Analysis
-
max time kernel
145s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 23:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe
-
Size
45KB
-
MD5
764de14be4cfc8b8d872f4004c6a1aa0
-
SHA1
8149d4fb5de8269f3eb8001f4cc2da379165e75b
-
SHA256
0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224
-
SHA512
11ac99f485cd1d4221ce9a8412fca438123f67e94344c3fc82fa368a674a58c2c5fdf07c6035c0881c0dbcdbd17d8cfce2a06dfa7d01580e0696d673fed12390
-
SSDEEP
768:9b14K41xFvbNNvg0IGCYUtTWw8VlrzkfJ4IZn8tspiZno/1H5M:9hHqvvbNHr1Uz8VZzkfuvuS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mponel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjdacik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkocg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfmojcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcjnfdbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bccjdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeaqig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgknkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhobddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplfdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcnonob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciagojda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cejphiik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldhdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcpfedki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hijgml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elldgehk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgflflqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfgafadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnmdgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odebolpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaheeecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlhkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnimnfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfnhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpiedieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcccpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiljam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eanldqgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiepea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onocmadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpejeihi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhnifmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkhngdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Popgboae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afkdakjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqnbhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qndkpmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbkqdepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojglhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elibpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfccei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfmbibo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amelne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Namclbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfbaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eknmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becnhgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklnff32.exe -
Executes dropped EXE 64 IoCs
pid Process 2416 Fhqbkhch.exe 3064 Gffoldhp.exe 2752 Gjdhbc32.exe 2468 Gdllkhdg.exe 2424 Glgaok32.exe 2476 Gpejeihi.exe 2732 Ghqnjk32.exe 568 Hhckpk32.exe 2676 Hlqdei32.exe 2036 Hgjefg32.exe 1896 Hmdmcanc.exe 328 Hkhnle32.exe 1972 Igonafba.exe 1632 Ipgbjl32.exe 2824 Igchlf32.exe 3024 Ipllekdl.exe 652 Ilcmjl32.exe 1556 Icmegf32.exe 2284 Jocflgga.exe 2904 Jgojpjem.exe 1224 Jqgoiokm.exe 1960 Jkmcfhkc.exe 908 Jnkpbcjg.exe 2400 Jnmlhchd.exe 2164 Jcjdpj32.exe 3052 Jmbiipml.exe 1136 Jghmfhmb.exe 2064 Kconkibf.exe 2144 Kincipnk.exe 2712 Kohkfj32.exe 2616 Kiqpop32.exe 3060 Kegqdqbl.exe 2728 Kbkameaf.exe 2536 Lmebnb32.exe 2444 Ljibgg32.exe 1880 Lfpclh32.exe 928 Lphhenhc.exe 2672 Lpjdjmfp.exe 1404 Mbkmlh32.exe 560 Mponel32.exe 808 Migbnb32.exe 3048 Mbpgggol.exe 2548 Meppiblm.exe 1420 Mmldme32.exe 3036 Nljddpfe.exe 436 Oebimf32.exe 1748 Ookmfk32.exe 1492 Oegbheiq.exe 2396 Oancnfoe.exe 856 Ohhkjp32.exe 2180 Okfgfl32.exe 624 Odoloalf.exe 1936 Pkidlk32.exe 2896 Pngphgbf.exe 2552 Pgpeal32.exe 2748 Pnimnfpc.exe 2740 Pgbafl32.exe 2488 Picnndmb.exe 2580 Pcibkm32.exe 2960 Pjbjhgde.exe 2520 Poocpnbm.exe 2792 Pbnoliap.exe 1712 Pihgic32.exe 1460 Qbplbi32.exe -
Loads dropped DLL 64 IoCs
pid Process 2192 0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe 2192 0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe 2416 Fhqbkhch.exe 2416 Fhqbkhch.exe 3064 Gffoldhp.exe 3064 Gffoldhp.exe 2752 Gjdhbc32.exe 2752 Gjdhbc32.exe 2468 Gdllkhdg.exe 2468 Gdllkhdg.exe 2424 Glgaok32.exe 2424 Glgaok32.exe 2476 Gpejeihi.exe 2476 Gpejeihi.exe 2732 Ghqnjk32.exe 2732 Ghqnjk32.exe 568 Hhckpk32.exe 568 Hhckpk32.exe 2676 Hlqdei32.exe 2676 Hlqdei32.exe 2036 Hgjefg32.exe 2036 Hgjefg32.exe 1896 Hmdmcanc.exe 1896 Hmdmcanc.exe 328 Hkhnle32.exe 328 Hkhnle32.exe 1972 Igonafba.exe 1972 Igonafba.exe 1632 Ipgbjl32.exe 1632 Ipgbjl32.exe 2824 Igchlf32.exe 2824 Igchlf32.exe 3024 Ipllekdl.exe 3024 Ipllekdl.exe 652 Ilcmjl32.exe 652 Ilcmjl32.exe 1556 Icmegf32.exe 1556 Icmegf32.exe 2284 Jocflgga.exe 2284 Jocflgga.exe 2904 Jgojpjem.exe 2904 Jgojpjem.exe 1224 Jqgoiokm.exe 1224 Jqgoiokm.exe 1960 Jkmcfhkc.exe 1960 Jkmcfhkc.exe 908 Jnkpbcjg.exe 908 Jnkpbcjg.exe 2400 Jnmlhchd.exe 2400 Jnmlhchd.exe 2164 Jcjdpj32.exe 2164 Jcjdpj32.exe 3052 Jmbiipml.exe 3052 Jmbiipml.exe 1136 Jghmfhmb.exe 1136 Jghmfhmb.exe 2064 Kconkibf.exe 2064 Kconkibf.exe 2144 Kincipnk.exe 2144 Kincipnk.exe 2712 Kohkfj32.exe 2712 Kohkfj32.exe 2616 Kiqpop32.exe 2616 Kiqpop32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ehkhaqpk.exe Ecnoijbd.exe File opened for modification C:\Windows\SysWOW64\Golbnm32.exe Gmmfaa32.exe File created C:\Windows\SysWOW64\Dcjkhi32.dll Foahmh32.exe File created C:\Windows\SysWOW64\Bhonjg32.exe Bhmaeg32.exe File created C:\Windows\SysWOW64\Lmpgcm32.dll Oebimf32.exe File created C:\Windows\SysWOW64\Poocpnbm.exe Pjbjhgde.exe File created C:\Windows\SysWOW64\Ehakigbo.exe Ebgclm32.exe File created C:\Windows\SysWOW64\Nfamoi32.dll Djgkii32.exe File opened for modification C:\Windows\SysWOW64\Oidiekdn.exe Odgamdef.exe File created C:\Windows\SysWOW64\Dociji32.dll Ohbikbkb.exe File created C:\Windows\SysWOW64\Bedolome.dll Jcjdpj32.exe File opened for modification C:\Windows\SysWOW64\Fqomci32.exe Fjeefofk.exe File created C:\Windows\SysWOW64\Popnbp32.dll Elldgehk.exe File created C:\Windows\SysWOW64\Apgahbgk.dll Ibejdjln.exe File created C:\Windows\SysWOW64\Hgojdj32.dll Ghofam32.exe File created C:\Windows\SysWOW64\Hmlkfo32.exe Hinbppna.exe File created C:\Windows\SysWOW64\Nblpfepo.exe Nkegeg32.exe File opened for modification C:\Windows\SysWOW64\Opplolac.exe Oifdbb32.exe File created C:\Windows\SysWOW64\Idgglb32.exe Ibejdjln.exe File created C:\Windows\SysWOW64\Jbhfdd32.dll Iknpkd32.exe File created C:\Windows\SysWOW64\Coalledf.dll Cmfkfa32.exe File opened for modification C:\Windows\SysWOW64\Djgkii32.exe Dhiomn32.exe File created C:\Windows\SysWOW64\Odecjfnl.dll Acicla32.exe File created C:\Windows\SysWOW64\Lclknm32.dll Bnochnpm.exe File created C:\Windows\SysWOW64\Paenhpdh.dll Picnndmb.exe File opened for modification C:\Windows\SysWOW64\Fhgnge32.exe Fbmfkkbm.exe File opened for modification C:\Windows\SysWOW64\Hgflflqg.exe Hmlkfo32.exe File opened for modification C:\Windows\SysWOW64\Pgpgjepk.exe Pdonhj32.exe File created C:\Windows\SysWOW64\Golbnm32.exe Gmmfaa32.exe File created C:\Windows\SysWOW64\Hgkfal32.exe Hbnmienj.exe File created C:\Windows\SysWOW64\Hbnmienj.exe Hghillnd.exe File created C:\Windows\SysWOW64\Klihnmmj.dll Jfdhmk32.exe File created C:\Windows\SysWOW64\Mphaobfe.dll Ojeobm32.exe File created C:\Windows\SysWOW64\Bdkgocpm.exe Bbikgk32.exe File opened for modification C:\Windows\SysWOW64\Fofpoo32.exe Fdpkbf32.exe File created C:\Windows\SysWOW64\Lcomce32.exe Lqqpgj32.exe File created C:\Windows\SysWOW64\Fghiml32.dll Dgknkf32.exe File created C:\Windows\SysWOW64\Jqgoiokm.exe Jgojpjem.exe File opened for modification C:\Windows\SysWOW64\Kiqpop32.exe Kohkfj32.exe File created C:\Windows\SysWOW64\Dhfnel32.dll Kcamjb32.exe File opened for modification C:\Windows\SysWOW64\Emoldlmc.exe Efedga32.exe File created C:\Windows\SysWOW64\Jocflgga.exe Icmegf32.exe File created C:\Windows\SysWOW64\Pqgono32.dll Deollamj.exe File created C:\Windows\SysWOW64\Qjdaldla.dll Mnmpdlac.exe File created C:\Windows\SysWOW64\Qkkmqnck.exe Qbbhgi32.exe File created C:\Windows\SysWOW64\Deojci32.exe Dodafoni.exe File opened for modification C:\Windows\SysWOW64\Dbiocd32.exe Deenjpcd.exe File created C:\Windows\SysWOW64\Mchoid32.exe Mmogmjmn.exe File created C:\Windows\SysWOW64\Ckmhkeef.dll Jmipdo32.exe File created C:\Windows\SysWOW64\Amnfnfgg.exe Aecaidjl.exe File opened for modification C:\Windows\SysWOW64\Oaffbqaa.exe Oklnff32.exe File created C:\Windows\SysWOW64\Bccjdnbi.exe Agljom32.exe File opened for modification C:\Windows\SysWOW64\Japciodd.exe Jfjolf32.exe File created C:\Windows\SysWOW64\Elcdcgcc.exe Egglkp32.exe File opened for modification C:\Windows\SysWOW64\Dlljaj32.exe Dfpaic32.exe File opened for modification C:\Windows\SysWOW64\Bhonjg32.exe Bhmaeg32.exe File created C:\Windows\SysWOW64\Jgifkl32.dll Oeaqig32.exe File created C:\Windows\SysWOW64\Cdmepgce.exe Cmfmojcb.exe File opened for modification C:\Windows\SysWOW64\Fmfnhj32.exe Fkdaqa32.exe File created C:\Windows\SysWOW64\Hqfaldbo.exe Hjlioj32.exe File created C:\Windows\SysWOW64\Aplpbjee.dll Iliebpfc.exe File created C:\Windows\SysWOW64\Fkiolmdc.dll Fogibnha.exe File created C:\Windows\SysWOW64\Knmdeioh.exe Kcgphp32.exe File created C:\Windows\SysWOW64\Mgdeifom.dll Danpemej.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3500 3372 WerFault.exe 763 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiljam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foahmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abkhkgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdodbpja.dll" Mihdgkpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnpaigk.dll" Piabdiep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkidlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll" Beejng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" Pnimnfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejdiffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebgclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhgbm32.dll" Pddnnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfoeb32.dll" Pbemboof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehjehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iecdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piaincdp.dll" Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjipagod.dll" Einjdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimbclh.dll" Ngpqfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll" Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhiplmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqejbiim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkaehb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoajel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okgjodmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbgnak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meoell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjnan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhnkffeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbahid32.dll" Dfmeccao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feggob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfpclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cegcbjkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldhjg32.dll" Hbkqdepm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingkfk32.dll" Aqmamm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpbglhjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdkjmip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gajqbakc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehjehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcibhnqq.dll" Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhilkege.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injqmdki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnhlbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pohfehdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikjhki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfkqifa.dll" Mpopnejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfnpea32.dll" Gmmfaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodafoni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkloned.dll" Qkibcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kipmhc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2192 wrote to memory of 2416 2192 0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe 28 PID 2192 wrote to memory of 2416 2192 0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe 28 PID 2192 wrote to memory of 2416 2192 0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe 28 PID 2192 wrote to memory of 2416 2192 0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 3064 2416 Fhqbkhch.exe 29 PID 2416 wrote to memory of 3064 2416 Fhqbkhch.exe 29 PID 2416 wrote to memory of 3064 2416 Fhqbkhch.exe 29 PID 2416 wrote to memory of 3064 2416 Fhqbkhch.exe 29 PID 3064 wrote to memory of 2752 3064 Gffoldhp.exe 30 PID 3064 wrote to memory of 2752 3064 Gffoldhp.exe 30 PID 3064 wrote to memory of 2752 3064 Gffoldhp.exe 30 PID 3064 wrote to memory of 2752 3064 Gffoldhp.exe 30 PID 2752 wrote to memory of 2468 2752 Gjdhbc32.exe 31 PID 2752 wrote to memory of 2468 2752 Gjdhbc32.exe 31 PID 2752 wrote to memory of 2468 2752 Gjdhbc32.exe 31 PID 2752 wrote to memory of 2468 2752 Gjdhbc32.exe 31 PID 2468 wrote to memory of 2424 2468 Gdllkhdg.exe 32 PID 2468 wrote to memory of 2424 2468 Gdllkhdg.exe 32 PID 2468 wrote to memory of 2424 2468 Gdllkhdg.exe 32 PID 2468 wrote to memory of 2424 2468 Gdllkhdg.exe 32 PID 2424 wrote to memory of 2476 2424 Glgaok32.exe 33 PID 2424 wrote to memory of 2476 2424 Glgaok32.exe 33 PID 2424 wrote to memory of 2476 2424 Glgaok32.exe 33 PID 2424 wrote to memory of 2476 2424 Glgaok32.exe 33 PID 2476 wrote to memory of 2732 2476 Gpejeihi.exe 34 PID 2476 wrote to memory of 2732 2476 Gpejeihi.exe 34 PID 2476 wrote to memory of 2732 2476 Gpejeihi.exe 34 PID 2476 wrote to memory of 2732 2476 Gpejeihi.exe 34 PID 2732 wrote to memory of 568 2732 Ghqnjk32.exe 35 PID 2732 wrote to memory of 568 2732 Ghqnjk32.exe 35 PID 2732 wrote to memory of 568 2732 Ghqnjk32.exe 35 PID 2732 wrote to memory of 568 2732 Ghqnjk32.exe 35 PID 568 wrote to memory of 2676 568 Hhckpk32.exe 36 PID 568 wrote to memory of 2676 568 Hhckpk32.exe 36 PID 568 wrote to memory of 2676 568 Hhckpk32.exe 36 PID 568 wrote to memory of 2676 568 Hhckpk32.exe 36 PID 2676 wrote to memory of 2036 2676 Hlqdei32.exe 37 PID 2676 wrote to memory of 2036 2676 Hlqdei32.exe 37 PID 2676 wrote to memory of 2036 2676 Hlqdei32.exe 37 PID 2676 wrote to memory of 2036 2676 Hlqdei32.exe 37 PID 2036 wrote to memory of 1896 2036 Hgjefg32.exe 38 PID 2036 wrote to memory of 1896 2036 Hgjefg32.exe 38 PID 2036 wrote to memory of 1896 2036 Hgjefg32.exe 38 PID 2036 wrote to memory of 1896 2036 Hgjefg32.exe 38 PID 1896 wrote to memory of 328 1896 Hmdmcanc.exe 39 PID 1896 wrote to memory of 328 1896 Hmdmcanc.exe 39 PID 1896 wrote to memory of 328 1896 Hmdmcanc.exe 39 PID 1896 wrote to memory of 328 1896 Hmdmcanc.exe 39 PID 328 wrote to memory of 1972 328 Hkhnle32.exe 40 PID 328 wrote to memory of 1972 328 Hkhnle32.exe 40 PID 328 wrote to memory of 1972 328 Hkhnle32.exe 40 PID 328 wrote to memory of 1972 328 Hkhnle32.exe 40 PID 1972 wrote to memory of 1632 1972 Igonafba.exe 41 PID 1972 wrote to memory of 1632 1972 Igonafba.exe 41 PID 1972 wrote to memory of 1632 1972 Igonafba.exe 41 PID 1972 wrote to memory of 1632 1972 Igonafba.exe 41 PID 1632 wrote to memory of 2824 1632 Ipgbjl32.exe 42 PID 1632 wrote to memory of 2824 1632 Ipgbjl32.exe 42 PID 1632 wrote to memory of 2824 1632 Ipgbjl32.exe 42 PID 1632 wrote to memory of 2824 1632 Ipgbjl32.exe 42 PID 2824 wrote to memory of 3024 2824 Igchlf32.exe 43 PID 2824 wrote to memory of 3024 2824 Igchlf32.exe 43 PID 2824 wrote to memory of 3024 2824 Igchlf32.exe 43 PID 2824 wrote to memory of 3024 2824 Igchlf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0a853de5d24e6e1f1fcce66c2d4af64c2df36d0c35ef3d731cc2c3fcf497e224_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Hhckpk32.exeC:\Windows\system32\Hhckpk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:652 -
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Kiqpop32.exeC:\Windows\system32\Kiqpop32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe33⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe34⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe35⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe36⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe38⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe39⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe42⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe43⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe44⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe45⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe46⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe48⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe49⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe50⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe51⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe52⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe53⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Pngphgbf.exeC:\Windows\system32\Pngphgbf.exe55⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Pgpeal32.exeC:\Windows\system32\Pgpeal32.exe56⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pnimnfpc.exeC:\Windows\system32\Pnimnfpc.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe58⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Picnndmb.exeC:\Windows\system32\Picnndmb.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe60⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe62⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe63⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe64⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Qbplbi32.exeC:\Windows\system32\Qbplbi32.exe65⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe66⤵PID:828
-
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1128 -
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe69⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe70⤵PID:2340
-
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe71⤵PID:388
-
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe72⤵PID:1836
-
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe73⤵PID:1828
-
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe74⤵PID:2384
-
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe75⤵PID:2980
-
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe76⤵PID:2964
-
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe80⤵PID:1432
-
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe81⤵PID:2000
-
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe82⤵PID:1912
-
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe83⤵PID:1588
-
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Bhajdblk.exeC:\Windows\system32\Bhajdblk.exe85⤵PID:1164
-
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe86⤵
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe87⤵
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe88⤵PID:1812
-
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe89⤵PID:1560
-
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe90⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Bdkgocpm.exeC:\Windows\system32\Bdkgocpm.exe91⤵PID:1116
-
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe92⤵PID:2156
-
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe93⤵
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe94⤵PID:1716
-
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe95⤵PID:2764
-
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe96⤵PID:2464
-
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe97⤵PID:2848
-
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe98⤵PID:1124
-
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe99⤵PID:1356
-
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe100⤵PID:1696
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe101⤵PID:1684
-
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe102⤵PID:940
-
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe103⤵PID:1572
-
C:\Windows\SysWOW64\Cegcbjkn.exeC:\Windows\system32\Cegcbjkn.exe104⤵
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe105⤵PID:1204
-
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1924 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe108⤵PID:3000
-
C:\Windows\SysWOW64\Delmmigh.exeC:\Windows\system32\Delmmigh.exe109⤵PID:1728
-
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe110⤵PID:2244
-
C:\Windows\SysWOW64\Dodafoni.exeC:\Windows\system32\Dodafoni.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe112⤵PID:2948
-
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe113⤵PID:2648
-
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe114⤵PID:1968
-
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe116⤵PID:2288
-
C:\Windows\SysWOW64\Ddfcje32.exeC:\Windows\system32\Ddfcje32.exe117⤵PID:2380
-
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe118⤵PID:1984
-
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe119⤵PID:1008
-
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe120⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe121⤵PID:2184
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-