Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 13:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe
-
Size
1024KB
-
MD5
be8d67eea07cd7293eaf7b474b36ca40
-
SHA1
63a8f96b94e5e8efafe08295045b9aa5b3c74adb
-
SHA256
ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079
-
SHA512
f41e5a893cc86b0463cd6c82da893ea417d396d298f9248566f5d316bc992a0cf22ab9036e09a1eaa0bd2fd56a2c05e85025ed9d939a29826b4d7f80621caca4
-
SSDEEP
24576:Nkfm0BmmvFimm0Xcr6VDsEqacjgqANXcolMZ5nNxvM0oL8v8WQ:NWiTWVDBzcjgBNXcolMZ5nNxvM0oLoQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklmgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onmdoioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bommnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipddi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pipopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndjfeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnimnfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bajomhbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fadminnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biojif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kklpekno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjdjmfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlljjjnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbikgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebodiofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejhlgaeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohendqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmgocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmeimhdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oomjlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbhomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hipkdnmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpkce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clilkfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddokpmfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbiipml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikkjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Melfncqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbhnhp32.exe -
Executes dropped EXE 64 IoCs
pid Process 2032 Ocajbekl.exe 2524 Pipopl32.exe 2512 Piblek32.exe 2640 Ppoqge32.exe 2496 Ppamme32.exe 2552 Qaefjm32.exe 1768 Afdlhchf.exe 1628 Affhncfc.exe 2564 Ampqjm32.exe 2292 Apcfahio.exe 1840 Bpfcgg32.exe 1604 Bommnc32.exe 1948 Bdjefj32.exe 2676 Cngcjo32.exe 324 Cphlljge.exe 1516 Comimg32.exe 1252 Ckdjbh32.exe 2824 Cfinoq32.exe 2352 Chhjkl32.exe 3036 Ddokpmfo.exe 1988 Dgmglh32.exe 2976 Dgodbh32.exe 664 Djnpnc32.exe 2000 Ddcdkl32.exe 984 Dgaqgh32.exe 900 Ddeaalpg.exe 2464 Dchali32.exe 2868 Dgdmmgpj.exe 2016 Dnneja32.exe 2712 Dcknbh32.exe 1352 Djefobmk.exe 2096 Eqonkmdh.exe 2400 Ebpkce32.exe 2980 Eflgccbp.exe 1020 Ekholjqg.exe 1576 Efncicpm.exe 2692 Eilpeooq.exe 1648 Ekklaj32.exe 1828 Ebgacddo.exe 1720 Eeempocb.exe 2944 Ejbfhfaj.exe 2364 Ealnephf.exe 676 Flabbihl.exe 1404 Fmcoja32.exe 2144 Fcmgfkeg.exe 1708 Ffkcbgek.exe 652 Fnbkddem.exe 1540 Faagpp32.exe 1812 Fhkpmjln.exe 2940 Fjilieka.exe 1556 Fmhheqje.exe 2468 Fdapak32.exe 2696 Fjlhneio.exe 2652 Fmjejphb.exe 2628 Fbgmbg32.exe 2408 Fmlapp32.exe 2448 Gonnhhln.exe 852 Gegfdb32.exe 2532 Ghfbqn32.exe 1712 Gopkmhjk.exe 1624 Gbkgnfbd.exe 304 Ghhofmql.exe 2904 Gbnccfpb.exe 2368 Gdopkn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2072 ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe 2072 ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe 2032 Ocajbekl.exe 2032 Ocajbekl.exe 2524 Pipopl32.exe 2524 Pipopl32.exe 2512 Piblek32.exe 2512 Piblek32.exe 2640 Ppoqge32.exe 2640 Ppoqge32.exe 2496 Ppamme32.exe 2496 Ppamme32.exe 2552 Qaefjm32.exe 2552 Qaefjm32.exe 1768 Afdlhchf.exe 1768 Afdlhchf.exe 1628 Affhncfc.exe 1628 Affhncfc.exe 2564 Ampqjm32.exe 2564 Ampqjm32.exe 2292 Apcfahio.exe 2292 Apcfahio.exe 1840 Bpfcgg32.exe 1840 Bpfcgg32.exe 1604 Bommnc32.exe 1604 Bommnc32.exe 1948 Bdjefj32.exe 1948 Bdjefj32.exe 2676 Cngcjo32.exe 2676 Cngcjo32.exe 324 Cphlljge.exe 324 Cphlljge.exe 1516 Comimg32.exe 1516 Comimg32.exe 1252 Ckdjbh32.exe 1252 Ckdjbh32.exe 2824 Cfinoq32.exe 2824 Cfinoq32.exe 2352 Chhjkl32.exe 2352 Chhjkl32.exe 3036 Ddokpmfo.exe 3036 Ddokpmfo.exe 1988 Dgmglh32.exe 1988 Dgmglh32.exe 2976 Dgodbh32.exe 2976 Dgodbh32.exe 664 Djnpnc32.exe 664 Djnpnc32.exe 2000 Ddcdkl32.exe 2000 Ddcdkl32.exe 984 Dgaqgh32.exe 984 Dgaqgh32.exe 900 Ddeaalpg.exe 900 Ddeaalpg.exe 2464 Dchali32.exe 2464 Dchali32.exe 2868 Dgdmmgpj.exe 2868 Dgdmmgpj.exe 2016 Dnneja32.exe 2016 Dnneja32.exe 2712 Dcknbh32.exe 2712 Dcknbh32.exe 1352 Djefobmk.exe 1352 Djefobmk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nhohda32.exe Nilhhdga.exe File created C:\Windows\SysWOW64\Gioicn32.dll Ajecmj32.exe File created C:\Windows\SysWOW64\Ekelld32.exe Edkcojga.exe File opened for modification C:\Windows\SysWOW64\Libicbma.exe Lbiqfied.exe File opened for modification C:\Windows\SysWOW64\Nilhhdga.exe Nofdklgl.exe File created C:\Windows\SysWOW64\Ocajbekl.exe ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Obafnlpn.exe Okgnab32.exe File created C:\Windows\SysWOW64\Ilpedi32.dll Bhkdeggl.exe File created C:\Windows\SysWOW64\Habfipdj.exe Hiknhbcg.exe File opened for modification C:\Windows\SysWOW64\Lgjfkk32.exe Lcojjmea.exe File opened for modification C:\Windows\SysWOW64\Nibebfpl.exe Mpjqiq32.exe File opened for modification C:\Windows\SysWOW64\Nmbknddp.exe Ndjfeo32.exe File created C:\Windows\SysWOW64\Nofdklgl.exe Npccpo32.exe File opened for modification C:\Windows\SysWOW64\Piblek32.exe Pipopl32.exe File created C:\Windows\SysWOW64\Cddfocpb.dll Kmjfdejp.exe File opened for modification C:\Windows\SysWOW64\Fjongcbl.exe Fllnlg32.exe File created C:\Windows\SysWOW64\Bmclhi32.exe Bhfcpb32.exe File opened for modification C:\Windows\SysWOW64\Eqonkmdh.exe Djefobmk.exe File created C:\Windows\SysWOW64\Echfaf32.exe Emnndlod.exe File created C:\Windows\SysWOW64\Ghmnek32.dll Acfaeq32.exe File opened for modification C:\Windows\SysWOW64\Hahjpbad.exe Hiqbndpb.exe File opened for modification C:\Windows\SysWOW64\Jcdbbloa.exe Jfqahgpg.exe File opened for modification C:\Windows\SysWOW64\Labkdack.exe Lmgocb32.exe File created C:\Windows\SysWOW64\Ppamme32.exe Ppoqge32.exe File created C:\Windows\SysWOW64\Ongdpbkl.dll Iokfhi32.exe File created C:\Windows\SysWOW64\Cekkkkhe.dll Kgpjanje.exe File opened for modification C:\Windows\SysWOW64\Kjcpii32.exe Kaklpcoc.exe File opened for modification C:\Windows\SysWOW64\Dcenlceh.exe Dfamcogo.exe File opened for modification C:\Windows\SysWOW64\Ihjnom32.exe Idnaoohk.exe File created C:\Windows\SysWOW64\Ehdqecfo.dll Gbaileio.exe File created C:\Windows\SysWOW64\Jgidao32.exe Jbllihbf.exe File opened for modification C:\Windows\SysWOW64\Pkndaa32.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Dpmqjgdc.dll Pnomcl32.exe File opened for modification C:\Windows\SysWOW64\Biojif32.exe Bbdallnd.exe File created C:\Windows\SysWOW64\Eiemmk32.dll Jhljdm32.exe File opened for modification C:\Windows\SysWOW64\Mpjqiq32.exe Magqncba.exe File created C:\Windows\SysWOW64\Aobcmana.dll Pfikmh32.exe File created C:\Windows\SysWOW64\Nldodg32.dll Meppiblm.exe File created C:\Windows\SysWOW64\Qflhbhgg.exe Pndpajgd.exe File created C:\Windows\SysWOW64\Hppiecpn.dll Ckdjbh32.exe File created C:\Windows\SysWOW64\Mmceigep.exe Mkeimlfm.exe File opened for modification C:\Windows\SysWOW64\Kmgbdo32.exe Kconkibf.exe File opened for modification C:\Windows\SysWOW64\Dbkknojp.exe Dolnad32.exe File created C:\Windows\SysWOW64\Gjdhbc32.exe Gdjpeifj.exe File opened for modification C:\Windows\SysWOW64\Lanaiahq.exe Knpemf32.exe File opened for modification C:\Windows\SysWOW64\Pmagdbci.exe Pjbjhgde.exe File created C:\Windows\SysWOW64\Kcfkfo32.exe Kmmcjehm.exe File created C:\Windows\SysWOW64\Kgoboqcm.dll Nceclqan.exe File created C:\Windows\SysWOW64\Dfamcogo.exe Dccagcgk.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Bommnc32.exe File opened for modification C:\Windows\SysWOW64\Gbkgnfbd.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Emnndlod.exe Eojnkg32.exe File created C:\Windows\SysWOW64\Fjilieka.exe Fhkpmjln.exe File created C:\Windows\SysWOW64\Jbnhng32.exe Joplbl32.exe File opened for modification C:\Windows\SysWOW64\Hoopae32.exe Hkcdafqb.exe File created C:\Windows\SysWOW64\Cgjcijfp.dll Cpkbdiqb.exe File created C:\Windows\SysWOW64\Dinhacjp.dll Ebodiofk.exe File created C:\Windows\SysWOW64\Mehjml32.dll Ngkogj32.exe File created C:\Windows\SysWOW64\Faagpp32.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Nkeelohh.exe Ndkmpe32.exe File created C:\Windows\SysWOW64\Jndkpj32.dll Fadminnn.exe File opened for modification C:\Windows\SysWOW64\Jbgkcb32.exe Jgagfi32.exe File created C:\Windows\SysWOW64\Mlaeonld.exe Libicbma.exe File created C:\Windows\SysWOW64\Dchali32.exe Ddeaalpg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5016 4928 WerFault.exe 446 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeabq32.dll" Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll" Bajomhbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dchali32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iokfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkeimlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfpclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdapak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnnp32.dll" Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceobl32.dll" Pnimnfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll" Ekholjqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjldghjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooeggp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhejlj.dll" Jgojpjem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll" Pndpajgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gellaqbd.dll" Cklmgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmagdbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkkmqnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll" Afgkfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhpfqama.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifnmmhq.dll" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnepch32.dll" Jbdonb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mapjmehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll" Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleofcd.dll" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npccpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ookmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfmdho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpqpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnimnfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmoado32.dll" Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immfnjan.dll" Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nilhhdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdkmeh32.dll" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpbahga.dll" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppmppld.dll" Mgnfhlin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afcenm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cldooj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll" Goddhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" Pnomcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll" Naimccpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdjfphi.dll" Lckdanld.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2072 wrote to memory of 2032 2072 ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe 28 PID 2072 wrote to memory of 2032 2072 ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe 28 PID 2072 wrote to memory of 2032 2072 ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe 28 PID 2072 wrote to memory of 2032 2072 ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe 28 PID 2032 wrote to memory of 2524 2032 Ocajbekl.exe 29 PID 2032 wrote to memory of 2524 2032 Ocajbekl.exe 29 PID 2032 wrote to memory of 2524 2032 Ocajbekl.exe 29 PID 2032 wrote to memory of 2524 2032 Ocajbekl.exe 29 PID 2524 wrote to memory of 2512 2524 Pipopl32.exe 30 PID 2524 wrote to memory of 2512 2524 Pipopl32.exe 30 PID 2524 wrote to memory of 2512 2524 Pipopl32.exe 30 PID 2524 wrote to memory of 2512 2524 Pipopl32.exe 30 PID 2512 wrote to memory of 2640 2512 Piblek32.exe 31 PID 2512 wrote to memory of 2640 2512 Piblek32.exe 31 PID 2512 wrote to memory of 2640 2512 Piblek32.exe 31 PID 2512 wrote to memory of 2640 2512 Piblek32.exe 31 PID 2640 wrote to memory of 2496 2640 Ppoqge32.exe 32 PID 2640 wrote to memory of 2496 2640 Ppoqge32.exe 32 PID 2640 wrote to memory of 2496 2640 Ppoqge32.exe 32 PID 2640 wrote to memory of 2496 2640 Ppoqge32.exe 32 PID 2496 wrote to memory of 2552 2496 Ppamme32.exe 33 PID 2496 wrote to memory of 2552 2496 Ppamme32.exe 33 PID 2496 wrote to memory of 2552 2496 Ppamme32.exe 33 PID 2496 wrote to memory of 2552 2496 Ppamme32.exe 33 PID 2552 wrote to memory of 1768 2552 Qaefjm32.exe 34 PID 2552 wrote to memory of 1768 2552 Qaefjm32.exe 34 PID 2552 wrote to memory of 1768 2552 Qaefjm32.exe 34 PID 2552 wrote to memory of 1768 2552 Qaefjm32.exe 34 PID 1768 wrote to memory of 1628 1768 Afdlhchf.exe 35 PID 1768 wrote to memory of 1628 1768 Afdlhchf.exe 35 PID 1768 wrote to memory of 1628 1768 Afdlhchf.exe 35 PID 1768 wrote to memory of 1628 1768 Afdlhchf.exe 35 PID 1628 wrote to memory of 2564 1628 Affhncfc.exe 36 PID 1628 wrote to memory of 2564 1628 Affhncfc.exe 36 PID 1628 wrote to memory of 2564 1628 Affhncfc.exe 36 PID 1628 wrote to memory of 2564 1628 Affhncfc.exe 36 PID 2564 wrote to memory of 2292 2564 Ampqjm32.exe 37 PID 2564 wrote to memory of 2292 2564 Ampqjm32.exe 37 PID 2564 wrote to memory of 2292 2564 Ampqjm32.exe 37 PID 2564 wrote to memory of 2292 2564 Ampqjm32.exe 37 PID 2292 wrote to memory of 1840 2292 Apcfahio.exe 38 PID 2292 wrote to memory of 1840 2292 Apcfahio.exe 38 PID 2292 wrote to memory of 1840 2292 Apcfahio.exe 38 PID 2292 wrote to memory of 1840 2292 Apcfahio.exe 38 PID 1840 wrote to memory of 1604 1840 Bpfcgg32.exe 39 PID 1840 wrote to memory of 1604 1840 Bpfcgg32.exe 39 PID 1840 wrote to memory of 1604 1840 Bpfcgg32.exe 39 PID 1840 wrote to memory of 1604 1840 Bpfcgg32.exe 39 PID 1604 wrote to memory of 1948 1604 Bommnc32.exe 40 PID 1604 wrote to memory of 1948 1604 Bommnc32.exe 40 PID 1604 wrote to memory of 1948 1604 Bommnc32.exe 40 PID 1604 wrote to memory of 1948 1604 Bommnc32.exe 40 PID 1948 wrote to memory of 2676 1948 Bdjefj32.exe 41 PID 1948 wrote to memory of 2676 1948 Bdjefj32.exe 41 PID 1948 wrote to memory of 2676 1948 Bdjefj32.exe 41 PID 1948 wrote to memory of 2676 1948 Bdjefj32.exe 41 PID 2676 wrote to memory of 324 2676 Cngcjo32.exe 42 PID 2676 wrote to memory of 324 2676 Cngcjo32.exe 42 PID 2676 wrote to memory of 324 2676 Cngcjo32.exe 42 PID 2676 wrote to memory of 324 2676 Cngcjo32.exe 42 PID 324 wrote to memory of 1516 324 Cphlljge.exe 43 PID 324 wrote to memory of 1516 324 Cphlljge.exe 43 PID 324 wrote to memory of 1516 324 Cphlljge.exe 43 PID 324 wrote to memory of 1516 324 Cphlljge.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ae2d7581a5768c916925d9ba05af7aef48d7f6709f87ad5f0f3302858a021079_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:664 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe33⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe38⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe39⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe40⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe41⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe43⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe45⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe47⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:652 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe49⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe51⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe52⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe54⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe55⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe56⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe57⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe58⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe59⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe60⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe63⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe64⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe66⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe68⤵PID:456
-
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe69⤵PID:2908
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe70⤵PID:956
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe71⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Hahjpbad.exeC:\Windows\system32\Hahjpbad.exe72⤵PID:2952
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe73⤵PID:2056
-
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe74⤵PID:1780
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe76⤵PID:3020
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe78⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe79⤵PID:2648
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe80⤵PID:2372
-
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe81⤵PID:768
-
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe82⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe83⤵PID:1816
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe84⤵PID:2132
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe85⤵
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe86⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe88⤵PID:1884
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe89⤵PID:2024
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe90⤵PID:1000
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe91⤵PID:2584
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe92⤵PID:1752
-
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe94⤵PID:2332
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe95⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe96⤵PID:2680
-
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe97⤵PID:804
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe98⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe99⤵PID:1824
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe100⤵PID:2124
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe101⤵PID:332
-
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe102⤵PID:636
-
C:\Windows\SysWOW64\Jmocpado.exeC:\Windows\system32\Jmocpado.exe103⤵PID:3044
-
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe104⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe105⤵PID:2488
-
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe107⤵PID:2440
-
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe108⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe110⤵PID:2936
-
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe111⤵PID:1776
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe112⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe113⤵
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe114⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe115⤵PID:1600
-
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe116⤵PID:1400
-
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe118⤵PID:2968
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe119⤵
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe120⤵PID:2520
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe121⤵PID:2612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-