdmcdoe.exe 38 PID 2620 wrote to memory of 1036 2620 Bhhnli32.exe 39 PID 2620 wrote to memory of 1036 2620 Bhhnli32.exe 39 PID 2620 wrote to memory of 1036 2620 Bhhnli32.exe 39 PID 2620 wrote to memory of 1036 2620 Bhhnli32.exe 39 PID 1036 wrote to memory of 2744 1036 Bdooajdc.exe 40 PID 1036 wrote to memory of 2744 1036 Bdooajdc.exe 40 PID 1036 wrote to memory of 2744 1036 Bdooajdc.exe 40 PID 1036 wrote to memory of 2744 1036 Bdooajdc.exe 40 PID 2744 wrote to memory of 1252 2744 Cljcelan.exe 41 PID 2744 wrote to memory of 1252 2744 Cljcelan.exe 41 PID 2744 wrote to memory of 1252 2744 Cljcelan.exe 41 PID 2744 wrote to memory of 1252 2744 Cljcelan.exe 41 PID 1252 wrote to memory of 2468 1252 Cjndop32.exe 42 PID 1252 wrote to memory of 2468 1252 Cjndop32.exe 42 PID 1252 wrote to memory of 2468 1252 Cjndop32.exe 42 PID 1252 wrote to memory of 2468 1252 Cjndop32.exe 42 PID 2468 wrote to memory of 2332 2468 Cgbdhd32.exe 43 PID 2468 wrote to memory of 2332 2468 Cgbdhd32.exe 43 PID 2468 wrote to memory of 2332 2468 Cgbdhd32.exe 43 PID 2468 wrote to memory of 2332 2468 Cgbdhd32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2ba57a2ab0cd0681d77cd1ed50c2ee2169d4ae6c342f41cbce4e11dc4727cb16_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:384 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe34⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe36⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe37⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe38⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe40⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe41⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe42⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe43⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe46⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe48⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe50⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe51⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe54⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe59⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe60⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe62⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe64⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe65⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1276 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe67⤵
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe68⤵
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe69⤵PID:1008
-
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe70⤵PID:1520
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe71⤵
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe72⤵
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe74⤵
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe75⤵
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe77⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe78⤵PID:2596
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe79⤵PID:2456
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe80⤵PID:1656
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe81⤵
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe83⤵PID:2752
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe84⤵PID:2932
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe85⤵
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe86⤵PID:2004
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:452 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe88⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe89⤵PID:3024
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe90⤵PID:2024
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe91⤵PID:2340
-
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe93⤵PID:2840
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe95⤵
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe96⤵
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1596 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe98⤵PID:1188
-
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe99⤵PID:1724
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe100⤵PID:2064
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:812 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe102⤵PID:1716
-
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe104⤵PID:2908
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe105⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe107⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe108⤵PID:2560
-
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe109⤵PID:2812
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe110⤵PID:2912
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe111⤵PID:2476
-
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe112⤵PID:1524
-
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe113⤵PID:1808
-
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe114⤵PID:1448
-
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe116⤵PID:1948
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe117⤵PID:672
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe118⤵PID:1612
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe119⤵PID:960
-
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe120⤵PID:2896
-
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe121⤵PID:2284
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-