Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11-05-2024 21:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3b09205a3f6eeadf54514761bf6434c0_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3b09205a3f6eeadf54514761bf6434c0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3b09205a3f6eeadf54514761bf6434c0_NeikiAnalytics.exe
-
Size
98KB
-
MD5
3b09205a3f6eeadf54514761bf6434c0
-
SHA1
cc77660a4666a97045e4dc79b4ff6923e713a53f
-
SHA256
da189ffb3236d50de8b004517c702f1d11813af033b64b15dc38a99e2d04ba4e
-
SHA512
4ec9a3a9a2a02741abfa2d85998f20dfa26568f960d2e021bdab4181e6b60ab0544f1b3ff969c470f5e0f034c169e8fa14e20115032069c833e75f13d22e65e5
-
SSDEEP
3072:MJnJt0q496As2+vE4eFKPD375lHzpa1P:8nL0mAt+vE4eYr75lHzpaF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgamnded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgamnded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Geohklaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oclkgccf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njghbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnmcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coknoaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeheqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqijje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ackigjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdpjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfaemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bblnindg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhacf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pabblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblnindg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpnfge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgflqkdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkihnmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbofcghl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haoimcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqpfjnba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flinkojm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knefeffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjffdalb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhpbfpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlimed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leadnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmomlnjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jblijebc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gacjadad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkceokii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pncgmkmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecdjmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndflak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocopdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnmopk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioqq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemqih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nomncpcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnoopdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofqpqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmjcieo.exe -
Executes dropped EXE 64 IoCs
pid Process 4236 Opdghh32.exe 2748 Ofqpqo32.exe 2484 Onhhamgg.exe 1776 Oqfdnhfk.exe 4388 Ogpmjb32.exe 1360 Ojoign32.exe 1648 Ocgmpccl.exe 3092 Ofeilobp.exe 4120 Pmoahijl.exe 3692 Pgefeajb.exe 4700 Pnonbk32.exe 64 Pfjcgn32.exe 1236 Pqpgdfnp.exe 3188 Pgioqq32.exe 2296 Pncgmkmj.exe 4112 Pdmpje32.exe 1744 Pfolbmje.exe 5108 Pdpmpdbd.exe 456 Pjmehkqk.exe 3948 Qqfmde32.exe 4812 Qfcfml32.exe 1608 Qqijje32.exe 4276 Anmjcieo.exe 2648 Acjclpcf.exe 2704 Anogiicl.exe 4288 Aadifclh.exe 1820 Bfabnjjp.exe 2720 Bebblb32.exe 4000 Bjokdipf.exe 2276 Beeoaapl.exe 4880 Bnmcjg32.exe 4944 Beglgani.exe 4268 Bmbplc32.exe 804 Bjfaeh32.exe 4504 Belebq32.exe 4248 Cjinkg32.exe 1108 Cenahpha.exe 4868 Chmndlge.exe 2216 Cmiflbel.exe 556 Cdcoim32.exe 3100 Cjmgfgdf.exe 4460 Ceckcp32.exe 3808 Cnkplejl.exe 2932 Chcddk32.exe 1596 Calhnpgn.exe 4012 Ddjejl32.exe 3120 Dopigd32.exe 3000 Dejacond.exe 4720 Dfknkg32.exe 1088 Ddonekbl.exe 872 Dkifae32.exe 3888 Dfpgffpm.exe 1624 Dhocqigp.exe 1944 Dknpmdfc.exe 4624 Eecdjmfi.exe 3068 Ehapfiem.exe 1712 Emoinpcd.exe 2740 Ehdmlhcj.exe 4972 Eggmge32.exe 4392 Emaedo32.exe 5096 Edknqiho.exe 4604 Emcbio32.exe 4016 Edmjfifl.exe 1644 Ekgbccni.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hponje32.dll Ohmhmh32.exe File created C:\Windows\SysWOW64\Eodolnaf.dll Feoodn32.exe File created C:\Windows\SysWOW64\Jgpfbjlo.exe Jilfifme.exe File created C:\Windows\SysWOW64\Mpghkf32.exe Leadnm32.exe File opened for modification C:\Windows\SysWOW64\Opadhb32.exe Ohjlgefb.exe File opened for modification C:\Windows\SysWOW64\Bljlfh32.exe Bfpdin32.exe File created C:\Windows\SysWOW64\Geibhp32.dll Dcnqpo32.exe File created C:\Windows\SysWOW64\Odalmibl.exe Oodcdb32.exe File opened for modification C:\Windows\SysWOW64\Oabhfg32.exe Ofmdio32.exe File opened for modification C:\Windows\SysWOW64\Aaenbd32.exe Akkffkhk.exe File created C:\Windows\SysWOW64\Bbiaci32.dll Aijnep32.exe File opened for modification C:\Windows\SysWOW64\Paelfmaf.exe Okkdic32.exe File created C:\Windows\SysWOW64\Fbelcblk.exe Flkdfh32.exe File created C:\Windows\SysWOW64\Ndqojdee.dll Nclbpf32.exe File opened for modification C:\Windows\SysWOW64\Badanigc.exe Bnhenj32.exe File opened for modification C:\Windows\SysWOW64\Ppolhcnm.exe Pnmopk32.exe File opened for modification C:\Windows\SysWOW64\Gkgeoklj.exe Gpaqbbld.exe File created C:\Windows\SysWOW64\Hlgdjg32.dll Ieidhh32.exe File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe Lqojclne.exe File created C:\Windows\SysWOW64\Bccbakce.dll Fjohde32.exe File created C:\Windows\SysWOW64\Pcpikkge.exe Ppamophb.exe File created C:\Windows\SysWOW64\Ieneofbo.dll Cobkhb32.exe File created C:\Windows\SysWOW64\Amdomd32.dll Cbfgkffn.exe File created C:\Windows\SysWOW64\Cqmmqg32.dll Eifaim32.exe File created C:\Windows\SysWOW64\Ehhpla32.exe Eangpgcl.exe File opened for modification C:\Windows\SysWOW64\Hdhedh32.exe Hmnmgnoh.exe File opened for modification C:\Windows\SysWOW64\Oelolmnd.exe Ojgjndno.exe File opened for modification C:\Windows\SysWOW64\Eokqkh32.exe Emmdom32.exe File created C:\Windows\SysWOW64\Ecpfpo32.dll Bkibgh32.exe File opened for modification C:\Windows\SysWOW64\Bnhenj32.exe Blgifbil.exe File created C:\Windows\SysWOW64\Noehba32.exe Niipjj32.exe File created C:\Windows\SysWOW64\Laahglpp.dll Gdoihpbk.exe File created C:\Windows\SysWOW64\Hpdfnolo.exe Hnfjbdmk.exe File created C:\Windows\SysWOW64\Cinbbnpa.dll Iqbbpm32.exe File created C:\Windows\SysWOW64\Ngjbaj32.exe Napjdpcn.exe File opened for modification C:\Windows\SysWOW64\Pdpmpdbd.exe Pfolbmje.exe File created C:\Windows\SysWOW64\Cdcoim32.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Jleqgfim.dll Ieliebnf.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Ibajgf32.dll Cgjjdf32.exe File created C:\Windows\SysWOW64\Cpdndomn.dll Mbgjbkfg.exe File created C:\Windows\SysWOW64\Pkcadhgm.exe Pibdmp32.exe File created C:\Windows\SysWOW64\Cjafgpmo.dll Felbnn32.exe File created C:\Windows\SysWOW64\Mcpcdg32.exe Mmfkhmdi.exe File created C:\Windows\SysWOW64\Nclbpf32.exe Nqmfdj32.exe File created C:\Windows\SysWOW64\Dkfadkgf.exe Ddligq32.exe File created C:\Windows\SysWOW64\Iinjhh32.exe Iliinc32.exe File created C:\Windows\SysWOW64\Eifnachf.dll Cjmgfgdf.exe File created C:\Windows\SysWOW64\Bpajnp32.dll Jdbhkk32.exe File opened for modification C:\Windows\SysWOW64\Mlkepaam.exe Meamcg32.exe File created C:\Windows\SysWOW64\Gcbpne32.dll Mhdckaeo.exe File created C:\Windows\SysWOW64\Pabblb32.exe Pocfpf32.exe File opened for modification C:\Windows\SysWOW64\Edmjfifl.exe Emcbio32.exe File created C:\Windows\SysWOW64\Abcgjd32.dll Ljkifn32.exe File created C:\Windows\SysWOW64\Odblin32.dll Ocamjm32.exe File created C:\Windows\SysWOW64\Negcig32.dll Abponp32.exe File opened for modification C:\Windows\SysWOW64\Ehapfiem.exe Eecdjmfi.exe File opened for modification C:\Windows\SysWOW64\Mglfplgk.exe Lqbncb32.exe File created C:\Windows\SysWOW64\Gelfeh32.dll Dpiplm32.exe File opened for modification C:\Windows\SysWOW64\Cnkplejl.exe Ceckcp32.exe File opened for modification C:\Windows\SysWOW64\Hkhdqoac.exe Hfklhhcl.exe File created C:\Windows\SysWOW64\Bqilgmdg.exe Bjodjb32.exe File created C:\Windows\SysWOW64\Qfkjii32.dll Jqdoem32.exe File opened for modification C:\Windows\SysWOW64\Kqdaadln.exe Kjjiej32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6228 4152 WerFault.exe 984 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll" Qqijje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcogje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbgjbkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnhpoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epdikp32.dll" Mbenmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmchiim.dll" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohgljdl.dll" Kodnmkap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqdcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll" Bebblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfegkoem.dll" Qhonib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enkdaepb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Foqkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjaifp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nondlbmd.dll" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenqhaga.dll" Eiobceef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flkkjnjg.dll" Bahkih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljhnlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fojedapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflhb32.dll" Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgccinoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maiccajf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moehgcil.dll" Aefjii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aieeeflh.dll" Oeicejia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqdhfd32.dll" Pgflqkdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkcadhgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iplkpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhdohp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbofcghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glaecb32.dll" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kecabifp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmemif.dll" Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll" Bddcenpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cqpbglno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjmpkqqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjmfjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doodkl32.dll" Goedpofl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Facqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjiligp.dll" Fajgkfio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnikd32.dll" Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ookjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbea32.dll" Coiaiakf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfbped32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3532 wrote to memory of 4236 3532 3b09205a3f6eeadf54514761bf6434c0_NeikiAnalytics.exe 82 PID 3532 wrote to memory of 4236 3532 3b09205a3f6eeadf54514761bf6434c0_NeikiAnalytics.exe 82 PID 3532 wrote to memory of 4236 3532 3b09205a3f6eeadf54514761bf6434c0_NeikiAnalytics.exe 82 PID 4236 wrote to memory of 2748 4236 Opdghh32.exe 83 PID 4236 wrote to memory of 2748 4236 Opdghh32.exe 83 PID 4236 wrote to memory of 2748 4236 Opdghh32.exe 83 PID 2748 wrote to memory of 2484 2748 Ofqpqo32.exe 84 PID 2748 wrote to memory of 2484 2748 Ofqpqo32.exe 84 PID 2748 wrote to memory of 2484 2748 Ofqpqo32.exe 84 PID 2484 wrote to memory of 1776 2484 Onhhamgg.exe 85 PID 2484 wrote to memory of 1776 2484 Onhhamgg.exe 85 PID 2484 wrote to memory of 1776 2484 Onhhamgg.exe 85 PID 1776 wrote to memory of 4388 1776 Oqfdnhfk.exe 86 PID 1776 wrote to memory of 4388 1776 Oqfdnhfk.exe 86 PID 1776 wrote to memory of 4388 1776 Oqfdnhfk.exe 86 PID 4388 wrote to memory of 1360 4388 Ogpmjb32.exe 87 PID 4388 wrote to memory of 1360 4388 Ogpmjb32.exe 87 PID 4388 wrote to memory of 1360 4388 Ogpmjb32.exe 87 PID 1360 wrote to memory of 1648 1360 Ojoign32.exe 89 PID 1360 wrote to memory of 1648 1360 Ojoign32.exe 89 PID 1360 wrote to memory of 1648 1360 Ojoign32.exe 89 PID 1648 wrote to memory of 3092 1648 Ocgmpccl.exe 90 PID 1648 wrote to memory of 3092 1648 Ocgmpccl.exe 90 PID 1648 wrote to memory of 3092 1648 Ocgmpccl.exe 90 PID 3092 wrote to memory of 4120 3092 Ofeilobp.exe 92 PID 3092 wrote to memory of 4120 3092 Ofeilobp.exe 92 PID 3092 wrote to memory of 4120 3092 Ofeilobp.exe 92 PID 4120 wrote to memory of 3692 4120 Pmoahijl.exe 93 PID 4120 wrote to memory of 3692 4120 Pmoahijl.exe 93 PID 4120 wrote to memory of 3692 4120 Pmoahijl.exe 93 PID 3692 wrote to memory of 4700 3692 Pgefeajb.exe 94 PID 3692 wrote to memory of 4700 3692 Pgefeajb.exe 94 PID 3692 wrote to memory of 4700 3692 Pgefeajb.exe 94 PID 4700 wrote to memory of 64 4700 Pnonbk32.exe 95 PID 4700 wrote to memory of 64 4700 Pnonbk32.exe 95 PID 4700 wrote to memory of 64 4700 Pnonbk32.exe 95 PID 64 wrote to memory of 1236 64 Pfjcgn32.exe 96 PID 64 wrote to memory of 1236 64 Pfjcgn32.exe 96 PID 64 wrote to memory of 1236 64 Pfjcgn32.exe 96 PID 1236 wrote to memory of 3188 1236 Pqpgdfnp.exe 97 PID 1236 wrote to memory of 3188 1236 Pqpgdfnp.exe 97 PID 1236 wrote to memory of 3188 1236 Pqpgdfnp.exe 97 PID 3188 wrote to memory of 2296 3188 Pgioqq32.exe 99 PID 3188 wrote to memory of 2296 3188 Pgioqq32.exe 99 PID 3188 wrote to memory of 2296 3188 Pgioqq32.exe 99 PID 2296 wrote to memory of 4112 2296 Pncgmkmj.exe 100 PID 2296 wrote to memory of 4112 2296 Pncgmkmj.exe 100 PID 2296 wrote to memory of 4112 2296 Pncgmkmj.exe 100 PID 4112 wrote to memory of 1744 4112 Pdmpje32.exe 101 PID 4112 wrote to memory of 1744 4112 Pdmpje32.exe 101 PID 4112 wrote to memory of 1744 4112 Pdmpje32.exe 101 PID 1744 wrote to memory of 5108 1744 Pfolbmje.exe 102 PID 1744 wrote to memory of 5108 1744 Pfolbmje.exe 102 PID 1744 wrote to memory of 5108 1744 Pfolbmje.exe 102 PID 5108 wrote to memory of 456 5108 Pdpmpdbd.exe 103 PID 5108 wrote to memory of 456 5108 Pdpmpdbd.exe 103 PID 5108 wrote to memory of 456 5108 Pdpmpdbd.exe 103 PID 456 wrote to memory of 3948 456 Pjmehkqk.exe 104 PID 456 wrote to memory of 3948 456 Pjmehkqk.exe 104 PID 456 wrote to memory of 3948 456 Pjmehkqk.exe 104 PID 3948 wrote to memory of 4812 3948 Qqfmde32.exe 105 PID 3948 wrote to memory of 4812 3948 Qqfmde32.exe 105 PID 3948 wrote to memory of 4812 3948 Qqfmde32.exe 105 PID 4812 wrote to memory of 1608 4812 Qfcfml32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b09205a3f6eeadf54514761bf6434c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3b09205a3f6eeadf54514761bf6434c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe25⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe26⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe27⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe28⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe30⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe31⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe33⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe34⤵PID:4400
-
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe35⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe36⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe37⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe38⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe39⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe40⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3100 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4460 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe45⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe46⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe47⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe48⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe49⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe50⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe51⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe52⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe54⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe55⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe56⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4624 -
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe58⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe59⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe60⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe61⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe62⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe63⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4604 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe65⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe66⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe67⤵PID:3876
-
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe68⤵PID:412
-
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe69⤵PID:3732
-
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe70⤵PID:5072
-
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe71⤵PID:2172
-
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe72⤵PID:432
-
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe73⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe74⤵PID:864
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe75⤵PID:3304
-
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe76⤵PID:1248
-
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe77⤵PID:3148
-
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe78⤵
- Modifies registry class
PID:4168 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe79⤵PID:2384
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe80⤵PID:1588
-
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe81⤵PID:3644
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe82⤵
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe83⤵PID:4820
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe84⤵PID:116
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe85⤵PID:1980
-
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe86⤵PID:364
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe87⤵PID:4992
-
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe88⤵PID:920
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe89⤵PID:3852
-
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe90⤵PID:2184
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe91⤵PID:4396
-
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe92⤵
- Drops file in System32 directory
PID:3356 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe93⤵PID:4616
-
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe94⤵PID:1412
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe95⤵PID:1768
-
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe96⤵PID:4068
-
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe97⤵PID:2124
-
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe98⤵PID:2028
-
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe99⤵PID:4188
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe100⤵PID:3308
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe101⤵PID:4844
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe102⤵PID:4420
-
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe103⤵PID:1664
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe104⤵PID:2076
-
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe105⤵PID:228
-
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe106⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe107⤵PID:5132
-
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe108⤵PID:5176
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe109⤵PID:5220
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe110⤵PID:5264
-
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe111⤵PID:5300
-
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe112⤵PID:5348
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe113⤵PID:5400
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe114⤵PID:5440
-
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe115⤵PID:5488
-
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe116⤵PID:5528
-
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe117⤵PID:5572
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe118⤵PID:5620
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe119⤵PID:5664
-
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe120⤵PID:5708
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-