Analysis
-
max time kernel
145s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 02:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe
-
Size
72KB
-
MD5
82599b300c6362dc1b566e6e11362ef0
-
SHA1
957aaa404f6d2aebb542d1183176cb89db2a8d47
-
SHA256
411932587585e1b16cd9b22472419c062f0c85ae6080ba5621edb508c1a4d3bc
-
SHA512
4caac91b8a1eaeeed0f3820dc4c4ada2253a208811f097d420e8950bcb9e469cf1f3aec9a000ed254f0b6d28ce2665fd4e2c91de5a76bca56a3de7553d6a1a77
-
SSDEEP
1536:r2a3QW6LY4/O3OpMjEk+LIHjD7OmArlhq5a:rZY23O9k+KjPOQa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkeelohh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baakhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obigjnkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npdjje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoffmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhlifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdhbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nohnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdccfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmjak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmhkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joplbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okikfagn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amejeljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Banepo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qaefjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qljkhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djhphncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kngfih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjfhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oghlgdgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emcbkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkdpanhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkndaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngfcca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgfjbgmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egamfkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiecb32.exe -
Executes dropped EXE 64 IoCs
pid Process 1752 Naikkk32.exe 2560 Ngfcca32.exe 2584 Nnplpl32.exe 2872 Npnhlg32.exe 2640 Nghphaeo.exe 2644 Njgldmdc.exe 2556 Nqqdag32.exe 2188 Ngkmnacm.exe 1220 Nhlifi32.exe 2368 Nqcagfim.exe 1720 Ncancbha.exe 2784 Njkfpl32.exe 1664 Nmjblg32.exe 2228 Nohnhc32.exe 2156 Ofbfdmeb.exe 2096 Ohqbqhde.exe 1336 Okoomd32.exe 2836 Onmkio32.exe 2240 Obigjnkf.exe 2452 Oicpfh32.exe 1668 Ogfpbeim.exe 1552 Onphoo32.exe 1452 Obkdonic.exe 1192 Oghlgdgk.exe 2112 Okchhc32.exe 1604 Ojficpfn.exe 2264 Oelmai32.exe 2684 Ondajnme.exe 2632 Oqcnfjli.exe 2720 Ocajbekl.exe 2652 Ofpfnqjp.exe 2952 Paejki32.exe 2960 Pphjgfqq.exe 840 Pjmodopf.exe 1996 Pmlkpjpj.exe 1268 Pcfcmd32.exe 1272 Pfdpip32.exe 1612 Piblek32.exe 2120 Plahag32.exe 2284 Pbkpna32.exe 2332 Peiljl32.exe 1020 Pmqdkj32.exe 1328 Pnbacbac.exe 1332 Pelipl32.exe 2448 Phjelg32.exe 2892 Plfamfpm.exe 1828 Ppamme32.exe 1296 Pabjem32.exe 2864 Pijbfj32.exe 2944 Qnfjna32.exe 2620 Qaefjm32.exe 2884 Qdccfh32.exe 2488 Qljkhe32.exe 2668 Qjmkcbcb.exe 1956 Qnigda32.exe 2204 Qagcpljo.exe 1900 Qecoqk32.exe 1680 Adeplhib.exe 948 Ajphib32.exe 2580 Ankdiqih.exe 2768 Amndem32.exe 1520 Aajpelhl.exe 2308 Aplpai32.exe 776 Ahchbf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2012 82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe 2012 82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe 1752 Naikkk32.exe 1752 Naikkk32.exe 2560 Ngfcca32.exe 2560 Ngfcca32.exe 2584 Nnplpl32.exe 2584 Nnplpl32.exe 2872 Npnhlg32.exe 2872 Npnhlg32.exe 2640 Nghphaeo.exe 2640 Nghphaeo.exe 2644 Njgldmdc.exe 2644 Njgldmdc.exe 2556 Nqqdag32.exe 2556 Nqqdag32.exe 2188 Ngkmnacm.exe 2188 Ngkmnacm.exe 1220 Nhlifi32.exe 1220 Nhlifi32.exe 2368 Nqcagfim.exe 2368 Nqcagfim.exe 1720 Ncancbha.exe 1720 Ncancbha.exe 2784 Njkfpl32.exe 2784 Njkfpl32.exe 1664 Nmjblg32.exe 1664 Nmjblg32.exe 2228 Nohnhc32.exe 2228 Nohnhc32.exe 2156 Ofbfdmeb.exe 2156 Ofbfdmeb.exe 2096 Ohqbqhde.exe 2096 Ohqbqhde.exe 1336 Okoomd32.exe 1336 Okoomd32.exe 2836 Onmkio32.exe 2836 Onmkio32.exe 2240 Obigjnkf.exe 2240 Obigjnkf.exe 2452 Oicpfh32.exe 2452 Oicpfh32.exe 1668 Ogfpbeim.exe 1668 Ogfpbeim.exe 1552 Onphoo32.exe 1552 Onphoo32.exe 1452 Obkdonic.exe 1452 Obkdonic.exe 1192 Oghlgdgk.exe 1192 Oghlgdgk.exe 2112 Okchhc32.exe 2112 Okchhc32.exe 1604 Ojficpfn.exe 1604 Ojficpfn.exe 2264 Oelmai32.exe 2264 Oelmai32.exe 2684 Ondajnme.exe 2684 Ondajnme.exe 2632 Oqcnfjli.exe 2632 Oqcnfjli.exe 2720 Ocajbekl.exe 2720 Ocajbekl.exe 2652 Ofpfnqjp.exe 2652 Ofpfnqjp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jmloladn.dll Flabbihl.exe File created C:\Windows\SysWOW64\Ongdpbkl.dll Ikpjgkjq.exe File created C:\Windows\SysWOW64\Qedhdjnh.exe Qfahhm32.exe File created C:\Windows\SysWOW64\Cpnojioo.exe Caknol32.exe File created C:\Windows\SysWOW64\Ffakeiib.dll Ckignd32.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Lpphap32.exe Kifpdelo.exe File created C:\Windows\SysWOW64\Ggpimica.exe Ghmiam32.exe File created C:\Windows\SysWOW64\Alogkm32.dll Hodpgjha.exe File created C:\Windows\SysWOW64\Lihmjejl.exe Lfjqnjkh.exe File created C:\Windows\SysWOW64\Dhpiojfb.exe Dfamcogo.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Djpmccqq.exe File opened for modification C:\Windows\SysWOW64\Ofhick32.exe Ocimgp32.exe File created C:\Windows\SysWOW64\Ahcfok32.dll Dbehoa32.exe File opened for modification C:\Windows\SysWOW64\Gldkfl32.exe Gieojq32.exe File created C:\Windows\SysWOW64\Gaemjbcg.exe Gogangdc.exe File created C:\Windows\SysWOW64\Iblpjdpk.exe Inqcif32.exe File opened for modification C:\Windows\SysWOW64\Aaobdjof.exe Anafhopc.exe File created C:\Windows\SysWOW64\Iigpciig.dll Naajoinb.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Emhlfmgj.exe File created C:\Windows\SysWOW64\Gldkfl32.exe Gieojq32.exe File created C:\Windows\SysWOW64\Bpiipf32.exe Bafidiio.exe File created C:\Windows\SysWOW64\Fpgiom32.dll Bbhela32.exe File opened for modification C:\Windows\SysWOW64\Jbllihbf.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Ofhick32.exe Ocimgp32.exe File created C:\Windows\SysWOW64\Ogdafiei.dll Ppbfpd32.exe File created C:\Windows\SysWOW64\Bafidiio.exe Bioqclil.exe File opened for modification C:\Windows\SysWOW64\Pijbfj32.exe Pabjem32.exe File created C:\Windows\SysWOW64\Kcfdakpf.dll Emeopn32.exe File created C:\Windows\SysWOW64\Kgpjanje.exe Kcdnao32.exe File opened for modification C:\Windows\SysWOW64\Ogblbo32.exe Ocgpappk.exe File created C:\Windows\SysWOW64\Bdgafdfp.exe Bpleef32.exe File opened for modification C:\Windows\SysWOW64\Ecpgmhai.exe Epdkli32.exe File created C:\Windows\SysWOW64\Emhlfmgj.exe Eeqdep32.exe File opened for modification C:\Windows\SysWOW64\Fjgoce32.exe Ffkcbgek.exe File opened for modification C:\Windows\SysWOW64\Loeebl32.exe Lpbefoai.exe File opened for modification C:\Windows\SysWOW64\Okikfagn.exe Oikojfgk.exe File created C:\Windows\SysWOW64\Ejkima32.exe Egllae32.exe File created C:\Windows\SysWOW64\Bkodhe32.exe Bhahlj32.exe File opened for modification C:\Windows\SysWOW64\Ihankokm.exe Ifcbodli.exe File created C:\Windows\SysWOW64\Odoghjmf.dll Ikbgmj32.exe File opened for modification C:\Windows\SysWOW64\Mdmmfa32.exe Mpbaebdd.exe File opened for modification C:\Windows\SysWOW64\Alegac32.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Lnnhje32.dll Gonnhhln.exe File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe Hodpgjha.exe File created C:\Windows\SysWOW64\Nceclqan.exe Ndbcpd32.exe File created C:\Windows\SysWOW64\Nmnlfg32.dll Cahail32.exe File created C:\Windows\SysWOW64\Bpbbfi32.dll Ebodiofk.exe File created C:\Windows\SysWOW64\Gogangdc.exe Gkkemh32.exe File created C:\Windows\SysWOW64\Llkbap32.exe Limfed32.exe File opened for modification C:\Windows\SysWOW64\Nhkbkc32.exe Npdjje32.exe File created C:\Windows\SysWOW64\Nmlnnp32.dll Olmhdf32.exe File opened for modification C:\Windows\SysWOW64\Ofmbnkhg.exe Obafnlpn.exe File created C:\Windows\SysWOW64\Alegac32.exe Adnopfoj.exe File opened for modification C:\Windows\SysWOW64\Pphjgfqq.exe Paejki32.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dfijnd32.exe File opened for modification C:\Windows\SysWOW64\Ccngld32.exe Cppkph32.exe File opened for modification C:\Windows\SysWOW64\Ngkmnacm.exe Nqqdag32.exe File created C:\Windows\SysWOW64\Blnhfb32.dll Gaqcoc32.exe File opened for modification C:\Windows\SysWOW64\Ghoegl32.exe Gphmeo32.exe File created C:\Windows\SysWOW64\Jjpbahga.dll Kneicieh.exe File opened for modification C:\Windows\SysWOW64\Pamiog32.exe Pnomcl32.exe File created C:\Windows\SysWOW64\Mmnclh32.dll Dkqbaecc.exe File created C:\Windows\SysWOW64\Ddagfm32.exe Dngoibmo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6444 6400 WerFault.exe 656 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmcnehn.dll" Idmhkpml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmqdkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bebkpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kngfih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkncmmle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bppoqeja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neeeodef.dll" Obigjnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoacn32.dll" Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npfgpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okgnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Logbhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olpdjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpipp32.dll" Logbhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghmhi32.dll" Ndkmpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amaipodm.dll" Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" Ahdaee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll" Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbiki.dll" Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Banepo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojgnpb.dll" Affhncfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpghahi.dll" Dhjgal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfenbpec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baakhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oicpfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbpkign.dll" Jgnamk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfghif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnkpm32.dll" Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqamandk.dll" Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll" Cpnojioo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifpn32.dll" Ngkmnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lojomkdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocindg32.dll" Nceclqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofjfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pelipl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 1752 2012 82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe 28 PID 2012 wrote to memory of 1752 2012 82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe 28 PID 2012 wrote to memory of 1752 2012 82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe 28 PID 2012 wrote to memory of 1752 2012 82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe 28 PID 1752 wrote to memory of 2560 1752 Naikkk32.exe 29 PID 1752 wrote to memory of 2560 1752 Naikkk32.exe 29 PID 1752 wrote to memory of 2560 1752 Naikkk32.exe 29 PID 1752 wrote to memory of 2560 1752 Naikkk32.exe 29 PID 2560 wrote to memory of 2584 2560 Ngfcca32.exe 30 PID 2560 wrote to memory of 2584 2560 Ngfcca32.exe 30 PID 2560 wrote to memory of 2584 2560 Ngfcca32.exe 30 PID 2560 wrote to memory of 2584 2560 Ngfcca32.exe 30 PID 2584 wrote to memory of 2872 2584 Nnplpl32.exe 31 PID 2584 wrote to memory of 2872 2584 Nnplpl32.exe 31 PID 2584 wrote to memory of 2872 2584 Nnplpl32.exe 31 PID 2584 wrote to memory of 2872 2584 Nnplpl32.exe 31 PID 2872 wrote to memory of 2640 2872 Npnhlg32.exe 32 PID 2872 wrote to memory of 2640 2872 Npnhlg32.exe 32 PID 2872 wrote to memory of 2640 2872 Npnhlg32.exe 32 PID 2872 wrote to memory of 2640 2872 Npnhlg32.exe 32 PID 2640 wrote to memory of 2644 2640 Nghphaeo.exe 33 PID 2640 wrote to memory of 2644 2640 Nghphaeo.exe 33 PID 2640 wrote to memory of 2644 2640 Nghphaeo.exe 33 PID 2640 wrote to memory of 2644 2640 Nghphaeo.exe 33 PID 2644 wrote to memory of 2556 2644 Njgldmdc.exe 34 PID 2644 wrote to memory of 2556 2644 Njgldmdc.exe 34 PID 2644 wrote to memory of 2556 2644 Njgldmdc.exe 34 PID 2644 wrote to memory of 2556 2644 Njgldmdc.exe 34 PID 2556 wrote to memory of 2188 2556 Nqqdag32.exe 35 PID 2556 wrote to memory of 2188 2556 Nqqdag32.exe 35 PID 2556 wrote to memory of 2188 2556 Nqqdag32.exe 35 PID 2556 wrote to memory of 2188 2556 Nqqdag32.exe 35 PID 2188 wrote to memory of 1220 2188 Ngkmnacm.exe 36 PID 2188 wrote to memory of 1220 2188 Ngkmnacm.exe 36 PID 2188 wrote to memory of 1220 2188 Ngkmnacm.exe 36 PID 2188 wrote to memory of 1220 2188 Ngkmnacm.exe 36 PID 1220 wrote to memory of 2368 1220 Nhlifi32.exe 37 PID 1220 wrote to memory of 2368 1220 Nhlifi32.exe 37 PID 1220 wrote to memory of 2368 1220 Nhlifi32.exe 37 PID 1220 wrote to memory of 2368 1220 Nhlifi32.exe 37 PID 2368 wrote to memory of 1720 2368 Nqcagfim.exe 38 PID 2368 wrote to memory of 1720 2368 Nqcagfim.exe 38 PID 2368 wrote to memory of 1720 2368 Nqcagfim.exe 38 PID 2368 wrote to memory of 1720 2368 Nqcagfim.exe 38 PID 1720 wrote to memory of 2784 1720 Ncancbha.exe 39 PID 1720 wrote to memory of 2784 1720 Ncancbha.exe 39 PID 1720 wrote to memory of 2784 1720 Ncancbha.exe 39 PID 1720 wrote to memory of 2784 1720 Ncancbha.exe 39 PID 2784 wrote to memory of 1664 2784 Njkfpl32.exe 40 PID 2784 wrote to memory of 1664 2784 Njkfpl32.exe 40 PID 2784 wrote to memory of 1664 2784 Njkfpl32.exe 40 PID 2784 wrote to memory of 1664 2784 Njkfpl32.exe 40 PID 1664 wrote to memory of 2228 1664 Nmjblg32.exe 41 PID 1664 wrote to memory of 2228 1664 Nmjblg32.exe 41 PID 1664 wrote to memory of 2228 1664 Nmjblg32.exe 41 PID 1664 wrote to memory of 2228 1664 Nmjblg32.exe 41 PID 2228 wrote to memory of 2156 2228 Nohnhc32.exe 42 PID 2228 wrote to memory of 2156 2228 Nohnhc32.exe 42 PID 2228 wrote to memory of 2156 2228 Nohnhc32.exe 42 PID 2228 wrote to memory of 2156 2228 Nohnhc32.exe 42 PID 2156 wrote to memory of 2096 2156 Ofbfdmeb.exe 43 PID 2156 wrote to memory of 2096 2156 Ofbfdmeb.exe 43 PID 2156 wrote to memory of 2096 2156 Ofbfdmeb.exe 43 PID 2156 wrote to memory of 2096 2156 Ofbfdmeb.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\82599b300c6362dc1b566e6e11362ef0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe34⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe35⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe36⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe37⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe38⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe39⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe40⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe41⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe42⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe44⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe46⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe47⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe48⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1296 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe50⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe55⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe56⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe57⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe59⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe60⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe61⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe62⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe63⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe65⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe66⤵
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe67⤵PID:3036
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe68⤵PID:1540
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe69⤵PID:1108
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe70⤵PID:1196
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe71⤵PID:2220
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:820 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe73⤵PID:3040
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe74⤵PID:2700
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe75⤵PID:2740
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe76⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe77⤵PID:2956
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe78⤵PID:956
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe81⤵PID:2104
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe82⤵PID:1400
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe83⤵PID:1976
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe84⤵PID:2320
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe85⤵PID:2388
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe86⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe87⤵PID:2628
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe88⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe89⤵PID:2968
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe90⤵PID:1580
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe91⤵PID:1896
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe92⤵PID:1524
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe93⤵PID:2336
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe94⤵PID:584
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe95⤵PID:660
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe96⤵PID:980
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe97⤵PID:1184
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe100⤵PID:2712
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe101⤵PID:1164
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe102⤵PID:2572
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe103⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe104⤵PID:628
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe105⤵PID:1712
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe106⤵PID:1656
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe107⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe108⤵PID:1876
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe109⤵PID:2364
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe110⤵PID:1120
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe112⤵PID:2140
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe113⤵PID:2524
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe114⤵PID:2496
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe115⤵PID:1260
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe116⤵PID:848
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe117⤵PID:1448
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe118⤵PID:2972
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe119⤵PID:852
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe120⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe121⤵PID:2636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-