Analysis
-
max time kernel
146s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
28/06/2024, 15:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe
-
Size
1.9MB
-
MD5
28d08b43f7b97d85368ebc9bd2afa960
-
SHA1
009cab2e1191631499c6b5c023dda8e35de05004
-
SHA256
9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6
-
SHA512
a1ede37e24d0d7cee31294998f517f8cb2f82197e19cc14a4a11c051fa0019f825117735b5f436535cc803f090ca3e172272b8f87bc29528f9080806529b34a9
-
SSDEEP
6144:RjCKr2n0MCRqJ++6yYEwPJ2kEe16L9Jww61EvBqc:/+6CwUkEoILTAc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iompkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqkbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epfhbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbpmapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igchlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmpgpond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enlidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figlolbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inkccpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocflgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceeieced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpbalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljfapjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blbfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaqcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjobffl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojgfemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnoogbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fadminnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbepdhgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnneja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fadminnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdmcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgkcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libicbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogpdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkephn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faigdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpkjond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iajcde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgafdfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcdbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfdddm32.exe -
Executes dropped EXE 64 IoCs
pid Process 1736 Laplei32.exe 2604 Lhjdbcef.exe 2688 Maphdl32.exe 2500 Mhnjle32.exe 2708 Mkmfhacp.exe 2584 Nocemcbj.exe 2252 Ofbfdmeb.exe 1572 Ocomlemo.exe 1956 Ondajnme.exe 2156 Ogmfbd32.exe 1960 Paejki32.exe 1908 Pgobhcac.exe 1616 Pipopl32.exe 2084 Paggai32.exe 1792 Pcfcmd32.exe 536 Pjpkjond.exe 1468 Ppmdbe32.exe 1068 Pfflopdh.exe 1072 Piehkkcl.exe 2704 Pbmmcq32.exe 2424 Plfamfpm.exe 2384 Penfelgm.exe 660 Qnfjna32.exe 2980 Qaefjm32.exe 1292 Qdccfh32.exe 1732 Qjmkcbcb.exe 2908 Qmlgonbe.exe 1700 Adeplhib.exe 2948 Afdlhchf.exe 2572 Aajpelhl.exe 2220 Affhncfc.exe 2616 Apomfh32.exe 2728 Afiecb32.exe 2516 Aigaon32.exe 2924 Alenki32.exe 2792 Abpfhcje.exe 2532 Aenbdoii.exe 1308 Alhjai32.exe 1636 Aoffmd32.exe 1676 Afmonbqk.exe 1140 Ailkjmpo.exe 344 Aljgfioc.exe 3032 Boiccdnf.exe 952 Bebkpn32.exe 340 Blmdlhmp.exe 624 Bokphdld.exe 1300 Baildokg.exe 1592 Bdhhqk32.exe 2996 Bloqah32.exe 2724 Bommnc32.exe 2460 Begeknan.exe 2468 Bdjefj32.exe 284 Bkdmcdoe.exe 1476 Banepo32.exe 2940 Bdlblj32.exe 572 Bkfjhd32.exe 2004 Bnefdp32.exe 1904 Bdooajdc.exe 1004 Ckignd32.exe 2332 Cljcelan.exe 3040 Cdakgibq.exe 2852 Cfbhnaho.exe 2180 Cnippoha.exe 760 Coklgg32.exe -
Loads dropped DLL 64 IoCs
pid Process 1276 9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe 1276 9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe 1736 Laplei32.exe 1736 Laplei32.exe 2604 Lhjdbcef.exe 2604 Lhjdbcef.exe 2688 Maphdl32.exe 2688 Maphdl32.exe 2500 Mhnjle32.exe 2500 Mhnjle32.exe 2708 Mkmfhacp.exe 2708 Mkmfhacp.exe 2584 Nocemcbj.exe 2584 Nocemcbj.exe 2252 Ofbfdmeb.exe 2252 Ofbfdmeb.exe 1572 Ocomlemo.exe 1572 Ocomlemo.exe 1956 Ondajnme.exe 1956 Ondajnme.exe 2156 Ogmfbd32.exe 2156 Ogmfbd32.exe 1960 Paejki32.exe 1960 Paejki32.exe 1908 Pgobhcac.exe 1908 Pgobhcac.exe 1616 Pipopl32.exe 1616 Pipopl32.exe 2084 Paggai32.exe 2084 Paggai32.exe 1792 Pcfcmd32.exe 1792 Pcfcmd32.exe 536 Pjpkjond.exe 536 Pjpkjond.exe 1468 Ppmdbe32.exe 1468 Ppmdbe32.exe 1068 Pfflopdh.exe 1068 Pfflopdh.exe 1072 Piehkkcl.exe 1072 Piehkkcl.exe 2704 Pbmmcq32.exe 2704 Pbmmcq32.exe 2424 Plfamfpm.exe 2424 Plfamfpm.exe 2384 Penfelgm.exe 2384 Penfelgm.exe 660 Qnfjna32.exe 660 Qnfjna32.exe 2980 Qaefjm32.exe 2980 Qaefjm32.exe 1292 Qdccfh32.exe 1292 Qdccfh32.exe 1732 Qjmkcbcb.exe 1732 Qjmkcbcb.exe 2908 Qmlgonbe.exe 2908 Qmlgonbe.exe 1700 Adeplhib.exe 1700 Adeplhib.exe 2948 Afdlhchf.exe 2948 Afdlhchf.exe 2572 Aajpelhl.exe 2572 Aajpelhl.exe 2220 Affhncfc.exe 2220 Affhncfc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jfknbe32.exe Jcmafj32.exe File created C:\Windows\SysWOW64\Mhiaka32.dll Gepafc32.exe File opened for modification C:\Windows\SysWOW64\Fbdqmghm.exe Fpfdalii.exe File opened for modification C:\Windows\SysWOW64\Qmicohqm.exe Qjjgclai.exe File created C:\Windows\SysWOW64\Fmpkjkma.exe Fjaonpnn.exe File opened for modification C:\Windows\SysWOW64\Jabbhcfe.exe Jocflgga.exe File created C:\Windows\SysWOW64\Bhfnge32.dll Gjjmijme.exe File created C:\Windows\SysWOW64\Gdhclbka.dll Jhdlad32.exe File created C:\Windows\SysWOW64\Mfakaoam.dll Bcjcme32.exe File created C:\Windows\SysWOW64\Ckggkg32.dll Qjmkcbcb.exe File created C:\Windows\SysWOW64\Bpgljfbl.exe Amhpnkch.exe File opened for modification C:\Windows\SysWOW64\Bgdibkam.exe Biaign32.exe File created C:\Windows\SysWOW64\Kpjhkjde.exe Kgcpjmcb.exe File created C:\Windows\SysWOW64\Hqddgc32.dll Aajpelhl.exe File created C:\Windows\SysWOW64\Ddagfm32.exe Dbbkja32.exe File opened for modification C:\Windows\SysWOW64\Cadhnmnm.exe Coelaaoi.exe File created C:\Windows\SysWOW64\Gdniqh32.exe Glgaok32.exe File created C:\Windows\SysWOW64\Pohhna32.exe Pkmlmbcd.exe File created C:\Windows\SysWOW64\Pgmkloid.dll Npfgpe32.exe File created C:\Windows\SysWOW64\Nhlhki32.dll Kgbggnhc.exe File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe Fhffaj32.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Lndohedg.exe Lfmffhde.exe File created C:\Windows\SysWOW64\Famope32.exe Fjegog32.exe File opened for modification C:\Windows\SysWOW64\Pkmlmbcd.exe Phnpagdp.exe File created C:\Windows\SysWOW64\Pknmbn32.dll Alenki32.exe File opened for modification C:\Windows\SysWOW64\Ckignd32.exe Bdooajdc.exe File opened for modification C:\Windows\SysWOW64\Cnippoha.exe Cfbhnaho.exe File opened for modification C:\Windows\SysWOW64\Pflomnkb.exe Pcnbablo.exe File created C:\Windows\SysWOW64\Pkjjaebl.dll Fgldnkkf.exe File created C:\Windows\SysWOW64\Hmfjha32.exe Hiknhbcg.exe File created C:\Windows\SysWOW64\Mecbia32.dll Cdbdjhmp.exe File created C:\Windows\SysWOW64\Ibddljof.dll Lbiqfied.exe File opened for modification C:\Windows\SysWOW64\Kdnild32.exe Kekiphge.exe File created C:\Windows\SysWOW64\Dcmfoi32.dll Jnqphi32.exe File created C:\Windows\SysWOW64\Ldlimbcf.dll Kneicieh.exe File created C:\Windows\SysWOW64\Hkaglf32.exe Hhckpk32.exe File created C:\Windows\SysWOW64\Ifjlcmmj.exe Idkpganf.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Jampjian.exe File created C:\Windows\SysWOW64\Oekjjl32.exe Obmnna32.exe File created C:\Windows\SysWOW64\Hfjckino.dll Jpbalb32.exe File created C:\Windows\SysWOW64\Gqpnhgek.dll Ofbfdmeb.exe File opened for modification C:\Windows\SysWOW64\Pipopl32.exe Pgobhcac.exe File opened for modification C:\Windows\SysWOW64\Iihiphln.exe Ifjlcmmj.exe File created C:\Windows\SysWOW64\Fclomp32.dll Dgfjbgmh.exe File opened for modification C:\Windows\SysWOW64\Ffnphf32.exe Fdoclk32.exe File opened for modification C:\Windows\SysWOW64\Amcbankf.exe Aihfap32.exe File created C:\Windows\SysWOW64\Cbdiia32.exe Cpfmmf32.exe File created C:\Windows\SysWOW64\Imdbjp32.dll Neiaeiii.exe File created C:\Windows\SysWOW64\Fnpnndgp.exe Fhffaj32.exe File created C:\Windows\SysWOW64\Ahgnke32.exe Aehboi32.exe File opened for modification C:\Windows\SysWOW64\Kkaiqk32.exe Kgemplap.exe File created C:\Windows\SysWOW64\Oiahfd32.dll Ailkjmpo.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Nhdkokpa.dll Gljnej32.exe File opened for modification C:\Windows\SysWOW64\Afjjed32.exe Ackmih32.exe File created C:\Windows\SysWOW64\Abpfhcje.exe Alenki32.exe File created C:\Windows\SysWOW64\Lollckbk.exe Llnofpcg.exe File opened for modification C:\Windows\SysWOW64\Qkffng32.exe Pldebkhj.exe File created C:\Windows\SysWOW64\Cbkipjbh.dll Iafnjg32.exe File opened for modification C:\Windows\SysWOW64\Afiecb32.exe Apomfh32.exe File created C:\Windows\SysWOW64\Mcaiqm32.dll Odobjg32.exe File created C:\Windows\SysWOW64\Nebhgckp.dll Fkpjnkig.exe File opened for modification C:\Windows\SysWOW64\Gfcnegnk.exe Gceailog.exe -
Program crash 1 IoCs
pid pid_target Process 5528 5708 Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" Bbhela32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hojgfemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcegq32.dll" Gkbcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdmji32.dll" Jfliim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nameek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" Bnknoogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifjlcmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmbgfkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggpimica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbiqfied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll" Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknmbn32.dll" Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbmnbl32.dll" Ggkqmoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdhclbka.dll" Jhdlad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbobb32.dll" Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmkloid.dll" Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnmhkin.dll" Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfebgn32.dll" Eppcmncq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpkmcldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbhlek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnihdemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbid32.dll" Eeaepd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcfgc32.dll" Affhncfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghelfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anbkipok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oagcgibo.dll" Giieco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moanaiie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnheohcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcckcbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhdlad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkqqnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maphdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcjcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jocflgga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aibajhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqdefddb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjpjgjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbnhng32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1276 wrote to memory of 1736 1276 9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe 28 PID 1276 wrote to memory of 1736 1276 9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe 28 PID 1276 wrote to memory of 1736 1276 9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe 28 PID 1276 wrote to memory of 1736 1276 9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe 28 PID 1736 wrote to memory of 2604 1736 Laplei32.exe 29 PID 1736 wrote to memory of 2604 1736 Laplei32.exe 29 PID 1736 wrote to memory of 2604 1736 Laplei32.exe 29 PID 1736 wrote to memory of 2604 1736 Laplei32.exe 29 PID 2604 wrote to memory of 2688 2604 Lhjdbcef.exe 30 PID 2604 wrote to memory of 2688 2604 Lhjdbcef.exe 30 PID 2604 wrote to memory of 2688 2604 Lhjdbcef.exe 30 PID 2604 wrote to memory of 2688 2604 Lhjdbcef.exe 30 PID 2688 wrote to memory of 2500 2688 Maphdl32.exe 31 PID 2688 wrote to memory of 2500 2688 Maphdl32.exe 31 PID 2688 wrote to memory of 2500 2688 Maphdl32.exe 31 PID 2688 wrote to memory of 2500 2688 Maphdl32.exe 31 PID 2500 wrote to memory of 2708 2500 Mhnjle32.exe 32 PID 2500 wrote to memory of 2708 2500 Mhnjle32.exe 32 PID 2500 wrote to memory of 2708 2500 Mhnjle32.exe 32 PID 2500 wrote to memory of 2708 2500 Mhnjle32.exe 32 PID 2708 wrote to memory of 2584 2708 Mkmfhacp.exe 33 PID 2708 wrote to memory of 2584 2708 Mkmfhacp.exe 33 PID 2708 wrote to memory of 2584 2708 Mkmfhacp.exe 33 PID 2708 wrote to memory of 2584 2708 Mkmfhacp.exe 33 PID 2584 wrote to memory of 2252 2584 Nocemcbj.exe 34 PID 2584 wrote to memory of 2252 2584 Nocemcbj.exe 34 PID 2584 wrote to memory of 2252 2584 Nocemcbj.exe 34 PID 2584 wrote to memory of 2252 2584 Nocemcbj.exe 34 PID 2252 wrote to memory of 1572 2252 Ofbfdmeb.exe 35 PID 2252 wrote to memory of 1572 2252 Ofbfdmeb.exe 35 PID 2252 wrote to memory of 1572 2252 Ofbfdmeb.exe 35 PID 2252 wrote to memory of 1572 2252 Ofbfdmeb.exe 35 PID 1572 wrote to memory of 1956 1572 Ocomlemo.exe 36 PID 1572 wrote to memory of 1956 1572 Ocomlemo.exe 36 PID 1572 wrote to memory of 1956 1572 Ocomlemo.exe 36 PID 1572 wrote to memory of 1956 1572 Ocomlemo.exe 36 PID 1956 wrote to memory of 2156 1956 Ondajnme.exe 37 PID 1956 wrote to memory of 2156 1956 Ondajnme.exe 37 PID 1956 wrote to memory of 2156 1956 Ondajnme.exe 37 PID 1956 wrote to memory of 2156 1956 Ondajnme.exe 37 PID 2156 wrote to memory of 1960 2156 Ogmfbd32.exe 609 PID 2156 wrote to memory of 1960 2156 Ogmfbd32.exe 609 PID 2156 wrote to memory of 1960 2156 Ogmfbd32.exe 609 PID 2156 wrote to memory of 1960 2156 Ogmfbd32.exe 609 PID 1960 wrote to memory of 1908 1960 Paejki32.exe 39 PID 1960 wrote to memory of 1908 1960 Paejki32.exe 39 PID 1960 wrote to memory of 1908 1960 Paejki32.exe 39 PID 1960 wrote to memory of 1908 1960 Paejki32.exe 39 PID 1908 wrote to memory of 1616 1908 Pgobhcac.exe 40 PID 1908 wrote to memory of 1616 1908 Pgobhcac.exe 40 PID 1908 wrote to memory of 1616 1908 Pgobhcac.exe 40 PID 1908 wrote to memory of 1616 1908 Pgobhcac.exe 40 PID 1616 wrote to memory of 2084 1616 Pipopl32.exe 41 PID 1616 wrote to memory of 2084 1616 Pipopl32.exe 41 PID 1616 wrote to memory of 2084 1616 Pipopl32.exe 41 PID 1616 wrote to memory of 2084 1616 Pipopl32.exe 41 PID 2084 wrote to memory of 1792 2084 Paggai32.exe 42 PID 2084 wrote to memory of 1792 2084 Paggai32.exe 42 PID 2084 wrote to memory of 1792 2084 Paggai32.exe 42 PID 2084 wrote to memory of 1792 2084 Paggai32.exe 42 PID 1792 wrote to memory of 536 1792 Pcfcmd32.exe 43 PID 1792 wrote to memory of 536 1792 Pcfcmd32.exe 43 PID 1792 wrote to memory of 536 1792 Pcfcmd32.exe 43 PID 1792 wrote to memory of 536 1792 Pcfcmd32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9e0ceb035df2af6fff60d88e4de38f9fcbbc09ed65171c2d3cea7dc85a5669f6_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:660 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe34⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe35⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe37⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe38⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe39⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe40⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe43⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe44⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe46⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe47⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe48⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe49⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe50⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe51⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe52⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe53⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe54⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe55⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe56⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe57⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe60⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe61⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe64⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe65⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe66⤵PID:1112
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe67⤵PID:3096
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe68⤵PID:3156
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe69⤵PID:3220
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3284 -
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe71⤵PID:3356
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe72⤵PID:3420
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe73⤵PID:3476
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe74⤵PID:3532
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe75⤵PID:3592
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe76⤵PID:3652
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe77⤵PID:3704
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe78⤵
- Drops file in System32 directory
PID:3764 -
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe79⤵PID:3824
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe80⤵
- Modifies registry class
PID:3880 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3928 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe82⤵PID:3996
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe83⤵PID:4052
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe84⤵PID:2228
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe85⤵PID:328
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe86⤵PID:1332
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe87⤵PID:560
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe88⤵PID:2956
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe90⤵PID:2536
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe91⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe93⤵PID:3104
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe94⤵PID:3184
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe95⤵PID:3240
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3332 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe97⤵
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3392 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe99⤵PID:3496
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe100⤵PID:3564
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe101⤵PID:3624
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe102⤵PID:2452
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe103⤵PID:3720
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe104⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe105⤵
- Drops file in System32 directory
PID:3848 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe106⤵PID:3912
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe107⤵PID:3936
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe108⤵PID:3992
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe109⤵PID:4072
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe110⤵PID:2860
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe111⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe112⤵PID:2184
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe113⤵PID:2264
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe114⤵
- Drops file in System32 directory
PID:696 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe115⤵PID:2744
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe117⤵PID:1420
-
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe118⤵PID:2144
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe119⤵PID:1952
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe120⤵PID:2124
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe121⤵PID:3296
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-