Analysis
-
max time kernel
15s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30/06/2024, 20:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe
-
Size
55KB
-
MD5
b44cef6ea11944dd26c8e21d837a6f60
-
SHA1
f548419924427ed444856c30d239164761e77cfb
-
SHA256
18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980
-
SHA512
88cd48776ceb23d90d2f312ea5ab4016e6a4d4ac0af8ead4d6766314d2e2f36d9a303073651880764b84ca602a51820cdc1218af3755b025bec3061678f0f479
-
SSDEEP
768:ijbJnsl0ABpXZw/g/3uWBfR2JA54/48UAv6gJ2jpcrG53hY7qGGGG234yxxDRt0n:ijtsl0ABpXZ8HW2DX32SrGZGLxbjRs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojgfemq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdabino.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbgbni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjldghjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdlkiepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbcpbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iompkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjdpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdjhndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmbdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhehek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhipoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpagq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkcdafqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcenlceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npojdpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaolidlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heglio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpqdkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmicohqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaolidlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggcffhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdildlie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbiipml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbomfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kincipnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmfgjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jghmfhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmffhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffhpbacb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmemc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnfnfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loeebl32.exe -
Executes dropped EXE 64 IoCs
pid Process 2484 Iqopea32.exe 2504 Incpoe32.exe 2524 Icpigm32.exe 2708 Jmhmpb32.exe 2572 Jcbellac.exe 2464 Jqfffqpm.exe 2940 Jbgbni32.exe 2796 Jokcgmee.exe 2980 Jicgpb32.exe 632 Jbllihbf.exe 2604 Jkdpanhg.exe 536 Kbqecg32.exe 2640 Kgnnln32.exe 588 Kmjfdejp.exe 1188 Kfbkmk32.exe 2068 Kmmcjehm.exe 1660 Kcfkfo32.exe 840 Kpmlkp32.exe 1952 Kifpdelo.exe 808 Lfjqnjkh.exe 916 Loeebl32.exe 2172 Leajdfnm.exe 2080 Llkbap32.exe 896 Lecgje32.exe 3000 Llnofpcg.exe 2492 Lefdpe32.exe 3036 Mmahdggc.exe 2556 Mdkqqa32.exe 2828 Mihiih32.exe 2564 Mpbaebdd.exe 2420 Mgljbm32.exe 1548 Mmfbogcn.exe 1992 Mimbdhhb.exe 2924 Mpfkqb32.exe 2588 Mcegmm32.exe 2608 Mlmlecec.exe 1060 Nhdlkdkg.exe 696 Nhfipcid.exe 600 Naoniipe.exe 1160 Nglfapnl.exe 1284 Nnennj32.exe 2108 Njlockkm.exe 1932 Npfgpe32.exe 2268 Oddpfc32.exe 1612 Oonafa32.exe 904 Oqmmpd32.exe 1892 Oclilp32.exe 2868 Ofjfhk32.exe 2864 Ohibdf32.exe 2188 Okgnab32.exe 1996 Ocnfbo32.exe 2660 Ofmbnkhg.exe 1364 Odobjg32.exe 2936 Okikfagn.exe 2432 Onhgbmfb.exe 2780 Pfoocjfd.exe 2628 Pdaoog32.exe 2896 Pgplkb32.exe 2632 Pogclp32.exe 1640 Pnjdhmdo.exe 984 Pedleg32.exe 1244 Pgbhabjp.exe 1064 Pjadmnic.exe 744 Pnlqnl32.exe -
Loads dropped DLL 64 IoCs
pid Process 1924 18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe 1924 18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe 2484 Iqopea32.exe 2484 Iqopea32.exe 2504 Incpoe32.exe 2504 Incpoe32.exe 2524 Icpigm32.exe 2524 Icpigm32.exe 2708 Jmhmpb32.exe 2708 Jmhmpb32.exe 2572 Jcbellac.exe 2572 Jcbellac.exe 2464 Jqfffqpm.exe 2464 Jqfffqpm.exe 2940 Jbgbni32.exe 2940 Jbgbni32.exe 2796 Jokcgmee.exe 2796 Jokcgmee.exe 2980 Jicgpb32.exe 2980 Jicgpb32.exe 632 Jbllihbf.exe 632 Jbllihbf.exe 2604 Jkdpanhg.exe 2604 Jkdpanhg.exe 536 Kbqecg32.exe 536 Kbqecg32.exe 2640 Kgnnln32.exe 2640 Kgnnln32.exe 588 Kmjfdejp.exe 588 Kmjfdejp.exe 1188 Kfbkmk32.exe 1188 Kfbkmk32.exe 2068 Kmmcjehm.exe 2068 Kmmcjehm.exe 1660 Kcfkfo32.exe 1660 Kcfkfo32.exe 840 Kpmlkp32.exe 840 Kpmlkp32.exe 1952 Kifpdelo.exe 1952 Kifpdelo.exe 808 Lfjqnjkh.exe 808 Lfjqnjkh.exe 916 Loeebl32.exe 916 Loeebl32.exe 2172 Leajdfnm.exe 2172 Leajdfnm.exe 2080 Llkbap32.exe 2080 Llkbap32.exe 896 Lecgje32.exe 896 Lecgje32.exe 3000 Llnofpcg.exe 3000 Llnofpcg.exe 2492 Lefdpe32.exe 2492 Lefdpe32.exe 3036 Mmahdggc.exe 3036 Mmahdggc.exe 2556 Mdkqqa32.exe 2556 Mdkqqa32.exe 2828 Mihiih32.exe 2828 Mihiih32.exe 2564 Mpbaebdd.exe 2564 Mpbaebdd.exe 2420 Mgljbm32.exe 2420 Mgljbm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hoogfn32.dll Emnndlod.exe File opened for modification C:\Windows\SysWOW64\Gakcimgf.exe Gffoldhp.exe File opened for modification C:\Windows\SysWOW64\Gffoldhp.exe Fmmkcoap.exe File created C:\Windows\SysWOW64\Mmneda32.exe Lbiqfied.exe File opened for modification C:\Windows\SysWOW64\Icpigm32.exe Incpoe32.exe File opened for modification C:\Windows\SysWOW64\Figlolbf.exe Ffhpbacb.exe File created C:\Windows\SysWOW64\Gfkdmglc.dll Mkmhaj32.exe File created C:\Windows\SysWOW64\Ghelfg32.exe Gakcimgf.exe File created C:\Windows\SysWOW64\Doqplo32.dll Hhehek32.exe File created C:\Windows\SysWOW64\Lefdpe32.exe Llnofpcg.exe File created C:\Windows\SysWOW64\Jcpclc32.dll Pefijfii.exe File opened for modification C:\Windows\SysWOW64\Fiihdlpc.exe Fbopgb32.exe File opened for modification C:\Windows\SysWOW64\Hbhomd32.exe Hkaglf32.exe File created C:\Windows\SysWOW64\Qpehocqo.dll Heglio32.exe File opened for modification C:\Windows\SysWOW64\Llohjo32.exe Ljmlbfhi.exe File created C:\Windows\SysWOW64\Fiihdlpc.exe Fbopgb32.exe File opened for modification C:\Windows\SysWOW64\Alegac32.exe Anafhopc.exe File created C:\Windows\SysWOW64\Gallbqdi.dll Fjmaaddo.exe File created C:\Windows\SysWOW64\Jhpjaq32.dll Onecbg32.exe File opened for modification C:\Windows\SysWOW64\Nhfipcid.exe Nhdlkdkg.exe File opened for modification C:\Windows\SysWOW64\Mpjqiq32.exe Mkmhaj32.exe File opened for modification C:\Windows\SysWOW64\Oopfakpa.exe Oghopm32.exe File created C:\Windows\SysWOW64\Epjomppp.dll Dglpbbbg.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Iedkbc32.exe File opened for modification C:\Windows\SysWOW64\Mapjmehi.exe Moanaiie.exe File created C:\Windows\SysWOW64\Dggcffhg.exe Dfffnn32.exe File created C:\Windows\SysWOW64\Llohjo32.exe Ljmlbfhi.exe File created C:\Windows\SysWOW64\Ndjfeo32.exe Npojdpef.exe File created C:\Windows\SysWOW64\Jcbellac.exe Jmhmpb32.exe File created C:\Windows\SysWOW64\Bmmiij32.exe Bdeeqehb.exe File opened for modification C:\Windows\SysWOW64\Dlnbeh32.exe Dfdjhndl.exe File created C:\Windows\SysWOW64\Pgplkb32.exe Pdaoog32.exe File created C:\Windows\SysWOW64\Ngemkm32.dll Gmdadnkh.exe File created C:\Windows\SysWOW64\Nldjnfaf.dll Iccbqh32.exe File created C:\Windows\SysWOW64\Iddnkn32.dll Jnkpbcjg.exe File opened for modification C:\Windows\SysWOW64\Papfegmk.exe Pnajilng.exe File created C:\Windows\SysWOW64\Gmgninie.exe Gfmemc32.exe File opened for modification C:\Windows\SysWOW64\Nhdlkdkg.exe Mlmlecec.exe File opened for modification C:\Windows\SysWOW64\Qjnmlk32.exe Qeaedd32.exe File created C:\Windows\SysWOW64\Qniedg32.dll Qjnmlk32.exe File created C:\Windows\SysWOW64\Dfdjhndl.exe Dcenlceh.exe File created C:\Windows\SysWOW64\Hdildlie.exe Heglio32.exe File created C:\Windows\SysWOW64\Qeohnd32.exe Qbplbi32.exe File created C:\Windows\SysWOW64\Pfoocjfd.exe Onhgbmfb.exe File opened for modification C:\Windows\SysWOW64\Gpejeihi.exe Gmgninie.exe File opened for modification C:\Windows\SysWOW64\Qbplbi32.exe Pmccjbaf.exe File created C:\Windows\SysWOW64\Hbfbgd32.exe Hojgfemq.exe File opened for modification C:\Windows\SysWOW64\Iccbqh32.exe Hgmalg32.exe File created C:\Windows\SysWOW64\Cahqdihi.dll Alegac32.exe File opened for modification C:\Windows\SysWOW64\Nofdklgl.exe Nenobfak.exe File opened for modification C:\Windows\SysWOW64\Idnaoohk.exe Ioaifhid.exe File created C:\Windows\SysWOW64\Ljkomfjl.exe Lgmcqkkh.exe File opened for modification C:\Windows\SysWOW64\Mooaljkh.exe Mmneda32.exe File created C:\Windows\SysWOW64\Pgbhabjp.exe Pedleg32.exe File opened for modification C:\Windows\SysWOW64\Pnlqnl32.exe Pjadmnic.exe File opened for modification C:\Windows\SysWOW64\Ganpomec.exe Gmbdnn32.exe File created C:\Windows\SysWOW64\Oghopm32.exe Oomjlk32.exe File opened for modification C:\Windows\SysWOW64\Qeohnd32.exe Qbplbi32.exe File created C:\Windows\SysWOW64\Gemaaoaf.dll Kgnnln32.exe File created C:\Windows\SysWOW64\Cadhnmnm.exe Bekkcljk.exe File opened for modification C:\Windows\SysWOW64\Dnoomqbg.exe Dlnbeh32.exe File created C:\Windows\SysWOW64\Fibmmd32.dll Hipkdnmf.exe File opened for modification C:\Windows\SysWOW64\Leimip32.exe Kjdilgpc.exe File opened for modification C:\Windows\SysWOW64\Okoafmkm.exe Oebimf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5204 4868 Process not Found 1290 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgplkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll" Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll" Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekadnf.dll" Icpigm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hipkdnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iakdqgfi.dll" Qmicohqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kifpdelo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oohqqlei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll" Qbplbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbcpbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docdkd32.dll" Nenobfak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abbeflpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll" Dkcofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oebimf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgioaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgpeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdghad32.dll" Ghqnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfoocjfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjhknm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaolidlk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okikfagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll" Caknol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdgnh32.dll" Llnofpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenobfak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdlmj32.dll" Ieidmbcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daiohhgh.dll" Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidjnkdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbefefec.dll" Kjifhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmahkol.dll" Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmfbogcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhkga32.dll" Pqkmjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mapjmehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odoloalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jokcgmee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcidp32.dll" Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmqokqf.dll" Pjhknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfjnod32.dll" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhhfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkcpip32.dll" Figlolbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpejeihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogikcfnb.dll" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmjqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfjqnjkh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1924 wrote to memory of 2484 1924 18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe 28 PID 1924 wrote to memory of 2484 1924 18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe 28 PID 1924 wrote to memory of 2484 1924 18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe 28 PID 1924 wrote to memory of 2484 1924 18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe 28 PID 2484 wrote to memory of 2504 2484 Iqopea32.exe 29 PID 2484 wrote to memory of 2504 2484 Iqopea32.exe 29 PID 2484 wrote to memory of 2504 2484 Iqopea32.exe 29 PID 2484 wrote to memory of 2504 2484 Iqopea32.exe 29 PID 2504 wrote to memory of 2524 2504 Incpoe32.exe 30 PID 2504 wrote to memory of 2524 2504 Incpoe32.exe 30 PID 2504 wrote to memory of 2524 2504 Incpoe32.exe 30 PID 2504 wrote to memory of 2524 2504 Incpoe32.exe 30 PID 2524 wrote to memory of 2708 2524 Icpigm32.exe 31 PID 2524 wrote to memory of 2708 2524 Icpigm32.exe 31 PID 2524 wrote to memory of 2708 2524 Icpigm32.exe 31 PID 2524 wrote to memory of 2708 2524 Icpigm32.exe 31 PID 2708 wrote to memory of 2572 2708 Jmhmpb32.exe 32 PID 2708 wrote to memory of 2572 2708 Jmhmpb32.exe 32 PID 2708 wrote to memory of 2572 2708 Jmhmpb32.exe 32 PID 2708 wrote to memory of 2572 2708 Jmhmpb32.exe 32 PID 2572 wrote to memory of 2464 2572 Jcbellac.exe 33 PID 2572 wrote to memory of 2464 2572 Jcbellac.exe 33 PID 2572 wrote to memory of 2464 2572 Jcbellac.exe 33 PID 2572 wrote to memory of 2464 2572 Jcbellac.exe 33 PID 2464 wrote to memory of 2940 2464 Jqfffqpm.exe 34 PID 2464 wrote to memory of 2940 2464 Jqfffqpm.exe 34 PID 2464 wrote to memory of 2940 2464 Jqfffqpm.exe 34 PID 2464 wrote to memory of 2940 2464 Jqfffqpm.exe 34 PID 2940 wrote to memory of 2796 2940 Jbgbni32.exe 35 PID 2940 wrote to memory of 2796 2940 Jbgbni32.exe 35 PID 2940 wrote to memory of 2796 2940 Jbgbni32.exe 35 PID 2940 wrote to memory of 2796 2940 Jbgbni32.exe 35 PID 2796 wrote to memory of 2980 2796 Jokcgmee.exe 36 PID 2796 wrote to memory of 2980 2796 Jokcgmee.exe 36 PID 2796 wrote to memory of 2980 2796 Jokcgmee.exe 36 PID 2796 wrote to memory of 2980 2796 Jokcgmee.exe 36 PID 2980 wrote to memory of 632 2980 Jicgpb32.exe 37 PID 2980 wrote to memory of 632 2980 Jicgpb32.exe 37 PID 2980 wrote to memory of 632 2980 Jicgpb32.exe 37 PID 2980 wrote to memory of 632 2980 Jicgpb32.exe 37 PID 632 wrote to memory of 2604 632 Jbllihbf.exe 38 PID 632 wrote to memory of 2604 632 Jbllihbf.exe 38 PID 632 wrote to memory of 2604 632 Jbllihbf.exe 38 PID 632 wrote to memory of 2604 632 Jbllihbf.exe 38 PID 2604 wrote to memory of 536 2604 Jkdpanhg.exe 39 PID 2604 wrote to memory of 536 2604 Jkdpanhg.exe 39 PID 2604 wrote to memory of 536 2604 Jkdpanhg.exe 39 PID 2604 wrote to memory of 536 2604 Jkdpanhg.exe 39 PID 536 wrote to memory of 2640 536 Kbqecg32.exe 40 PID 536 wrote to memory of 2640 536 Kbqecg32.exe 40 PID 536 wrote to memory of 2640 536 Kbqecg32.exe 40 PID 536 wrote to memory of 2640 536 Kbqecg32.exe 40 PID 2640 wrote to memory of 588 2640 Kgnnln32.exe 41 PID 2640 wrote to memory of 588 2640 Kgnnln32.exe 41 PID 2640 wrote to memory of 588 2640 Kgnnln32.exe 41 PID 2640 wrote to memory of 588 2640 Kgnnln32.exe 41 PID 588 wrote to memory of 1188 588 Kmjfdejp.exe 42 PID 588 wrote to memory of 1188 588 Kmjfdejp.exe 42 PID 588 wrote to memory of 1188 588 Kmjfdejp.exe 42 PID 588 wrote to memory of 1188 588 Kmjfdejp.exe 42 PID 1188 wrote to memory of 2068 1188 Kfbkmk32.exe 43 PID 1188 wrote to memory of 2068 1188 Kfbkmk32.exe 43 PID 1188 wrote to memory of 2068 1188 Kfbkmk32.exe 43 PID 1188 wrote to memory of 2068 1188 Kfbkmk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\18ef04337ebb7081ef094ec56068a1af9311d1aa11941b700c16ee0784ee8980_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe34⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe36⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Mlmlecec.exeC:\Windows\system32\Mlmlecec.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe39⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe40⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe43⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe44⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe46⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe47⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe48⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Ofjfhk32.exeC:\Windows\system32\Ofjfhk32.exe49⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe50⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe51⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe52⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe53⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe60⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe61⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:984 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe65⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe66⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe67⤵
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe68⤵PID:2820
-
C:\Windows\SysWOW64\Pkpagq32.exeC:\Windows\system32\Pkpagq32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe70⤵PID:1616
-
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe71⤵PID:2224
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe72⤵PID:2480
-
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe73⤵PID:2768
-
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe74⤵PID:2372
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe75⤵PID:3068
-
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe76⤵
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe77⤵PID:1692
-
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe78⤵PID:1632
-
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe79⤵
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe80⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1876 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe82⤵PID:1020
-
C:\Windows\SysWOW64\Qbcpbo32.exeC:\Windows\system32\Qbcpbo32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe84⤵PID:1104
-
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe86⤵PID:1744
-
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe87⤵PID:1592
-
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe88⤵PID:2824
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe89⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe90⤵
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:276 -
C:\Windows\SysWOW64\Bpgljfbl.exeC:\Windows\system32\Bpgljfbl.exe92⤵PID:2620
-
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe93⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe94⤵PID:640
-
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe96⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe97⤵PID:3032
-
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe98⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe99⤵PID:2092
-
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe100⤵PID:2200
-
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe101⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe102⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe103⤵PID:1092
-
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe104⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe106⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe108⤵PID:884
-
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe109⤵PID:1948
-
C:\Windows\SysWOW64\Dcenlceh.exeC:\Windows\system32\Dcenlceh.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Dlnbeh32.exeC:\Windows\system32\Dlnbeh32.exe112⤵
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe113⤵PID:2832
-
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe114⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe116⤵
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe117⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe118⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe119⤵
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe120⤵PID:1260
-
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe121⤵PID:1556
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-