Analysis
-
max time kernel
148s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 18:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe
-
Size
256KB
-
MD5
37f5ab1d41d846954df70bb4e97a1da0
-
SHA1
2f786ebacdff49d48c49695a0dac7dac5673cdd9
-
SHA256
b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e
-
SHA512
e92683cca34f99e8f9c1e41da62061ae7dbb0d7e1496205975810243433ca64f14e3b155ba1c96be4510160b077a56b03757d54942a0d558815f6c766d92d4f5
-
SSDEEP
3072:JQkRk7I2wgJ4kWRfafD2mCUQ1UkY1UkVHe1rUtst76UtoUtFVgtRQ2c+j:xRdVe4kUafDiv1PY1PRe19V+j
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcaafk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggdekbgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifmimch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefmcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejcofica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfieigio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pddjlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeoijidl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dppigchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfnckhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeadap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgbipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baigca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medeaaej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehhdkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnbkbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgogealf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqehjecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpajbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okinik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlkngc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jondnnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjhmcok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elfaifaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgmeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgigil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmobhmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgpgjepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifengpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccbbachm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chgnneiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmjlhfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalhqohl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpphhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glfgnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heikgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmeoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbgckgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghacfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Libjncnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcodqkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcdfnehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gajjhkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfpnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkbgckgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hofngkga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmhglq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddfebnoo.exe -
Executes dropped EXE 64 IoCs
pid Process 3024 Jqlhdo32.exe 2740 Jcmafj32.exe 2748 Kfmjgeaj.exe 2588 Kincipnk.exe 2448 Kegqdqbl.exe 1312 Leimip32.exe 580 Lmgocb32.exe 2804 Lfbpag32.exe 592 Mffimglk.exe 1964 Mkhofjoj.exe 1060 Mlhkpm32.exe 568 Mpjqiq32.exe 2568 Npojdpef.exe 1628 Nmbknddp.exe 2288 Ookmfk32.exe 2596 Okdkal32.exe 3052 Ogmhkmki.exe 2336 Pmjqcc32.exe 2124 Pcfefmnk.exe 1672 Piekcd32.exe 984 Pihgic32.exe 1244 Qflhbhgg.exe 316 Qbbhgi32.exe 960 Aecaidjl.exe 576 Annbhi32.exe 1300 Bfpnmj32.exe 1040 Bhfcpb32.exe 2800 Bejdiffp.exe 2704 Chkmkacq.exe 3036 Cbdnko32.exe 2644 Cddjebgb.exe 2280 Cgdcgm32.exe 2672 Ddomif32.exe 1996 Dacnbjml.exe 1052 Dgpfkakd.exe 784 Ddfcje32.exe 1064 Ddhpod32.exe 1788 Elfaifaq.exe 2004 Ebefgm32.exe 2192 Fnndan32.exe 948 Fkbdkb32.exe 940 Fcmiod32.exe 1636 Fgkbeb32.exe 1848 Fgnokb32.exe 1544 Fcdopc32.exe 912 Gbjlaplk.exe 3020 Gmoqnhla.exe 2120 Gejebk32.exe 2876 Gihniioc.exe 768 Gngcgp32.exe 904 Hfbhkb32.exe 2872 Hpkldg32.exe 1260 Hicqmmfc.exe 1360 Hbleeb32.exe 2104 Hbnbkbja.exe 2112 Hmcfhkjg.exe 2612 Hbqoqbho.exe 2772 Ipdojfgh.exe 2508 Ieagbm32.exe 2976 Iecdhm32.exe 472 Ioliqbjn.exe 388 Ikbifcpb.exe 2928 Ihfjognl.exe 2432 Incbgnmc.exe -
Loads dropped DLL 64 IoCs
pid Process 1252 b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe 1252 b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe 3024 Jqlhdo32.exe 3024 Jqlhdo32.exe 2740 Jcmafj32.exe 2740 Jcmafj32.exe 2748 Kfmjgeaj.exe 2748 Kfmjgeaj.exe 2588 Kincipnk.exe 2588 Kincipnk.exe 2448 Kegqdqbl.exe 2448 Kegqdqbl.exe 1312 Leimip32.exe 1312 Leimip32.exe 580 Lmgocb32.exe 580 Lmgocb32.exe 2804 Lfbpag32.exe 2804 Lfbpag32.exe 592 Mffimglk.exe 592 Mffimglk.exe 1964 Mkhofjoj.exe 1964 Mkhofjoj.exe 1060 Mlhkpm32.exe 1060 Mlhkpm32.exe 568 Mpjqiq32.exe 568 Mpjqiq32.exe 2568 Npojdpef.exe 2568 Npojdpef.exe 1628 Nmbknddp.exe 1628 Nmbknddp.exe 2288 Ookmfk32.exe 2288 Ookmfk32.exe 2596 Okdkal32.exe 2596 Okdkal32.exe 3052 Ogmhkmki.exe 3052 Ogmhkmki.exe 2336 Pmjqcc32.exe 2336 Pmjqcc32.exe 2124 Pcfefmnk.exe 2124 Pcfefmnk.exe 1672 Piekcd32.exe 1672 Piekcd32.exe 984 Pihgic32.exe 984 Pihgic32.exe 1244 Qflhbhgg.exe 1244 Qflhbhgg.exe 316 Qbbhgi32.exe 316 Qbbhgi32.exe 960 Aecaidjl.exe 960 Aecaidjl.exe 576 Annbhi32.exe 576 Annbhi32.exe 1300 Bfpnmj32.exe 1300 Bfpnmj32.exe 1040 Bhfcpb32.exe 1040 Bhfcpb32.exe 2800 Bejdiffp.exe 2800 Bejdiffp.exe 2704 Chkmkacq.exe 2704 Chkmkacq.exe 3036 Cbdnko32.exe 3036 Cbdnko32.exe 2644 Cddjebgb.exe 2644 Cddjebgb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aeghng32.exe Aompambg.exe File created C:\Windows\SysWOW64\Aanibhoh.exe Aeghng32.exe File created C:\Windows\SysWOW64\Hilcfe32.dll Dmepkn32.exe File created C:\Windows\SysWOW64\Jefbnacn.exe Jnmiag32.exe File created C:\Windows\SysWOW64\Jhbold32.exe Jlkngc32.exe File created C:\Windows\SysWOW64\Knfddo32.dll Jbfilffm.exe File created C:\Windows\SysWOW64\Bndneq32.dll Kfaalh32.exe File created C:\Windows\SysWOW64\Kggedf32.dll Jjpgfbom.exe File opened for modification C:\Windows\SysWOW64\Knhjjj32.exe Kkjnnn32.exe File opened for modification C:\Windows\SysWOW64\Dhhhbg32.exe Danpemej.exe File created C:\Windows\SysWOW64\Ekmfne32.exe Edcnakpa.exe File created C:\Windows\SysWOW64\Aehlpleg.dll Klhgfq32.exe File opened for modification C:\Windows\SysWOW64\Bgddam32.exe Bedhgj32.exe File opened for modification C:\Windows\SysWOW64\Cqleifna.exe Cgdqpq32.exe File created C:\Windows\SysWOW64\Inncclpb.dll Jahbmlil.exe File created C:\Windows\SysWOW64\Agmceh32.dll Kfmjgeaj.exe File created C:\Windows\SysWOW64\Pgcmbcih.exe Pdeqfhjd.exe File created C:\Windows\SysWOW64\Lqipkhbj.exe Lnjcomcf.exe File opened for modification C:\Windows\SysWOW64\Gajjhkgh.exe Ggdekbgb.exe File created C:\Windows\SysWOW64\Hclmphpn.dll Cjoilfek.exe File created C:\Windows\SysWOW64\Dboglhna.exe Ddkgbc32.exe File created C:\Windows\SysWOW64\Bbllnlfd.exe Bdhleh32.exe File opened for modification C:\Windows\SysWOW64\Fkbgckgd.exe Fgdnnl32.exe File opened for modification C:\Windows\SysWOW64\Oflpgnld.exe Oaogognm.exe File opened for modification C:\Windows\SysWOW64\Faonom32.exe Fgjjad32.exe File created C:\Windows\SysWOW64\Ofobgc32.exe Okinik32.exe File opened for modification C:\Windows\SysWOW64\Liqoflfh.exe Lcdfnehp.exe File created C:\Windows\SysWOW64\Binbknik.dll Aakjdo32.exe File created C:\Windows\SysWOW64\Kmobhmnn.exe Kgbipf32.exe File created C:\Windows\SysWOW64\Lmdkcl32.exe Lclgjg32.exe File created C:\Windows\SysWOW64\Aipfmane.exe Qogbdl32.exe File created C:\Windows\SysWOW64\Pdonhj32.exe Ogknoe32.exe File opened for modification C:\Windows\SysWOW64\Enlidg32.exe Eklqcl32.exe File created C:\Windows\SysWOW64\Lpdonf32.dll Knfndjdp.exe File opened for modification C:\Windows\SysWOW64\Jpajbl32.exe Jfieigio.exe File opened for modification C:\Windows\SysWOW64\Ifengpdh.exe Ijnnao32.exe File created C:\Windows\SysWOW64\Mkhofjoj.exe Mffimglk.exe File created C:\Windows\SysWOW64\Dkebqmfj.dll Pncjad32.exe File opened for modification C:\Windows\SysWOW64\Ngeljh32.exe Nnlhab32.exe File created C:\Windows\SysWOW64\Pgpgjepk.exe Pkifdd32.exe File created C:\Windows\SysWOW64\Aficjnpm.exe Akcomepg.exe File opened for modification C:\Windows\SysWOW64\Pljnkodm.exe Pbajbi32.exe File created C:\Windows\SysWOW64\Fapgblob.exe Fbkjap32.exe File created C:\Windows\SysWOW64\Jeadap32.exe Jliohkak.exe File opened for modification C:\Windows\SysWOW64\Jondnnbk.exe Jialfgcc.exe File created C:\Windows\SysWOW64\Nloone32.dll Caifjn32.exe File opened for modification C:\Windows\SysWOW64\Blfapfpg.exe Apppkekc.exe File opened for modification C:\Windows\SysWOW64\Llepen32.exe Lekghdad.exe File opened for modification C:\Windows\SysWOW64\Ifpelq32.exe Icbipe32.exe File created C:\Windows\SysWOW64\Okbpde32.exe Obgkpb32.exe File created C:\Windows\SysWOW64\Idejihgk.dll Fjlmpfhg.exe File created C:\Windows\SysWOW64\Nmjkle32.dll Ecadddjh.exe File opened for modification C:\Windows\SysWOW64\Ebfqfpop.exe Emjhmipi.exe File created C:\Windows\SysWOW64\Dhklna32.exe Dhiphb32.exe File opened for modification C:\Windows\SysWOW64\Dnjalhpp.exe Dbdagg32.exe File opened for modification C:\Windows\SysWOW64\Ejcofica.exe Empomd32.exe File created C:\Windows\SysWOW64\Kcdjoaee.exe Kbdmeoob.exe File created C:\Windows\SysWOW64\Blfapfpg.exe Apppkekc.exe File created C:\Windows\SysWOW64\Ecgjdong.exe Dnjalhpp.exe File created C:\Windows\SysWOW64\Ppdfimji.exe Pncjad32.exe File created C:\Windows\SysWOW64\Hcijqc32.dll Gjojef32.exe File created C:\Windows\SysWOW64\Pddjlb32.exe Pjleclph.exe File created C:\Windows\SysWOW64\Kjigmkld.dll Aiaoclgl.exe File created C:\Windows\SysWOW64\Bfjpjn32.dll Gieommdc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3792 2084 WerFault.exe 715 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlefhcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll" Cpiaipmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enmnahnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nadimacd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplqiiqb.dll" Ekmfne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Paiche32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhikme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bplijcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meicnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekohgi32.dll" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiafee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdnncfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafbbbmg.dll" Affdle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknedeoi.dll" Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcnghm32.dll" Bbonei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqfbdfga.dll" Oqennbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepejfpc.dll" Jkgcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbemfbdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifengpdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Affdle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmmlkl.dll" Paiche32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohodj32.dll" Gmoqnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kablnadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkmocpf.dll" Fcdopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hloiib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlckbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eifmimch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ookmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogmhkmki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpiaipmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeoijidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icncgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfllkece.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkcpei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfpecqda.dll" Mjkndb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baclaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdlhpmb.dll" Ddomif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbddqihf.dll" Kbaglpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjigmkld.dll" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnbpqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpccfogk.dll" Hmglajcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jagnlkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdapnj32.dll" Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofljekhm.dll" Fgkbeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqmjnk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1252 wrote to memory of 3024 1252 b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe 28 PID 1252 wrote to memory of 3024 1252 b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe 28 PID 1252 wrote to memory of 3024 1252 b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe 28 PID 1252 wrote to memory of 3024 1252 b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe 28 PID 3024 wrote to memory of 2740 3024 Jqlhdo32.exe 29 PID 3024 wrote to memory of 2740 3024 Jqlhdo32.exe 29 PID 3024 wrote to memory of 2740 3024 Jqlhdo32.exe 29 PID 3024 wrote to memory of 2740 3024 Jqlhdo32.exe 29 PID 2740 wrote to memory of 2748 2740 Jcmafj32.exe 30 PID 2740 wrote to memory of 2748 2740 Jcmafj32.exe 30 PID 2740 wrote to memory of 2748 2740 Jcmafj32.exe 30 PID 2740 wrote to memory of 2748 2740 Jcmafj32.exe 30 PID 2748 wrote to memory of 2588 2748 Kfmjgeaj.exe 31 PID 2748 wrote to memory of 2588 2748 Kfmjgeaj.exe 31 PID 2748 wrote to memory of 2588 2748 Kfmjgeaj.exe 31 PID 2748 wrote to memory of 2588 2748 Kfmjgeaj.exe 31 PID 2588 wrote to memory of 2448 2588 Kincipnk.exe 32 PID 2588 wrote to memory of 2448 2588 Kincipnk.exe 32 PID 2588 wrote to memory of 2448 2588 Kincipnk.exe 32 PID 2588 wrote to memory of 2448 2588 Kincipnk.exe 32 PID 2448 wrote to memory of 1312 2448 Kegqdqbl.exe 33 PID 2448 wrote to memory of 1312 2448 Kegqdqbl.exe 33 PID 2448 wrote to memory of 1312 2448 Kegqdqbl.exe 33 PID 2448 wrote to memory of 1312 2448 Kegqdqbl.exe 33 PID 1312 wrote to memory of 580 1312 Leimip32.exe 34 PID 1312 wrote to memory of 580 1312 Leimip32.exe 34 PID 1312 wrote to memory of 580 1312 Leimip32.exe 34 PID 1312 wrote to memory of 580 1312 Leimip32.exe 34 PID 580 wrote to memory of 2804 580 Lmgocb32.exe 35 PID 580 wrote to memory of 2804 580 Lmgocb32.exe 35 PID 580 wrote to memory of 2804 580 Lmgocb32.exe 35 PID 580 wrote to memory of 2804 580 Lmgocb32.exe 35 PID 2804 wrote to memory of 592 2804 Lfbpag32.exe 36 PID 2804 wrote to memory of 592 2804 Lfbpag32.exe 36 PID 2804 wrote to memory of 592 2804 Lfbpag32.exe 36 PID 2804 wrote to memory of 592 2804 Lfbpag32.exe 36 PID 592 wrote to memory of 1964 592 Mffimglk.exe 37 PID 592 wrote to memory of 1964 592 Mffimglk.exe 37 PID 592 wrote to memory of 1964 592 Mffimglk.exe 37 PID 592 wrote to memory of 1964 592 Mffimglk.exe 37 PID 1964 wrote to memory of 1060 1964 Mkhofjoj.exe 38 PID 1964 wrote to memory of 1060 1964 Mkhofjoj.exe 38 PID 1964 wrote to memory of 1060 1964 Mkhofjoj.exe 38 PID 1964 wrote to memory of 1060 1964 Mkhofjoj.exe 38 PID 1060 wrote to memory of 568 1060 Mlhkpm32.exe 39 PID 1060 wrote to memory of 568 1060 Mlhkpm32.exe 39 PID 1060 wrote to memory of 568 1060 Mlhkpm32.exe 39 PID 1060 wrote to memory of 568 1060 Mlhkpm32.exe 39 PID 568 wrote to memory of 2568 568 Mpjqiq32.exe 40 PID 568 wrote to memory of 2568 568 Mpjqiq32.exe 40 PID 568 wrote to memory of 2568 568 Mpjqiq32.exe 40 PID 568 wrote to memory of 2568 568 Mpjqiq32.exe 40 PID 2568 wrote to memory of 1628 2568 Npojdpef.exe 41 PID 2568 wrote to memory of 1628 2568 Npojdpef.exe 41 PID 2568 wrote to memory of 1628 2568 Npojdpef.exe 41 PID 2568 wrote to memory of 1628 2568 Npojdpef.exe 41 PID 1628 wrote to memory of 2288 1628 Nmbknddp.exe 42 PID 1628 wrote to memory of 2288 1628 Nmbknddp.exe 42 PID 1628 wrote to memory of 2288 1628 Nmbknddp.exe 42 PID 1628 wrote to memory of 2288 1628 Nmbknddp.exe 42 PID 2288 wrote to memory of 2596 2288 Ookmfk32.exe 43 PID 2288 wrote to memory of 2596 2288 Ookmfk32.exe 43 PID 2288 wrote to memory of 2596 2288 Ookmfk32.exe 43 PID 2288 wrote to memory of 2596 2288 Ookmfk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\b6e1ed6f232b7f765a4853ef05b8de82638e46f0f66b8e6a17dcd2ec8283659e_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Mlhkpm32.exeC:\Windows\system32\Mlhkpm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Pcfefmnk.exeC:\Windows\system32\Pcfefmnk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1244 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Chkmkacq.exeC:\Windows\system32\Chkmkacq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe33⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe35⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe36⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Ddfcje32.exeC:\Windows\system32\Ddfcje32.exe37⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe38⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe40⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe41⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe42⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Fcmiod32.exeC:\Windows\system32\Fcmiod32.exe43⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Fgnokb32.exeC:\Windows\system32\Fgnokb32.exe45⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe47⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe49⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe50⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Gngcgp32.exeC:\Windows\system32\Gngcgp32.exe51⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe52⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe53⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe54⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe55⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe57⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe58⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe59⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe60⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe61⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe62⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe63⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe64⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe65⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe66⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe67⤵
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:868 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe69⤵PID:1976
-
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe70⤵PID:2684
-
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe71⤵PID:2936
-
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe72⤵PID:2860
-
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe73⤵PID:2468
-
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe74⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe75⤵PID:1708
-
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe76⤵PID:1284
-
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe79⤵PID:2616
-
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe80⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe81⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe82⤵PID:2816
-
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe83⤵PID:2008
-
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe84⤵PID:564
-
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe85⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe86⤵PID:2372
-
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe87⤵PID:2160
-
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe88⤵PID:3040
-
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe89⤵
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe90⤵PID:1048
-
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe91⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe92⤵PID:1032
-
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe93⤵PID:1532
-
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe95⤵PID:2648
-
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe96⤵PID:2660
-
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe97⤵PID:2356
-
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe98⤵PID:2520
-
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe99⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe100⤵PID:2948
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe101⤵PID:2760
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe102⤵PID:1640
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe103⤵PID:2196
-
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe104⤵PID:560
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe105⤵PID:2972
-
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe106⤵PID:840
-
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe107⤵PID:2088
-
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe108⤵PID:2164
-
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe109⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe110⤵PID:2300
-
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe111⤵PID:1620
-
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe112⤵
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe113⤵PID:704
-
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe114⤵PID:1840
-
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe115⤵PID:1704
-
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe116⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe117⤵PID:1920
-
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe118⤵PID:672
-
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe119⤵PID:264
-
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe120⤵PID:1748
-
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-