Analysis
-
max time kernel
139s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
28-06-2024 00:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe
-
Size
256KB
-
MD5
0c1db4bdbfb31006020bceff82acff80
-
SHA1
a0c994374b35c88ecd3375a58a43c81d9afca909
-
SHA256
467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97
-
SHA512
3951cafb616bb41dfa24dd402876a997e9276aa758150e34ee88919ae208eaa3882fa0d5be9ecf29366b7a3b7035c9dcbcd69fac5a144b450d5f9ca262281e1c
-
SSDEEP
3072:JyMyj1plSTWqAhELy1MTT6e5f7N+Awrogsw+STWqAhELy1MTT6e5fAKkVyerze:JcjlSTYaT15f7o+STYaT15fAK8yL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmifhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpegcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabopjmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidfdofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceebklai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclcijfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqkobqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocllehcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aollokco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egahen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heikgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibckfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngneph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkljdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifmbmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnaik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjofdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knekla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndnlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amaelomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjklenpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmpce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcedkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnpflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbopmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqahqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcijeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgpbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccjoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidlgdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gblkoham.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaompi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aababceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eddeladm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmejllia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbnhmjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elfcbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qndkpmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnhoag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnpflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dklddhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipfmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfhiplmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomgjb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2888 Ffcllo32.exe 2616 Glpdde32.exe 2900 Gehhmkko.exe 2884 Gblifo32.exe 2516 Ghiaof32.exe 2424 Gembhj32.exe 464 Hafock32.exe 1500 Hjndlqal.exe 816 Hicqmmfc.exe 1932 Hifmbmda.exe 644 Hihjhl32.exe 1624 Ibckfa32.exe 612 Ioilkblq.exe 1744 Ikpmpc32.exe 2648 Idiaii32.exe 1268 Idmkdh32.exe 668 Jcedkd32.exe 812 Jolepe32.exe 1528 Jfhjbobc.exe 1200 Kglcogeo.exe 2044 Knekla32.exe 556 Kbcdbp32.exe 2296 Kddmdk32.exe 2080 Kcijeg32.exe 1692 Ljcbaamh.exe 2592 Lqmjnk32.exe 2724 Lfjcfb32.exe 2672 Lpedeg32.exe 2708 Lgpiij32.exe 2476 Lipecm32.exe 2784 Makjho32.exe 2752 Mlpneh32.exe 2520 Mclcijfd.exe 1672 Mpbdnk32.exe 2148 Nbjcqe32.exe 928 Ndnlnm32.exe 836 Nkhdkgnj.exe 1772 Nemhhpmp.exe 2644 Ngneph32.exe 1928 Nmhmlbkk.exe 1812 Ohnaik32.exe 1804 Oaffbqaa.exe 1604 Ogcnkgoh.exe 1576 Ommfga32.exe 1668 Opkccm32.exe 1896 Ogekpg32.exe 2068 Oidglb32.exe 1516 Ocllehcj.exe 1520 Oghhfg32.exe 2572 Oldpnn32.exe 3064 Oemegc32.exe 2388 Olgmcmgh.exe 2732 Pcaepg32.exe 2468 Pkljdj32.exe 2980 Pnjfae32.exe 2512 Phpjnnki.exe 2984 Pojbkh32.exe 2760 Pqkobqhd.exe 2860 Pgegok32.exe 1360 Pakllc32.exe 752 Pggdejno.exe 1788 Pmdmmalf.exe 3000 Qgjqjjll.exe 2316 Qmgibqjc.exe -
Loads dropped DLL 64 IoCs
pid Process 2952 467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe 2952 467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe 2888 Ffcllo32.exe 2888 Ffcllo32.exe 2616 Glpdde32.exe 2616 Glpdde32.exe 2900 Gehhmkko.exe 2900 Gehhmkko.exe 2884 Gblifo32.exe 2884 Gblifo32.exe 2516 Ghiaof32.exe 2516 Ghiaof32.exe 2424 Gembhj32.exe 2424 Gembhj32.exe 464 Hafock32.exe 464 Hafock32.exe 1500 Hjndlqal.exe 1500 Hjndlqal.exe 816 Hicqmmfc.exe 816 Hicqmmfc.exe 1932 Hifmbmda.exe 1932 Hifmbmda.exe 644 Hihjhl32.exe 644 Hihjhl32.exe 1624 Ibckfa32.exe 1624 Ibckfa32.exe 612 Ioilkblq.exe 612 Ioilkblq.exe 1744 Ikpmpc32.exe 1744 Ikpmpc32.exe 2648 Idiaii32.exe 2648 Idiaii32.exe 1268 Idmkdh32.exe 1268 Idmkdh32.exe 668 Jcedkd32.exe 668 Jcedkd32.exe 812 Jolepe32.exe 812 Jolepe32.exe 1528 Jfhjbobc.exe 1528 Jfhjbobc.exe 1200 Kglcogeo.exe 1200 Kglcogeo.exe 2044 Knekla32.exe 2044 Knekla32.exe 556 Kbcdbp32.exe 556 Kbcdbp32.exe 2296 Kddmdk32.exe 2296 Kddmdk32.exe 2080 Kcijeg32.exe 2080 Kcijeg32.exe 1692 Ljcbaamh.exe 1692 Ljcbaamh.exe 2592 Lqmjnk32.exe 2592 Lqmjnk32.exe 2724 Lfjcfb32.exe 2724 Lfjcfb32.exe 2672 Lpedeg32.exe 2672 Lpedeg32.exe 2708 Lgpiij32.exe 2708 Lgpiij32.exe 2476 Lipecm32.exe 2476 Lipecm32.exe 2784 Makjho32.exe 2784 Makjho32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hafock32.exe Gembhj32.exe File created C:\Windows\SysWOW64\Dpapaj32.exe Cfhkhd32.exe File created C:\Windows\SysWOW64\Cakqgeoi.exe Chcloo32.exe File created C:\Windows\SysWOW64\Ljnnko32.exe Lohjnf32.exe File created C:\Windows\SysWOW64\Onfoin32.exe Nabopjmj.exe File created C:\Windows\SysWOW64\Mlpneh32.exe Makjho32.exe File created C:\Windows\SysWOW64\Fclidamd.dll Eheecbia.exe File created C:\Windows\SysWOW64\Fidfcc32.dll Ejmhkiig.exe File opened for modification C:\Windows\SysWOW64\Pakllc32.exe Pgegok32.exe File created C:\Windows\SysWOW64\Fdkklp32.exe Fggkcl32.exe File opened for modification C:\Windows\SysWOW64\Pgfjhcge.exe Paiaplin.exe File opened for modification C:\Windows\SysWOW64\Lfjcfb32.exe Lqmjnk32.exe File created C:\Windows\SysWOW64\Nmejllia.exe Nenakoho.exe File created C:\Windows\SysWOW64\Gkclcjqj.dll Ncnngfna.exe File created C:\Windows\SysWOW64\Badnhbce.exe Ajjfkh32.exe File created C:\Windows\SysWOW64\Nmlnjo32.dll Aihfap32.exe File opened for modification C:\Windows\SysWOW64\Diaaeepi.exe Dafmqb32.exe File created C:\Windows\SysWOW64\Kglcogeo.exe Jfhjbobc.exe File created C:\Windows\SysWOW64\Kbcdbp32.exe Knekla32.exe File opened for modification C:\Windows\SysWOW64\Nemhhpmp.exe Nkhdkgnj.exe File opened for modification C:\Windows\SysWOW64\Abfnpg32.exe Qmifhq32.exe File created C:\Windows\SysWOW64\Ddliip32.exe Cfhiplmp.exe File created C:\Windows\SysWOW64\Epmfgo32.exe Diaaeepi.exe File created C:\Windows\SysWOW64\Pqimphik.dll Hblgnkdh.exe File created C:\Windows\SysWOW64\Afffenbp.exe Akabgebj.exe File created C:\Windows\SysWOW64\Bdcifi32.exe Bjmeiq32.exe File created C:\Windows\SysWOW64\Ieeeljdp.dll Agljom32.exe File opened for modification C:\Windows\SysWOW64\Fffefjmi.exe Eqjmncna.exe File created C:\Windows\SysWOW64\Mbpipp32.exe Mpamde32.exe File opened for modification C:\Windows\SysWOW64\Oaffbqaa.exe Ohnaik32.exe File created C:\Windows\SysWOW64\Lefggi32.dll Baigca32.exe File opened for modification C:\Windows\SysWOW64\Kbigpn32.exe Kdefgj32.exe File created C:\Windows\SysWOW64\Kjmnjkjd.exe Kdpfadlm.exe File created C:\Windows\SysWOW64\Eamjfeja.dll Nhgnaehm.exe File created C:\Windows\SysWOW64\Nmlkfoig.dll Opihgfop.exe File created C:\Windows\SysWOW64\Bmpkqklh.exe Bchfhfeh.exe File created C:\Windows\SysWOW64\Fnbdfpji.dll Knbhlkkc.exe File opened for modification C:\Windows\SysWOW64\Dhkkbmnp.exe Difnaqih.exe File created C:\Windows\SysWOW64\Fplheofl.dll Eihgfd32.exe File opened for modification C:\Windows\SysWOW64\Hihlqeib.exe Hldlga32.exe File created C:\Windows\SysWOW64\Paknelgk.exe Pidfdofi.exe File opened for modification C:\Windows\SysWOW64\Hihjhl32.exe Hifmbmda.exe File opened for modification C:\Windows\SysWOW64\Oldpnn32.exe Oghhfg32.exe File created C:\Windows\SysWOW64\Lldmleam.exe Lclicpkm.exe File created C:\Windows\SysWOW64\Pkdhln32.dll Akabgebj.exe File opened for modification C:\Windows\SysWOW64\Ikpmpc32.exe Ioilkblq.exe File created C:\Windows\SysWOW64\Fjinic32.dll 467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Dhbhmb32.exe Dojddmec.exe File opened for modification C:\Windows\SysWOW64\Kghpoa32.exe Jpogbgmi.exe File opened for modification C:\Windows\SysWOW64\Amaelomh.exe Adfqgl32.exe File created C:\Windows\SysWOW64\Epbfmd32.exe Eeielfhk.exe File opened for modification C:\Windows\SysWOW64\Mnbpjb32.exe Mejlalji.exe File opened for modification C:\Windows\SysWOW64\Ohagbj32.exe Ooicid32.exe File created C:\Windows\SysWOW64\Ankojf32.dll Ooicid32.exe File created C:\Windows\SysWOW64\Ncehag32.dll Aflfjc32.exe File opened for modification C:\Windows\SysWOW64\Jpogbgmi.exe Jdhgnf32.exe File opened for modification C:\Windows\SysWOW64\Kohnoc32.exe Kjleflod.exe File opened for modification C:\Windows\SysWOW64\Nmejllia.exe Nenakoho.exe File opened for modification C:\Windows\SysWOW64\Mlpneh32.exe Makjho32.exe File created C:\Windows\SysWOW64\Npolmh32.exe Nfghdcfj.exe File created C:\Windows\SysWOW64\Paiaplin.exe Pgcmbcih.exe File created C:\Windows\SysWOW64\Hkgoklhk.dll Pidfdofi.exe File created C:\Windows\SysWOW64\Dfqnol32.dll Qndkpmkm.exe File created C:\Windows\SysWOW64\Hicqmmfc.exe Hjndlqal.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4232 4200 WerFault.exe 345 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmnjkjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phpjnnki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jniefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaipli32.dll" Ohojmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjjkpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkppcjdc.dll" Ibhndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minbnnfl.dll" Lqcmmjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibejdjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodhamlk.dll" Bejfao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nigafnck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dafmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll" Ceebklai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gehhmkko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mibnje32.dll" Ihhcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphfihaj.dll" Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkhdkgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnkglik.dll" Gmpcgace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll" Omnipjni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foafdoag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adfqgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnfackh.dll" Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onfoin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofhjopbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oidglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocllehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmfjhcj.dll" Jpogbgmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjofdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opglafab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chcloo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldchikb.dll" Hihjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgieebbp.dll" Ngneph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcbncfjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplimbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoiicijl.dll" Idmkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Helgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojijh32.dll" Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njifbl32.dll" Cakqgeoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kglcogeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidlgdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkmhnjlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glpdde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfjcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcjeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lclicpkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gomlpk32.dll" Qgjqjjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmifhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egahen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljieppcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdbjp32.dll" Nplimbka.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2952 wrote to memory of 2888 2952 467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe 28 PID 2952 wrote to memory of 2888 2952 467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe 28 PID 2952 wrote to memory of 2888 2952 467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe 28 PID 2952 wrote to memory of 2888 2952 467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe 28 PID 2888 wrote to memory of 2616 2888 Ffcllo32.exe 29 PID 2888 wrote to memory of 2616 2888 Ffcllo32.exe 29 PID 2888 wrote to memory of 2616 2888 Ffcllo32.exe 29 PID 2888 wrote to memory of 2616 2888 Ffcllo32.exe 29 PID 2616 wrote to memory of 2900 2616 Glpdde32.exe 30 PID 2616 wrote to memory of 2900 2616 Glpdde32.exe 30 PID 2616 wrote to memory of 2900 2616 Glpdde32.exe 30 PID 2616 wrote to memory of 2900 2616 Glpdde32.exe 30 PID 2900 wrote to memory of 2884 2900 Gehhmkko.exe 31 PID 2900 wrote to memory of 2884 2900 Gehhmkko.exe 31 PID 2900 wrote to memory of 2884 2900 Gehhmkko.exe 31 PID 2900 wrote to memory of 2884 2900 Gehhmkko.exe 31 PID 2884 wrote to memory of 2516 2884 Gblifo32.exe 32 PID 2884 wrote to memory of 2516 2884 Gblifo32.exe 32 PID 2884 wrote to memory of 2516 2884 Gblifo32.exe 32 PID 2884 wrote to memory of 2516 2884 Gblifo32.exe 32 PID 2516 wrote to memory of 2424 2516 Ghiaof32.exe 33 PID 2516 wrote to memory of 2424 2516 Ghiaof32.exe 33 PID 2516 wrote to memory of 2424 2516 Ghiaof32.exe 33 PID 2516 wrote to memory of 2424 2516 Ghiaof32.exe 33 PID 2424 wrote to memory of 464 2424 Gembhj32.exe 34 PID 2424 wrote to memory of 464 2424 Gembhj32.exe 34 PID 2424 wrote to memory of 464 2424 Gembhj32.exe 34 PID 2424 wrote to memory of 464 2424 Gembhj32.exe 34 PID 464 wrote to memory of 1500 464 Hafock32.exe 35 PID 464 wrote to memory of 1500 464 Hafock32.exe 35 PID 464 wrote to memory of 1500 464 Hafock32.exe 35 PID 464 wrote to memory of 1500 464 Hafock32.exe 35 PID 1500 wrote to memory of 816 1500 Hjndlqal.exe 36 PID 1500 wrote to memory of 816 1500 Hjndlqal.exe 36 PID 1500 wrote to memory of 816 1500 Hjndlqal.exe 36 PID 1500 wrote to memory of 816 1500 Hjndlqal.exe 36 PID 816 wrote to memory of 1932 816 Hicqmmfc.exe 37 PID 816 wrote to memory of 1932 816 Hicqmmfc.exe 37 PID 816 wrote to memory of 1932 816 Hicqmmfc.exe 37 PID 816 wrote to memory of 1932 816 Hicqmmfc.exe 37 PID 1932 wrote to memory of 644 1932 Hifmbmda.exe 38 PID 1932 wrote to memory of 644 1932 Hifmbmda.exe 38 PID 1932 wrote to memory of 644 1932 Hifmbmda.exe 38 PID 1932 wrote to memory of 644 1932 Hifmbmda.exe 38 PID 644 wrote to memory of 1624 644 Hihjhl32.exe 39 PID 644 wrote to memory of 1624 644 Hihjhl32.exe 39 PID 644 wrote to memory of 1624 644 Hihjhl32.exe 39 PID 644 wrote to memory of 1624 644 Hihjhl32.exe 39 PID 1624 wrote to memory of 612 1624 Ibckfa32.exe 40 PID 1624 wrote to memory of 612 1624 Ibckfa32.exe 40 PID 1624 wrote to memory of 612 1624 Ibckfa32.exe 40 PID 1624 wrote to memory of 612 1624 Ibckfa32.exe 40 PID 612 wrote to memory of 1744 612 Ioilkblq.exe 41 PID 612 wrote to memory of 1744 612 Ioilkblq.exe 41 PID 612 wrote to memory of 1744 612 Ioilkblq.exe 41 PID 612 wrote to memory of 1744 612 Ioilkblq.exe 41 PID 1744 wrote to memory of 2648 1744 Ikpmpc32.exe 42 PID 1744 wrote to memory of 2648 1744 Ikpmpc32.exe 42 PID 1744 wrote to memory of 2648 1744 Ikpmpc32.exe 42 PID 1744 wrote to memory of 2648 1744 Ikpmpc32.exe 42 PID 2648 wrote to memory of 1268 2648 Idiaii32.exe 43 PID 2648 wrote to memory of 1268 2648 Idiaii32.exe 43 PID 2648 wrote to memory of 1268 2648 Idiaii32.exe 43 PID 2648 wrote to memory of 1268 2648 Idiaii32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\467e8256593c2cb4803f8c8a945502a40661a210224afebac55b731c7f97ef97_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:668 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812 -
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe33⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe35⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe36⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe39⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe41⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe43⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe44⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe46⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe47⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe51⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe52⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe53⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe54⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe56⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe58⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe61⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe62⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe63⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe65⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe66⤵PID:1752
-
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe70⤵PID:2208
-
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe71⤵PID:1684
-
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe73⤵PID:2576
-
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe74⤵PID:2492
-
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe75⤵PID:2252
-
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe76⤵PID:1616
-
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe78⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe79⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe80⤵PID:1076
-
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe82⤵PID:2660
-
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe83⤵PID:2856
-
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe84⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe86⤵PID:1276
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe87⤵PID:960
-
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe88⤵PID:2796
-
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe89⤵PID:2804
-
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe90⤵PID:2032
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe91⤵PID:2184
-
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe92⤵PID:2692
-
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe93⤵PID:2524
-
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe95⤵
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe97⤵PID:580
-
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe98⤵PID:2368
-
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe99⤵PID:2472
-
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1448 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe101⤵
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe102⤵PID:2384
-
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe103⤵
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe104⤵
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe105⤵PID:1512
-
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe106⤵PID:1532
-
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe107⤵PID:1008
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe108⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe110⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe111⤵PID:2720
-
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe112⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe113⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1496 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe116⤵PID:996
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1324 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe119⤵
- Modifies registry class
PID:740 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe120⤵PID:2096
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe121⤵PID:1592
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-