Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 03:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe
-
Size
256KB
-
MD5
53c6ff13e8f3d8a936cd44c222ef05e0
-
SHA1
8196495603fc4162daaf2d6d7fbe539f6e1e56f9
-
SHA256
76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866
-
SHA512
5b8d81b74ea250a5959af31558559ea78e66856656155574a2fa5d93bd76fa35281498ec383856ce188db2d85f6bbbe15d365e74c74ca7645c17d43bdfca664a
-
SSDEEP
6144:TkUI/zyyU8TLp103ETiZ0moGP/2dga1mcywM:y/mUpScXwuR1mKM
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncmfqkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npagjpcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcnhjnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbaileio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnicmdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcnbablo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkbdiqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpncej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdmcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iamimc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahikqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anafhopc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchhkjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjnfniii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhckpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iimjmbae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mholen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojahnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdllkhdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpefdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpnojioo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdjbaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnmlhchd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kconkibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfgdhjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlkopcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknekeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aekodi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnobnmpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjjmbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckafbbph.exe -
Executes dropped EXE 64 IoCs
pid Process 2236 Hpmgqnfl.exe 2480 Hpocfncj.exe 2508 Hcplhi32.exe 2724 Icbimi32.exe 2376 Ifcbodli.exe 2932 Idhopq32.exe 2668 Ijgdngmf.exe 1012 Jiakjb32.exe 1740 Jbllihbf.exe 1668 Kjjmbj32.exe 1460 Kcbakpdo.exe 2148 Kjnfniii.exe 1264 Kcfkfo32.exe 2476 Kfgdhjmk.exe 2244 Lemaif32.exe 1664 Lliflp32.exe 1584 Lbcnhjnj.exe 1160 Lhbcfa32.exe 2096 Lkppbl32.exe 1704 Lajhofao.exe 2908 Monhhk32.exe 896 Mmceigep.exe 2828 Mpbaebdd.exe 2808 Mbpnanch.exe 2568 Mgnfhlin.exe 2916 Mlkopcge.exe 1380 Meccii32.exe 2912 Nefpnhlc.exe 2484 Nlphkb32.exe 2528 Namqci32.exe 2652 Noqamn32.exe 2540 Ndmjedoi.exe 2404 Naajoinb.exe 2424 Nhkbkc32.exe 1692 Ndbcpd32.exe 2712 Ogblbo32.exe 1748 Ojahnj32.exe 1732 Oonafa32.exe 1600 Ofhick32.exe 1416 Ombapedi.exe 1244 Ohibdf32.exe 848 Ocnfbo32.exe 2776 Okikfagn.exe 2232 Pdaoog32.exe 400 Piphee32.exe 2088 Pnlqnl32.exe 448 Pkpagq32.exe 2740 Pamiog32.exe 1520 Pjenhm32.exe 332 Pcnbablo.exe 2308 Pikkiijf.exe 1592 Qabcjgkh.exe 1900 Qjjgclai.exe 2256 Qlkdkd32.exe 1620 Qbelgood.exe 3016 Qedhdjnh.exe 2800 Apimacnn.exe 2980 Afcenm32.exe 2288 Alpmfdcb.exe 2392 Abjebn32.exe 1992 Aehboi32.exe 2564 Ahgnke32.exe 2756 Anafhopc.exe 1896 Aekodi32.exe -
Loads dropped DLL 64 IoCs
pid Process 2000 76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe 2000 76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe 2236 Hpmgqnfl.exe 2236 Hpmgqnfl.exe 2480 Hpocfncj.exe 2480 Hpocfncj.exe 2508 Hcplhi32.exe 2508 Hcplhi32.exe 2724 Icbimi32.exe 2724 Icbimi32.exe 2376 Ifcbodli.exe 2376 Ifcbodli.exe 2932 Idhopq32.exe 2932 Idhopq32.exe 2668 Ijgdngmf.exe 2668 Ijgdngmf.exe 1012 Jiakjb32.exe 1012 Jiakjb32.exe 1740 Jbllihbf.exe 1740 Jbllihbf.exe 1668 Kjjmbj32.exe 1668 Kjjmbj32.exe 1460 Kcbakpdo.exe 1460 Kcbakpdo.exe 2148 Kjnfniii.exe 2148 Kjnfniii.exe 1264 Kcfkfo32.exe 1264 Kcfkfo32.exe 2476 Kfgdhjmk.exe 2476 Kfgdhjmk.exe 2244 Lemaif32.exe 2244 Lemaif32.exe 1664 Lliflp32.exe 1664 Lliflp32.exe 1584 Lbcnhjnj.exe 1584 Lbcnhjnj.exe 1160 Lhbcfa32.exe 1160 Lhbcfa32.exe 2096 Lkppbl32.exe 2096 Lkppbl32.exe 1704 Lajhofao.exe 1704 Lajhofao.exe 2908 Monhhk32.exe 2908 Monhhk32.exe 896 Mmceigep.exe 896 Mmceigep.exe 2828 Mpbaebdd.exe 2828 Mpbaebdd.exe 2808 Mbpnanch.exe 2808 Mbpnanch.exe 2568 Mgnfhlin.exe 2568 Mgnfhlin.exe 2916 Mlkopcge.exe 2916 Mlkopcge.exe 1380 Meccii32.exe 1380 Meccii32.exe 2912 Nefpnhlc.exe 2912 Nefpnhlc.exe 2484 Nlphkb32.exe 2484 Nlphkb32.exe 2528 Namqci32.exe 2528 Namqci32.exe 2652 Noqamn32.exe 2652 Noqamn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gdjpeifj.exe Gpncej32.exe File created C:\Windows\SysWOW64\Opnelabi.dll Haiccald.exe File opened for modification C:\Windows\SysWOW64\Pamiog32.exe Pkpagq32.exe File created C:\Windows\SysWOW64\Lbcnhjnj.exe Lliflp32.exe File created C:\Windows\SysWOW64\Fjkhohik.dll Okikfagn.exe File opened for modification C:\Windows\SysWOW64\Afohaa32.exe Aemkjiem.exe File created C:\Windows\SysWOW64\Hoikeh32.dll Gbaileio.exe File created C:\Windows\SysWOW64\Hloopaak.dll Kbfhbeek.exe File created C:\Windows\SysWOW64\Ogikcfnb.dll Lcagpl32.exe File created C:\Windows\SysWOW64\Jjpcbe32.exe Jhngjmlo.exe File created C:\Windows\SysWOW64\Mlcbenjb.exe Mhhfdo32.exe File created C:\Windows\SysWOW64\Ndbcpd32.exe Nhkbkc32.exe File opened for modification C:\Windows\SysWOW64\Aehboi32.exe Abjebn32.exe File created C:\Windows\SysWOW64\Jjhhpp32.dll Cafecmlj.exe File created C:\Windows\SysWOW64\Gpncej32.exe Gjakmc32.exe File created C:\Windows\SysWOW64\Qjfhfnim.dll Kincipnk.exe File opened for modification C:\Windows\SysWOW64\Pkpagq32.exe Pnlqnl32.exe File opened for modification C:\Windows\SysWOW64\Idnaoohk.exe Iapebchh.exe File created C:\Windows\SysWOW64\Anafhopc.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Khjjpi32.dll Bocolb32.exe File created C:\Windows\SysWOW64\Gdjpeifj.exe Gpncej32.exe File created C:\Windows\SysWOW64\Kjjmbj32.exe Jbllihbf.exe File opened for modification C:\Windows\SysWOW64\Dbfabp32.exe Dpeekh32.exe File created C:\Windows\SysWOW64\Ckoilb32.exe Chpmpg32.exe File created C:\Windows\SysWOW64\Gfjhgdck.exe Gdllkhdg.exe File opened for modification C:\Windows\SysWOW64\Iamimc32.exe Icjhagdp.exe File opened for modification C:\Windows\SysWOW64\Okikfagn.exe Ocnfbo32.exe File opened for modification C:\Windows\SysWOW64\Febfomdd.exe Fbdjbaea.exe File created C:\Windows\SysWOW64\Lbadbn32.dll Ejkima32.exe File created C:\Windows\SysWOW64\Giegfm32.dll Kconkibf.exe File created C:\Windows\SysWOW64\Mpioaoic.dll Qjjgclai.exe File opened for modification C:\Windows\SysWOW64\Qbelgood.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Edekcace.dll Dknekeef.exe File created C:\Windows\SysWOW64\Iedkbc32.exe Idcokkak.exe File created C:\Windows\SysWOW64\Iapebchh.exe Ikfmfi32.exe File created C:\Windows\SysWOW64\Qfgkcdoe.dll Jocflgga.exe File created C:\Windows\SysWOW64\Fbfqed32.dll Kfgdhjmk.exe File opened for modification C:\Windows\SysWOW64\Ohibdf32.exe Ombapedi.exe File opened for modification C:\Windows\SysWOW64\Ocnfbo32.exe Ohibdf32.exe File created C:\Windows\SysWOW64\Fljafg32.exe Fepiimfg.exe File created C:\Windows\SysWOW64\Gmdadnkh.exe Gfjhgdck.exe File created C:\Windows\SysWOW64\Apimacnn.exe Qedhdjnh.exe File created C:\Windows\SysWOW64\Dpeekh32.exe Dfoqmo32.exe File created C:\Windows\SysWOW64\Ggeiabkc.dll Ganpomec.exe File opened for modification C:\Windows\SysWOW64\Biicik32.exe Baakhm32.exe File created C:\Windows\SysWOW64\Njfppiho.dll Mlcbenjb.exe File created C:\Windows\SysWOW64\Gamgjj32.dll Hoopae32.exe File created C:\Windows\SysWOW64\Jjdmmdnh.exe Jgfqaiod.exe File opened for modification C:\Windows\SysWOW64\Mdacop32.exe Mabgcd32.exe File opened for modification C:\Windows\SysWOW64\Ndbcpd32.exe Nhkbkc32.exe File created C:\Windows\SysWOW64\Fffdil32.dll Idcokkak.exe File created C:\Windows\SysWOW64\Jnicmdli.exe Jgojpjem.exe File opened for modification C:\Windows\SysWOW64\Mlfojn32.exe Melfncqb.exe File created C:\Windows\SysWOW64\Pdaoog32.exe Okikfagn.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Pjenhm32.exe File created C:\Windows\SysWOW64\Ccfcekqe.dll Jjpcbe32.exe File created C:\Windows\SysWOW64\Hnhijl32.dll Aemkjiem.exe File opened for modification C:\Windows\SysWOW64\Iapebchh.exe Ikfmfi32.exe File created C:\Windows\SysWOW64\Ngdfge32.dll Icjhagdp.exe File opened for modification C:\Windows\SysWOW64\Lmgocb32.exe Lfmffhde.exe File opened for modification C:\Windows\SysWOW64\Nhkbkc32.exe Naajoinb.exe File created C:\Windows\SysWOW64\Lajhofao.exe Lkppbl32.exe File created C:\Windows\SysWOW64\Noqamn32.exe Namqci32.exe File opened for modification C:\Windows\SysWOW64\Noqamn32.exe Namqci32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4020 3960 WerFault.exe 284 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkbalifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmdcpnkh.dll" Fjongcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclgfa32.dll" Bdgafdfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coelaaoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndbcpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcohjcg.dll" Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmnace32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijgdngmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keefji32.dll" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll" Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhnql32.dll" Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbfbgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkolkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dggcffhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpqdkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ganpomec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeelpbm.dll" Jqgoiokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjjmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbcnhjnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlcbenjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmgahq.dll" Baakhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Piphee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffhpbacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgggfhdc.dll" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Ahgnke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdjpeifj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnbbbffj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkijpd32.dll" Ljkomfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lemaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll" Dcadac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcjcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpcqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihclng32.dll" Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeejnlhc.dll" Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll" Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfbghho.dll" Gpncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padajbnl.dll" Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll" Cpnojioo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2236 2000 76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe 28 PID 2000 wrote to memory of 2236 2000 76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe 28 PID 2000 wrote to memory of 2236 2000 76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe 28 PID 2000 wrote to memory of 2236 2000 76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe 28 PID 2236 wrote to memory of 2480 2236 Hpmgqnfl.exe 29 PID 2236 wrote to memory of 2480 2236 Hpmgqnfl.exe 29 PID 2236 wrote to memory of 2480 2236 Hpmgqnfl.exe 29 PID 2236 wrote to memory of 2480 2236 Hpmgqnfl.exe 29 PID 2480 wrote to memory of 2508 2480 Hpocfncj.exe 30 PID 2480 wrote to memory of 2508 2480 Hpocfncj.exe 30 PID 2480 wrote to memory of 2508 2480 Hpocfncj.exe 30 PID 2480 wrote to memory of 2508 2480 Hpocfncj.exe 30 PID 2508 wrote to memory of 2724 2508 Hcplhi32.exe 31 PID 2508 wrote to memory of 2724 2508 Hcplhi32.exe 31 PID 2508 wrote to memory of 2724 2508 Hcplhi32.exe 31 PID 2508 wrote to memory of 2724 2508 Hcplhi32.exe 31 PID 2724 wrote to memory of 2376 2724 Icbimi32.exe 32 PID 2724 wrote to memory of 2376 2724 Icbimi32.exe 32 PID 2724 wrote to memory of 2376 2724 Icbimi32.exe 32 PID 2724 wrote to memory of 2376 2724 Icbimi32.exe 32 PID 2376 wrote to memory of 2932 2376 Ifcbodli.exe 33 PID 2376 wrote to memory of 2932 2376 Ifcbodli.exe 33 PID 2376 wrote to memory of 2932 2376 Ifcbodli.exe 33 PID 2376 wrote to memory of 2932 2376 Ifcbodli.exe 33 PID 2932 wrote to memory of 2668 2932 Idhopq32.exe 34 PID 2932 wrote to memory of 2668 2932 Idhopq32.exe 34 PID 2932 wrote to memory of 2668 2932 Idhopq32.exe 34 PID 2932 wrote to memory of 2668 2932 Idhopq32.exe 34 PID 2668 wrote to memory of 1012 2668 Ijgdngmf.exe 35 PID 2668 wrote to memory of 1012 2668 Ijgdngmf.exe 35 PID 2668 wrote to memory of 1012 2668 Ijgdngmf.exe 35 PID 2668 wrote to memory of 1012 2668 Ijgdngmf.exe 35 PID 1012 wrote to memory of 1740 1012 Jiakjb32.exe 36 PID 1012 wrote to memory of 1740 1012 Jiakjb32.exe 36 PID 1012 wrote to memory of 1740 1012 Jiakjb32.exe 36 PID 1012 wrote to memory of 1740 1012 Jiakjb32.exe 36 PID 1740 wrote to memory of 1668 1740 Jbllihbf.exe 37 PID 1740 wrote to memory of 1668 1740 Jbllihbf.exe 37 PID 1740 wrote to memory of 1668 1740 Jbllihbf.exe 37 PID 1740 wrote to memory of 1668 1740 Jbllihbf.exe 37 PID 1668 wrote to memory of 1460 1668 Kjjmbj32.exe 38 PID 1668 wrote to memory of 1460 1668 Kjjmbj32.exe 38 PID 1668 wrote to memory of 1460 1668 Kjjmbj32.exe 38 PID 1668 wrote to memory of 1460 1668 Kjjmbj32.exe 38 PID 1460 wrote to memory of 2148 1460 Kcbakpdo.exe 39 PID 1460 wrote to memory of 2148 1460 Kcbakpdo.exe 39 PID 1460 wrote to memory of 2148 1460 Kcbakpdo.exe 39 PID 1460 wrote to memory of 2148 1460 Kcbakpdo.exe 39 PID 2148 wrote to memory of 1264 2148 Kjnfniii.exe 40 PID 2148 wrote to memory of 1264 2148 Kjnfniii.exe 40 PID 2148 wrote to memory of 1264 2148 Kjnfniii.exe 40 PID 2148 wrote to memory of 1264 2148 Kjnfniii.exe 40 PID 1264 wrote to memory of 2476 1264 Kcfkfo32.exe 41 PID 1264 wrote to memory of 2476 1264 Kcfkfo32.exe 41 PID 1264 wrote to memory of 2476 1264 Kcfkfo32.exe 41 PID 1264 wrote to memory of 2476 1264 Kcfkfo32.exe 41 PID 2476 wrote to memory of 2244 2476 Kfgdhjmk.exe 42 PID 2476 wrote to memory of 2244 2476 Kfgdhjmk.exe 42 PID 2476 wrote to memory of 2244 2476 Kfgdhjmk.exe 42 PID 2476 wrote to memory of 2244 2476 Kfgdhjmk.exe 42 PID 2244 wrote to memory of 1664 2244 Lemaif32.exe 43 PID 2244 wrote to memory of 1664 2244 Lemaif32.exe 43 PID 2244 wrote to memory of 1664 2244 Lemaif32.exe 43 PID 2244 wrote to memory of 1664 2244 Lemaif32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\76808f337c512eb69fbf44e00d901df78421ea2a7fa4ae988ded61df5da7c866_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160 -
C:\Windows\SysWOW64\Lkppbl32.exeC:\Windows\system32\Lkppbl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe33⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe37⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe39⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe40⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1416 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe49⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe52⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe53⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe58⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe59⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe62⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1184 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe68⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe70⤵PID:580
-
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe71⤵
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe73⤵PID:1708
-
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe75⤵PID:1884
-
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe76⤵PID:2944
-
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe77⤵PID:2788
-
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe78⤵PID:2520
-
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe79⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe80⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe81⤵PID:2080
-
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe82⤵PID:1188
-
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe83⤵PID:292
-
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe84⤵
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe87⤵PID:1944
-
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe89⤵PID:1008
-
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe90⤵PID:948
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe91⤵PID:1632
-
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe92⤵PID:1636
-
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe95⤵PID:2324
-
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe96⤵PID:2592
-
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe101⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe102⤵PID:860
-
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe103⤵PID:1536
-
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe104⤵PID:2696
-
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe105⤵
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe106⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe107⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe109⤵PID:2216
-
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe111⤵PID:2252
-
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1856 -
C:\Windows\SysWOW64\Dkqbaecc.exeC:\Windows\system32\Dkqbaecc.exe113⤵PID:2784
-
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe114⤵PID:2536
-
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe116⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe117⤵PID:1580
-
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe118⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe119⤵PID:2200
-
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe121⤵PID:592
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-