Analysis
-
max time kernel
144s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
12/05/2024, 03:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe
-
Size
181KB
-
MD5
64fc1b1aec0dd63312b499af83a77b30
-
SHA1
fed15cd658b369ce1f904791aa885339abee1b67
-
SHA256
3bb69804958d7acd811f07fd7ee3d1d94e10253b183a97a65281aa3ae1267d38
-
SHA512
26faddefc4f0f9b8c69d29c7055bb1bbaddabefae02d5832b1f86ad4194c83053aa200c14b12c376749be8a37dfe7e9626f5c3a23b9fd5a1babc52651f23883d
-
SSDEEP
3072:nlZUSbbYGFGnVFYggDrFDHZtOg1DN0EKF5FDDFfgV4DrFDHZtOgB:vIPn345tTNN0EKF5FD4w5tTB
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Globlmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmjjea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlibjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inngcfid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epaogi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebinic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgpappk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghoegl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmanoifd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mijfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epfhbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkclhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmgqnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodpgjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdkao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ednpej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejcjbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifnechbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehmdhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baakhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfghif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okfencna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpdbloof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkeimlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdogl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcpii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcihlong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chbjffad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgejac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpknlk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2392 Okchhc32.exe 2160 Oqqapjnk.exe 2676 Okfencna.exe 2732 Omgaek32.exe 2488 Ofpfnqjp.exe 2504 Pminkk32.exe 2968 Pgobhcac.exe 2808 Pjmodopf.exe 2836 Ppjglfon.exe 832 Pbiciana.exe 1196 Pmnhfjmg.exe 2688 Ppmdbe32.exe 860 Peiljl32.exe 2108 Ppoqge32.exe 1976 Pelipl32.exe 324 Phjelg32.exe 452 Pabjem32.exe 2152 Qlhnbf32.exe 1556 Qbbfopeg.exe 1868 Qeqbkkej.exe 1224 Qhooggdn.exe 2136 Qnigda32.exe 2056 Qecoqk32.exe 1000 Ahakmf32.exe 1512 Ankdiqih.exe 2068 Amndem32.exe 2272 Affhncfc.exe 1988 Aiedjneg.exe 2596 Adjigg32.exe 2716 Ajdadamj.exe 2612 Ambmpmln.exe 2440 Apajlhka.exe 2336 Abpfhcje.exe 2628 Aiinen32.exe 2796 Apcfahio.exe 1504 Aepojo32.exe 1996 Ailkjmpo.exe 2500 Boiccdnf.exe 816 Bagpopmj.exe 2984 Blmdlhmp.exe 1192 Bokphdld.exe 2420 Bdhhqk32.exe 1804 Bhcdaibd.exe 2020 Bommnc32.exe 2116 Begeknan.exe 1332 Bdjefj32.exe 2912 Bghabf32.exe 2928 Bopicc32.exe 1808 Bnbjopoi.exe 2520 Banepo32.exe 2028 Bhhnli32.exe 1720 Bjijdadm.exe 2648 Bnefdp32.exe 3052 Bpcbqk32.exe 2728 Cgmkmecg.exe 2172 Cjlgiqbk.exe 2800 Cngcjo32.exe 1952 Cljcelan.exe 2856 Cdakgibq.exe 1040 Cfbhnaho.exe 2508 Cnippoha.exe 2528 Cphlljge.exe 1456 Coklgg32.exe 2908 Cgbdhd32.exe -
Loads dropped DLL 64 IoCs
pid Process 1264 64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe 1264 64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe 2392 Okchhc32.exe 2392 Okchhc32.exe 2160 Oqqapjnk.exe 2160 Oqqapjnk.exe 2676 Okfencna.exe 2676 Okfencna.exe 2732 Omgaek32.exe 2732 Omgaek32.exe 2488 Ofpfnqjp.exe 2488 Ofpfnqjp.exe 2504 Pminkk32.exe 2504 Pminkk32.exe 2968 Pgobhcac.exe 2968 Pgobhcac.exe 2808 Pjmodopf.exe 2808 Pjmodopf.exe 2836 Ppjglfon.exe 2836 Ppjglfon.exe 832 Pbiciana.exe 832 Pbiciana.exe 1196 Pmnhfjmg.exe 1196 Pmnhfjmg.exe 2688 Ppmdbe32.exe 2688 Ppmdbe32.exe 860 Peiljl32.exe 860 Peiljl32.exe 2108 Ppoqge32.exe 2108 Ppoqge32.exe 1976 Pelipl32.exe 1976 Pelipl32.exe 324 Phjelg32.exe 324 Phjelg32.exe 452 Pabjem32.exe 452 Pabjem32.exe 2152 Qlhnbf32.exe 2152 Qlhnbf32.exe 1556 Qbbfopeg.exe 1556 Qbbfopeg.exe 1868 Qeqbkkej.exe 1868 Qeqbkkej.exe 1224 Qhooggdn.exe 1224 Qhooggdn.exe 2136 Qnigda32.exe 2136 Qnigda32.exe 2056 Qecoqk32.exe 2056 Qecoqk32.exe 1000 Ahakmf32.exe 1000 Ahakmf32.exe 1512 Ankdiqih.exe 1512 Ankdiqih.exe 1604 Aplpai32.exe 1604 Aplpai32.exe 2272 Affhncfc.exe 2272 Affhncfc.exe 1988 Aiedjneg.exe 1988 Aiedjneg.exe 2596 Adjigg32.exe 2596 Adjigg32.exe 2716 Ajdadamj.exe 2716 Ajdadamj.exe 2612 Ambmpmln.exe 2612 Ambmpmln.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ipghqomc.dll Ankdiqih.exe File opened for modification C:\Windows\SysWOW64\Dgodbh32.exe Dqelenlc.exe File created C:\Windows\SysWOW64\Gbaoqk32.dll Iqopea32.exe File created C:\Windows\SysWOW64\Ionkallc.dll Oclilp32.exe File created C:\Windows\SysWOW64\Mpioaoic.dll Qimhoi32.exe File created C:\Windows\SysWOW64\Bdgafdfp.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Dbdijd32.dll Qeqbkkej.exe File created C:\Windows\SysWOW64\Faokjpfd.exe Fnpnndgp.exe File created C:\Windows\SysWOW64\Nglknl32.dll Qcpofbjl.exe File created C:\Windows\SysWOW64\Bplpldoa.dll Bbjbaa32.exe File opened for modification C:\Windows\SysWOW64\Bjijdadm.exe Bhhnli32.exe File created C:\Windows\SysWOW64\Iebpge32.dll Gelppaof.exe File created C:\Windows\SysWOW64\Onjgiiad.exe Ngpolo32.exe File created C:\Windows\SysWOW64\Pikkiijf.exe Pflomnkb.exe File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe Faagpp32.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Pmanoifd.exe File opened for modification C:\Windows\SysWOW64\Qcbllb32.exe Qlkdkd32.exe File opened for modification C:\Windows\SysWOW64\Dknekeef.exe Dhpiojfb.exe File opened for modification C:\Windows\SysWOW64\Edkcojga.exe Ebmgcohn.exe File opened for modification C:\Windows\SysWOW64\Bokphdld.exe Blmdlhmp.exe File opened for modification C:\Windows\SysWOW64\Egdilkbf.exe Eiaiqn32.exe File opened for modification C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File created C:\Windows\SysWOW64\Egjbkk32.dll Lkppbl32.exe File created C:\Windows\SysWOW64\Gpdgnh32.dll Lmolnh32.exe File created C:\Windows\SysWOW64\Inkaippf.dll Ojcecjee.exe File created C:\Windows\SysWOW64\Jiakjb32.exe Jjojofgn.exe File created C:\Windows\SysWOW64\Immfnjan.dll Kblhgk32.exe File created C:\Windows\SysWOW64\Clkmne32.dll Fidoim32.exe File created C:\Windows\SysWOW64\Qabcjgkh.exe Pikkiijf.exe File opened for modification C:\Windows\SysWOW64\Blpjegfm.exe Biamilfj.exe File opened for modification C:\Windows\SysWOW64\Pminkk32.exe Ofpfnqjp.exe File opened for modification C:\Windows\SysWOW64\Ejgcdb32.exe Ebpkce32.exe File opened for modification C:\Windows\SysWOW64\Egamfkdh.exe Eiomkn32.exe File created C:\Windows\SysWOW64\Ghqknigk.dll Ffpmnf32.exe File opened for modification C:\Windows\SysWOW64\Llkbap32.exe Limfed32.exe File created C:\Windows\SysWOW64\Knlafm32.dll Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Mdkqqa32.exe Mamddf32.exe File opened for modification C:\Windows\SysWOW64\Cldooj32.exe Cnaocmmi.exe File created C:\Windows\SysWOW64\Bmhljm32.dll Qecoqk32.exe File created C:\Windows\SysWOW64\Affhncfc.exe Aplpai32.exe File created C:\Windows\SysWOW64\Fglhobmg.dll Dngoibmo.exe File opened for modification C:\Windows\SysWOW64\Ebgacddo.exe Elmigj32.exe File created C:\Windows\SysWOW64\Lldlqakb.exe Kifpdelo.exe File opened for modification C:\Windows\SysWOW64\Mmahdggc.exe Mkclhl32.exe File created C:\Windows\SysWOW64\Blopagpd.dll Dbfabp32.exe File created C:\Windows\SysWOW64\Ahoanjcc.dll Emnndlod.exe File created C:\Windows\SysWOW64\Ghoegl32.exe Gddifnbk.exe File created C:\Windows\SysWOW64\Lmcijcbe.exe Lemaif32.exe File created C:\Windows\SysWOW64\Gmndnn32.dll Miooigfo.exe File created C:\Windows\SysWOW64\Ihomanac.dll Begeknan.exe File created C:\Windows\SysWOW64\Onmdoioa.exe Ocgpappk.exe File created C:\Windows\SysWOW64\Ecfhengk.dll Pcnbablo.exe File created C:\Windows\SysWOW64\Kkgklabn.dll Qfahhm32.exe File opened for modification C:\Windows\SysWOW64\Efaibbij.exe Egoife32.exe File opened for modification C:\Windows\SysWOW64\Ppoqge32.exe Peiljl32.exe File opened for modification C:\Windows\SysWOW64\Dflkdp32.exe Cndbcc32.exe File created C:\Windows\SysWOW64\Jjlnif32.exe Jfqahgpg.exe File created C:\Windows\SysWOW64\Acjobj32.dll Ldfgebbe.exe File created C:\Windows\SysWOW64\Bmfmjjgm.dll Anojbobe.exe File created C:\Windows\SysWOW64\Aafminbq.dll Bpnbkeld.exe File created C:\Windows\SysWOW64\Ghkllmoi.exe Gelppaof.exe File created C:\Windows\SysWOW64\Henidd32.exe Hacmcfge.exe File created C:\Windows\SysWOW64\Dcpdmj32.dll Inljnfkg.exe File created C:\Windows\SysWOW64\Ljefkdjq.dll Kcihlong.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5780 5752 WerFault.exe 509 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll" Epdkli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmahdggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjbaocl.dll" Mgqcmlgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionkallc.dll" Oclilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll" Ejhlgaeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahdaee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll" Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhfipcid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambmpmln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikddbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biapcobb.dll" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgpjanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckchjmoo.dll" Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqkmbmdg.dll" Mdpjlajk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbfpg32.dll" Pogclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epfhbign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amhpnkch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfjnod32.dll" Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chcphm32.dll" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndpfkdmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjnkb32.dll" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgjdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejkima32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nialog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aefeijle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaaoij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqddgc32.dll" Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncffdfn.dll" Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jejhecaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifnmmhq.dll" Alpmfdcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddigjkid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakmkaok.dll" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cphlljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" Nkiogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglknl32.dll" Qcpofbjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll" Dbkknojp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1264 wrote to memory of 2392 1264 64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe 28 PID 1264 wrote to memory of 2392 1264 64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe 28 PID 1264 wrote to memory of 2392 1264 64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe 28 PID 1264 wrote to memory of 2392 1264 64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe 28 PID 2392 wrote to memory of 2160 2392 Okchhc32.exe 29 PID 2392 wrote to memory of 2160 2392 Okchhc32.exe 29 PID 2392 wrote to memory of 2160 2392 Okchhc32.exe 29 PID 2392 wrote to memory of 2160 2392 Okchhc32.exe 29 PID 2160 wrote to memory of 2676 2160 Oqqapjnk.exe 30 PID 2160 wrote to memory of 2676 2160 Oqqapjnk.exe 30 PID 2160 wrote to memory of 2676 2160 Oqqapjnk.exe 30 PID 2160 wrote to memory of 2676 2160 Oqqapjnk.exe 30 PID 2676 wrote to memory of 2732 2676 Okfencna.exe 31 PID 2676 wrote to memory of 2732 2676 Okfencna.exe 31 PID 2676 wrote to memory of 2732 2676 Okfencna.exe 31 PID 2676 wrote to memory of 2732 2676 Okfencna.exe 31 PID 2732 wrote to memory of 2488 2732 Omgaek32.exe 32 PID 2732 wrote to memory of 2488 2732 Omgaek32.exe 32 PID 2732 wrote to memory of 2488 2732 Omgaek32.exe 32 PID 2732 wrote to memory of 2488 2732 Omgaek32.exe 32 PID 2488 wrote to memory of 2504 2488 Ofpfnqjp.exe 33 PID 2488 wrote to memory of 2504 2488 Ofpfnqjp.exe 33 PID 2488 wrote to memory of 2504 2488 Ofpfnqjp.exe 33 PID 2488 wrote to memory of 2504 2488 Ofpfnqjp.exe 33 PID 2504 wrote to memory of 2968 2504 Pminkk32.exe 34 PID 2504 wrote to memory of 2968 2504 Pminkk32.exe 34 PID 2504 wrote to memory of 2968 2504 Pminkk32.exe 34 PID 2504 wrote to memory of 2968 2504 Pminkk32.exe 34 PID 2968 wrote to memory of 2808 2968 Pgobhcac.exe 35 PID 2968 wrote to memory of 2808 2968 Pgobhcac.exe 35 PID 2968 wrote to memory of 2808 2968 Pgobhcac.exe 35 PID 2968 wrote to memory of 2808 2968 Pgobhcac.exe 35 PID 2808 wrote to memory of 2836 2808 Pjmodopf.exe 36 PID 2808 wrote to memory of 2836 2808 Pjmodopf.exe 36 PID 2808 wrote to memory of 2836 2808 Pjmodopf.exe 36 PID 2808 wrote to memory of 2836 2808 Pjmodopf.exe 36 PID 2836 wrote to memory of 832 2836 Ppjglfon.exe 37 PID 2836 wrote to memory of 832 2836 Ppjglfon.exe 37 PID 2836 wrote to memory of 832 2836 Ppjglfon.exe 37 PID 2836 wrote to memory of 832 2836 Ppjglfon.exe 37 PID 832 wrote to memory of 1196 832 Pbiciana.exe 38 PID 832 wrote to memory of 1196 832 Pbiciana.exe 38 PID 832 wrote to memory of 1196 832 Pbiciana.exe 38 PID 832 wrote to memory of 1196 832 Pbiciana.exe 38 PID 1196 wrote to memory of 2688 1196 Pmnhfjmg.exe 39 PID 1196 wrote to memory of 2688 1196 Pmnhfjmg.exe 39 PID 1196 wrote to memory of 2688 1196 Pmnhfjmg.exe 39 PID 1196 wrote to memory of 2688 1196 Pmnhfjmg.exe 39 PID 2688 wrote to memory of 860 2688 Ppmdbe32.exe 40 PID 2688 wrote to memory of 860 2688 Ppmdbe32.exe 40 PID 2688 wrote to memory of 860 2688 Ppmdbe32.exe 40 PID 2688 wrote to memory of 860 2688 Ppmdbe32.exe 40 PID 860 wrote to memory of 2108 860 Peiljl32.exe 41 PID 860 wrote to memory of 2108 860 Peiljl32.exe 41 PID 860 wrote to memory of 2108 860 Peiljl32.exe 41 PID 860 wrote to memory of 2108 860 Peiljl32.exe 41 PID 2108 wrote to memory of 1976 2108 Ppoqge32.exe 42 PID 2108 wrote to memory of 1976 2108 Ppoqge32.exe 42 PID 2108 wrote to memory of 1976 2108 Ppoqge32.exe 42 PID 2108 wrote to memory of 1976 2108 Ppoqge32.exe 42 PID 1976 wrote to memory of 324 1976 Pelipl32.exe 43 PID 1976 wrote to memory of 324 1976 Pelipl32.exe 43 PID 1976 wrote to memory of 324 1976 Pelipl32.exe 43 PID 1976 wrote to memory of 324 1976 Pelipl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\64fc1b1aec0dd63312b499af83a77b30_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:452 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe27⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe28⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe34⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe35⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe36⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe37⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe38⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe39⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe40⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe41⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe44⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe45⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe48⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe49⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe51⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe52⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe55⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe57⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe58⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe59⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe60⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe61⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe62⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe63⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe65⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe66⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe67⤵PID:1092
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe68⤵PID:2252
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe69⤵PID:1068
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe70⤵PID:968
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe71⤵PID:2996
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe72⤵PID:896
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe73⤵PID:2524
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe74⤵PID:3044
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe75⤵PID:2636
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe76⤵PID:2576
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe77⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe78⤵PID:2784
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe79⤵PID:1528
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe80⤵PID:2708
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe81⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe82⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe83⤵PID:1872
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe84⤵PID:1340
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe85⤵PID:1560
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe86⤵PID:944
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe87⤵PID:2084
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe88⤵PID:2992
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe89⤵PID:2448
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe90⤵PID:2552
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe91⤵PID:2372
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe92⤵PID:1920
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe93⤵PID:636
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe94⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe95⤵PID:2416
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe96⤵PID:1400
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe97⤵PID:2656
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe98⤵PID:1792
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe100⤵
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe101⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe102⤵PID:1628
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe103⤵
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe104⤵PID:2724
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe105⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe106⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:548 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe109⤵
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe110⤵PID:2988
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe111⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe113⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe114⤵PID:1624
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe115⤵PID:2940
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe117⤵PID:2564
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe118⤵PID:2456
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe119⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe120⤵PID:1568
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe121⤵PID:876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-