Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17-05-2024 07:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe
-
Size
483KB
-
MD5
cc42f4be651fbe88efe506dba369c650
-
SHA1
4a94a1ffc11a4c53b543b03114dfc652ef077517
-
SHA256
99b08f0fca21a976e401cadb8d3ba678b1a8c64f6a06fb04d5d76d953805ff93
-
SHA512
a7ed5f98e338fea2dc94b093434aadf11035463fded732854204d9b3fce6fce53fc45caf3a8438fc651dbd771997492e861ce74fa3963726f7a3313e6859c9c4
-
SSDEEP
6144:+l/uqE8f9eKlFxM2o5CRVrtv35CPXbo92ynn8sbeWDJk4sNnVCj:+l/5E8YAMIRFbet4OnV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaqmeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knjbnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oopnlacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfcikek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melfncqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgkafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbmjah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkaglf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfagfop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkeimlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahikqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncdgcqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmjedoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igihbknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdjbaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmlhnagm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkclhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmahdggc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhaqogk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkpgfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keanebkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dookgcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnennj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hapicp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjbjopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflmci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqgoiokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjilieka.exe -
Executes dropped EXE 64 IoCs
pid Process 2744 Oqcnfjli.exe 2600 Oenifh32.exe 3044 Ogmfbd32.exe 2624 Pminkk32.exe 2420 Pfbccp32.exe 2352 Pipopl32.exe 2644 Pmnhfjmg.exe 2788 Plahag32.exe 1500 Pchpbded.exe 2384 Plcdgfbo.exe 1692 Pnbacbac.exe 240 Pelipl32.exe 2880 Plfamfpm.exe 2100 Pndniaop.exe 2244 Qbbfopeg.exe 1040 Qnigda32.exe 1792 Qagcpljo.exe 2368 Qecoqk32.exe 2304 Ahakmf32.exe 2208 Ajphib32.exe 1216 Amndem32.exe 1800 Aajpelhl.exe 776 Adhlaggp.exe 2324 Affhncfc.exe 568 Ampqjm32.exe 2680 Aalmklfi.exe 2732 Adjigg32.exe 2404 Ajdadamj.exe 2184 Ambmpmln.exe 2652 Admemg32.exe 2792 Aenbdoii.exe 1464 Amejeljk.exe 2612 Aoffmd32.exe 2480 Afmonbqk.exe 2248 Boiccdnf.exe 2568 Bagpopmj.exe 788 Bingpmnl.exe 2656 Bhahlj32.exe 1600 Bbflib32.exe 3016 Beehencq.exe 2772 Bloqah32.exe 888 Bkaqmeah.exe 2136 Balijo32.exe 2512 Bdjefj32.exe 2064 Bhfagipa.exe 1972 Bkdmcdoe.exe 1576 Bopicc32.exe 2588 Bnbjopoi.exe 1248 Bpafkknm.exe 2032 Bdlblj32.exe 2260 Bgknheej.exe 848 Bjijdadm.exe 472 Baqbenep.exe 1320 Bpcbqk32.exe 2700 Bcaomf32.exe 608 Cjlgiqbk.exe 2812 Cljcelan.exe 2348 Cpeofk32.exe 2376 Ccdlbf32.exe 960 Cjndop32.exe 2456 Cphlljge.exe 548 Coklgg32.exe 2140 Cgbdhd32.exe 1056 Cfeddafl.exe -
Loads dropped DLL 64 IoCs
pid Process 2192 cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe 2192 cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe 2744 Oqcnfjli.exe 2744 Oqcnfjli.exe 2600 Oenifh32.exe 2600 Oenifh32.exe 3044 Ogmfbd32.exe 3044 Ogmfbd32.exe 2624 Pminkk32.exe 2624 Pminkk32.exe 2420 Pfbccp32.exe 2420 Pfbccp32.exe 2352 Pipopl32.exe 2352 Pipopl32.exe 2644 Pmnhfjmg.exe 2644 Pmnhfjmg.exe 2788 Plahag32.exe 2788 Plahag32.exe 1500 Pchpbded.exe 1500 Pchpbded.exe 2384 Plcdgfbo.exe 2384 Plcdgfbo.exe 1692 Pnbacbac.exe 1692 Pnbacbac.exe 240 Pelipl32.exe 240 Pelipl32.exe 2880 Plfamfpm.exe 2880 Plfamfpm.exe 2100 Pndniaop.exe 2100 Pndniaop.exe 2244 Qbbfopeg.exe 2244 Qbbfopeg.exe 1040 Qnigda32.exe 1040 Qnigda32.exe 1792 Qagcpljo.exe 1792 Qagcpljo.exe 2368 Qecoqk32.exe 2368 Qecoqk32.exe 2304 Ahakmf32.exe 2304 Ahakmf32.exe 2208 Ajphib32.exe 2208 Ajphib32.exe 1216 Amndem32.exe 1216 Amndem32.exe 1800 Aajpelhl.exe 1800 Aajpelhl.exe 776 Adhlaggp.exe 776 Adhlaggp.exe 2324 Affhncfc.exe 2324 Affhncfc.exe 568 Ampqjm32.exe 568 Ampqjm32.exe 2680 Aalmklfi.exe 2680 Aalmklfi.exe 2732 Adjigg32.exe 2732 Adjigg32.exe 2404 Ajdadamj.exe 2404 Ajdadamj.exe 2184 Ambmpmln.exe 2184 Ambmpmln.exe 2652 Admemg32.exe 2652 Admemg32.exe 2792 Aenbdoii.exe 2792 Aenbdoii.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Clilkfnb.exe Chnqkg32.exe File opened for modification C:\Windows\SysWOW64\Jbgkcb32.exe Jjpcbe32.exe File opened for modification C:\Windows\SysWOW64\Qjfhfnim.dll Knklagmb.exe File created C:\Windows\SysWOW64\Cljcelan.exe Cjlgiqbk.exe File created C:\Windows\SysWOW64\Ccdlbf32.exe Cpeofk32.exe File opened for modification C:\Windows\SysWOW64\Djefobmk.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Pfdjfphi.dll Kmaled32.exe File created C:\Windows\SysWOW64\Ahikqd32.exe Aekodi32.exe File opened for modification C:\Windows\SysWOW64\Mbkmlh32.exe Mooaljkh.exe File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe Mpjqiq32.exe File created C:\Windows\SysWOW64\Mjccnjpk.dll Aajpelhl.exe File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe Fejgko32.exe File created C:\Windows\SysWOW64\Hakphqja.exe Hbhomd32.exe File created C:\Windows\SysWOW64\Ealnephf.exe Ebinic32.exe File opened for modification C:\Windows\SysWOW64\Pklhlael.exe Pgplkb32.exe File created C:\Windows\SysWOW64\Dcenlceh.exe Dojald32.exe File created C:\Windows\SysWOW64\Hdqbekcm.exe Hpefdl32.exe File opened for modification C:\Windows\SysWOW64\Pfoocjfd.exe Onhgbmfb.exe File created C:\Windows\SysWOW64\Bgfgbaoo.dll Flgeqgog.exe File created C:\Windows\SysWOW64\Dlfdghbq.dll Lndohedg.exe File created C:\Windows\SysWOW64\Bagpopmj.exe Boiccdnf.exe File created C:\Windows\SysWOW64\Bingpmnl.exe Bagpopmj.exe File opened for modification C:\Windows\SysWOW64\Cfgaiaci.exe Cciemedf.exe File created C:\Windows\SysWOW64\Dgodbh32.exe Ddagfm32.exe File created C:\Windows\SysWOW64\Cfmepigc.dll Kmjfdejp.exe File opened for modification C:\Windows\SysWOW64\Jfiale32.exe Jcjdpj32.exe File opened for modification C:\Windows\SysWOW64\Kiijnq32.exe Kjfjbdle.exe File created C:\Windows\SysWOW64\Kicmdo32.exe Kaldcb32.exe File opened for modification C:\Windows\SysWOW64\Fbgmbg32.exe Fphafl32.exe File opened for modification C:\Windows\SysWOW64\Iokfhi32.exe Ikpjgkjq.exe File created C:\Windows\SysWOW64\Ijeghgoh.exe Ikbgmj32.exe File opened for modification C:\Windows\SysWOW64\Jehkodcm.exe Jfekcg32.exe File created C:\Windows\SysWOW64\Lpdbloof.exe Lhmjkaoc.exe File created C:\Windows\SysWOW64\Ffakeiib.dll Bcaomf32.exe File opened for modification C:\Windows\SysWOW64\Cndbcc32.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Bnpanefm.dll Kaceodek.exe File created C:\Windows\SysWOW64\Fioeja32.dll Ocimgp32.exe File opened for modification C:\Windows\SysWOW64\Dolnad32.exe Dkqbaecc.exe File created C:\Windows\SysWOW64\Jqlhdo32.exe Jmplcp32.exe File opened for modification C:\Windows\SysWOW64\Kcakaipc.exe Kofopj32.exe File created C:\Windows\SysWOW64\Dnneja32.exe Djbiicon.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dfijnd32.exe File created C:\Windows\SysWOW64\Ecmkghcl.exe Eqonkmdh.exe File created C:\Windows\SysWOW64\Jjlcbpdk.dll Qjjgclai.exe File created C:\Windows\SysWOW64\Bllbijej.dll Amkpegnj.exe File created C:\Windows\SysWOW64\Klidkobf.dll Dgaqgh32.exe File created C:\Windows\SysWOW64\Kaaldl32.dll Fepiimfg.exe File opened for modification C:\Windows\SysWOW64\Kmjojo32.exe Kincipnk.exe File created C:\Windows\SysWOW64\Deeieqod.dll Kgemplap.exe File opened for modification C:\Windows\SysWOW64\Geolea32.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Jobjlngg.dll Ifcbodli.exe File opened for modification C:\Windows\SysWOW64\Ogblbo32.exe Ocgpappk.exe File created C:\Windows\SysWOW64\Ggeiabkc.dll Ganpomec.exe File created C:\Windows\SysWOW64\Odmfgh32.dll Hhgdkjol.exe File opened for modification C:\Windows\SysWOW64\Pdaoog32.exe Pfoocjfd.exe File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Aehboi32.exe File opened for modification C:\Windows\SysWOW64\Djmicm32.exe Dfamcogo.exe File created C:\Windows\SysWOW64\Fncann32.dll Ddagfm32.exe File created C:\Windows\SysWOW64\Eecqjpee.exe Efppoc32.exe File created C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File opened for modification C:\Windows\SysWOW64\Jjojofgn.exe Jfcnngnd.exe File created C:\Windows\SysWOW64\Ojahnj32.exe Ogblbo32.exe File created C:\Windows\SysWOW64\Ipgbjl32.exe Illgimph.exe File created C:\Windows\SysWOW64\Idcokkak.exe Ipgbjl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpgfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkaippf.dll" Ojcecjee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oclilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdgneh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Jmhmpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmicohqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadloj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfmemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemaaoaf.dll" Kjljhjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nekbmgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonpde32.dll" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll" Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibbcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdkpbk32.dll" Mppepcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gedbdlbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmjedoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocnbmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miikgeea.dll" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpmnhglp.dll" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljnnb32.dll" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokcq32.dll" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll" Mlcbenjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdamlbjc.dll" Qnigda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifcbodli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaceodek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkgmi32.dll" Mijfnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjongcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbfqn32.dll" Ioaifhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhmfm32.dll" Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojebabb.dll" Alnqqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll" Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacnpbdl.dll" cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miooigfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbhnhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilgioe.dll" Lcagpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpeofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflgccbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Homclekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhehek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhfagipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gedbdlbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgiaak32.dll" Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdcc32.dll" Jkdpanhg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2192 wrote to memory of 2744 2192 cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe 28 PID 2192 wrote to memory of 2744 2192 cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe 28 PID 2192 wrote to memory of 2744 2192 cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe 28 PID 2192 wrote to memory of 2744 2192 cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe 28 PID 2744 wrote to memory of 2600 2744 Oqcnfjli.exe 29 PID 2744 wrote to memory of 2600 2744 Oqcnfjli.exe 29 PID 2744 wrote to memory of 2600 2744 Oqcnfjli.exe 29 PID 2744 wrote to memory of 2600 2744 Oqcnfjli.exe 29 PID 2600 wrote to memory of 3044 2600 Oenifh32.exe 30 PID 2600 wrote to memory of 3044 2600 Oenifh32.exe 30 PID 2600 wrote to memory of 3044 2600 Oenifh32.exe 30 PID 2600 wrote to memory of 3044 2600 Oenifh32.exe 30 PID 3044 wrote to memory of 2624 3044 Ogmfbd32.exe 31 PID 3044 wrote to memory of 2624 3044 Ogmfbd32.exe 31 PID 3044 wrote to memory of 2624 3044 Ogmfbd32.exe 31 PID 3044 wrote to memory of 2624 3044 Ogmfbd32.exe 31 PID 2624 wrote to memory of 2420 2624 Pminkk32.exe 32 PID 2624 wrote to memory of 2420 2624 Pminkk32.exe 32 PID 2624 wrote to memory of 2420 2624 Pminkk32.exe 32 PID 2624 wrote to memory of 2420 2624 Pminkk32.exe 32 PID 2420 wrote to memory of 2352 2420 Pfbccp32.exe 33 PID 2420 wrote to memory of 2352 2420 Pfbccp32.exe 33 PID 2420 wrote to memory of 2352 2420 Pfbccp32.exe 33 PID 2420 wrote to memory of 2352 2420 Pfbccp32.exe 33 PID 2352 wrote to memory of 2644 2352 Pipopl32.exe 34 PID 2352 wrote to memory of 2644 2352 Pipopl32.exe 34 PID 2352 wrote to memory of 2644 2352 Pipopl32.exe 34 PID 2352 wrote to memory of 2644 2352 Pipopl32.exe 34 PID 2644 wrote to memory of 2788 2644 Pmnhfjmg.exe 35 PID 2644 wrote to memory of 2788 2644 Pmnhfjmg.exe 35 PID 2644 wrote to memory of 2788 2644 Pmnhfjmg.exe 35 PID 2644 wrote to memory of 2788 2644 Pmnhfjmg.exe 35 PID 2788 wrote to memory of 1500 2788 Plahag32.exe 36 PID 2788 wrote to memory of 1500 2788 Plahag32.exe 36 PID 2788 wrote to memory of 1500 2788 Plahag32.exe 36 PID 2788 wrote to memory of 1500 2788 Plahag32.exe 36 PID 1500 wrote to memory of 2384 1500 Pchpbded.exe 37 PID 1500 wrote to memory of 2384 1500 Pchpbded.exe 37 PID 1500 wrote to memory of 2384 1500 Pchpbded.exe 37 PID 1500 wrote to memory of 2384 1500 Pchpbded.exe 37 PID 2384 wrote to memory of 1692 2384 Plcdgfbo.exe 38 PID 2384 wrote to memory of 1692 2384 Plcdgfbo.exe 38 PID 2384 wrote to memory of 1692 2384 Plcdgfbo.exe 38 PID 2384 wrote to memory of 1692 2384 Plcdgfbo.exe 38 PID 1692 wrote to memory of 240 1692 Pnbacbac.exe 39 PID 1692 wrote to memory of 240 1692 Pnbacbac.exe 39 PID 1692 wrote to memory of 240 1692 Pnbacbac.exe 39 PID 1692 wrote to memory of 240 1692 Pnbacbac.exe 39 PID 240 wrote to memory of 2880 240 Pelipl32.exe 40 PID 240 wrote to memory of 2880 240 Pelipl32.exe 40 PID 240 wrote to memory of 2880 240 Pelipl32.exe 40 PID 240 wrote to memory of 2880 240 Pelipl32.exe 40 PID 2880 wrote to memory of 2100 2880 Plfamfpm.exe 41 PID 2880 wrote to memory of 2100 2880 Plfamfpm.exe 41 PID 2880 wrote to memory of 2100 2880 Plfamfpm.exe 41 PID 2880 wrote to memory of 2100 2880 Plfamfpm.exe 41 PID 2100 wrote to memory of 2244 2100 Pndniaop.exe 42 PID 2100 wrote to memory of 2244 2100 Pndniaop.exe 42 PID 2100 wrote to memory of 2244 2100 Pndniaop.exe 42 PID 2100 wrote to memory of 2244 2100 Pndniaop.exe 42 PID 2244 wrote to memory of 1040 2244 Qbbfopeg.exe 43 PID 2244 wrote to memory of 1040 2244 Qbbfopeg.exe 43 PID 2244 wrote to memory of 1040 2244 Qbbfopeg.exe 43 PID 2244 wrote to memory of 1040 2244 Qbbfopeg.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\cc42f4be651fbe88efe506dba369c650_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:240 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe33⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe34⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe35⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe38⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe39⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe40⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe42⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe44⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe45⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe47⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe48⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe51⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe52⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe53⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe54⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe58⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe60⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe61⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe62⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe63⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe64⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe66⤵PID:1684
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe67⤵PID:552
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe68⤵PID:2468
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe69⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe70⤵PID:2892
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe71⤵PID:2768
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe72⤵PID:2572
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe73⤵PID:2288
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe74⤵PID:612
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe75⤵PID:1220
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe76⤵PID:1032
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe77⤵PID:2528
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe78⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe79⤵PID:1728
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe80⤵PID:2076
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe81⤵PID:2252
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe82⤵PID:2828
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe83⤵PID:1900
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe84⤵PID:1912
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe85⤵PID:2728
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe86⤵
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe87⤵PID:600
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:384 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe89⤵PID:2156
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe90⤵PID:2472
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe91⤵
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe92⤵PID:2552
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe93⤵PID:1616
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe94⤵PID:1560
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe95⤵PID:2916
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe96⤵PID:2952
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe97⤵PID:3060
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe98⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe99⤵PID:1124
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe100⤵PID:2708
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe101⤵PID:2388
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe102⤵PID:1296
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe104⤵PID:2444
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe106⤵PID:2756
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe107⤵PID:1516
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe108⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe109⤵PID:2484
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe110⤵PID:2832
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe111⤵PID:2380
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe112⤵PID:1928
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe113⤵PID:2636
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1588 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe115⤵PID:1756
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe116⤵PID:2264
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe117⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe118⤵PID:2640
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe119⤵PID:2196
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe120⤵PID:2152
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe121⤵PID:1644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-