Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
25/05/2024, 23:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe
-
Size
96KB
-
MD5
370cf113036895c06a8e88c81f0ea510
-
SHA1
67452f824b00587978ed12847e2c404576733efe
-
SHA256
2d3998cba76d53822ba7e0cee9c9a81199ffb2079dae665eaffef6e288e97b8b
-
SHA512
3b91f67ae94698f6edc770fd94db4e73e2418b665d7535704f2a79a293934286113a1d30876ab3db50f626f805c00b043ac39d50efe089144b178c0f345ec7a9
-
SSDEEP
1536:mK2J+v9Y9OKnc30hWCC7z7nM+zegHt5a3dIDglDs0dduV9jojTIvjrH:n24v96cgVaZDglDxdd69jc0vf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofjfhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkkdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnhbjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baqbenep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okdkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maedhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gblifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokfhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcknbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odoloalf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqqboncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moiklogi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghiaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmceigep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2968 Llqcfe32.exe 2648 Mcjkcplm.exe 2504 Meigpkka.exe 2548 Midcpj32.exe 2372 Mpolmdkg.exe 2888 Moalhq32.exe 1944 Mcmhiojk.exe 2788 Mekdekin.exe 288 Mhjpaf32.exe 2332 Mkhmma32.exe 2256 Mochnppo.exe 1512 Mabejlob.exe 2776 Menakj32.exe 2884 Mhlmgf32.exe 2356 Mkjica32.exe 2828 Mnieom32.exe 596 Madapkmp.exe 2744 Mhnjle32.exe 1468 Mkmfhacp.exe 852 Mohbip32.exe 2960 Mnkbdlbd.exe 2000 Mpjoqhah.exe 2316 Mhqfbebj.exe 1580 Mgcgmb32.exe 3068 Mkobnqan.exe 1292 Njbcim32.exe 2020 Nplkfgoe.exe 2680 Ncjgbcoi.exe 2436 Ngfcca32.exe 2904 Njdpomfe.exe 2696 Npnhlg32.exe 2684 Ndjdlffl.exe 1972 Nfkpdn32.exe 2892 Nnbhek32.exe 1872 Nqqdag32.exe 1708 Nocemcbj.exe 1908 Ngkmnacm.exe 2716 Njiijlbp.exe 2540 Nhlifi32.exe 592 Nlgefh32.exe 1360 Ncancbha.exe 1752 Nfpjomgd.exe 2044 Nhnfkigh.exe 540 Nmjblg32.exe 1460 Nccjhafn.exe 240 Odegpj32.exe 2948 Ohqbqhde.exe 1508 Oojknblb.exe 2832 Oojknblb.exe 2368 Obigjnkf.exe 1876 Ofdcjm32.exe 2392 Ogfpbeim.exe 1220 Oomhcbjp.exe 2732 Obkdonic.exe 2152 Oqndkj32.exe 2172 Odjpkihg.exe 1964 Oiellh32.exe 2192 Okchhc32.exe 1316 Ojficpfn.exe 1464 Onbddoog.exe 1200 Oqqapjnk.exe 2512 Oelmai32.exe 2196 Ogjimd32.exe 1596 Okfencna.exe -
Loads dropped DLL 64 IoCs
pid Process 2040 370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe 2040 370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe 2968 Llqcfe32.exe 2968 Llqcfe32.exe 2648 Mcjkcplm.exe 2648 Mcjkcplm.exe 2504 Meigpkka.exe 2504 Meigpkka.exe 2548 Midcpj32.exe 2548 Midcpj32.exe 2372 Mpolmdkg.exe 2372 Mpolmdkg.exe 2888 Moalhq32.exe 2888 Moalhq32.exe 1944 Mcmhiojk.exe 1944 Mcmhiojk.exe 2788 Mekdekin.exe 2788 Mekdekin.exe 288 Mhjpaf32.exe 288 Mhjpaf32.exe 2332 Mkhmma32.exe 2332 Mkhmma32.exe 2256 Mochnppo.exe 2256 Mochnppo.exe 1512 Mabejlob.exe 1512 Mabejlob.exe 2776 Menakj32.exe 2776 Menakj32.exe 2884 Mhlmgf32.exe 2884 Mhlmgf32.exe 2356 Mkjica32.exe 2356 Mkjica32.exe 2828 Mnieom32.exe 2828 Mnieom32.exe 596 Madapkmp.exe 596 Madapkmp.exe 2744 Mhnjle32.exe 2744 Mhnjle32.exe 1468 Mkmfhacp.exe 1468 Mkmfhacp.exe 852 Mohbip32.exe 852 Mohbip32.exe 2960 Mnkbdlbd.exe 2960 Mnkbdlbd.exe 2000 Mpjoqhah.exe 2000 Mpjoqhah.exe 2316 Mhqfbebj.exe 2316 Mhqfbebj.exe 1580 Mgcgmb32.exe 1580 Mgcgmb32.exe 3068 Mkobnqan.exe 3068 Mkobnqan.exe 1292 Njbcim32.exe 1292 Njbcim32.exe 2020 Nplkfgoe.exe 2020 Nplkfgoe.exe 2680 Ncjgbcoi.exe 2680 Ncjgbcoi.exe 2436 Ngfcca32.exe 2436 Ngfcca32.exe 2904 Njdpomfe.exe 2904 Njdpomfe.exe 2696 Npnhlg32.exe 2696 Npnhlg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oomhcbjp.exe Ogfpbeim.exe File created C:\Windows\SysWOW64\Omdneebf.exe Ojfaijcc.exe File created C:\Windows\SysWOW64\Kpclqkhh.dll Process not Found File created C:\Windows\SysWOW64\Chemfl32.exe Comimg32.exe File opened for modification C:\Windows\SysWOW64\Hlafnbal.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nnoiio32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jbefcm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cnejim32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Moalhq32.exe Mpolmdkg.exe File created C:\Windows\SysWOW64\Plcdgfbo.exe Pmqdkj32.exe File created C:\Windows\SysWOW64\Moiklogi.exe Moiklogi.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Eqgnokip.exe File opened for modification C:\Windows\SysWOW64\Fikejl32.exe Fepiimfg.exe File opened for modification C:\Windows\SysWOW64\Hmjlhfof.exe Process not Found File created C:\Windows\SysWOW64\Gdgphd32.dll Flgeqgog.exe File created C:\Windows\SysWOW64\Bbpiog32.dll Process not Found File created C:\Windows\SysWOW64\Khkbbc32.exe Process not Found File created C:\Windows\SysWOW64\Jgifkl32.dll Process not Found File created C:\Windows\SysWOW64\Jhgkeald.dll Bnielm32.exe File opened for modification C:\Windows\SysWOW64\Gcheib32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ajqljc32.exe Process not Found File created C:\Windows\SysWOW64\Hjfdcidn.dll Process not Found File created C:\Windows\SysWOW64\Ndjdlffl.exe Npnhlg32.exe File created C:\Windows\SysWOW64\Ojfaijcc.exe Ofjfhk32.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Biicik32.exe File opened for modification C:\Windows\SysWOW64\Flhmfbim.exe Process not Found File created C:\Windows\SysWOW64\Jabponba.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hbiaemkk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cbpbgk32.exe Process not Found File created C:\Windows\SysWOW64\Kpkofpgq.exe Kahojc32.exe File opened for modification C:\Windows\SysWOW64\Dbfabp32.exe Dccagcgk.exe File created C:\Windows\SysWOW64\Jmogdj32.dll Qjnmlk32.exe File opened for modification C:\Windows\SysWOW64\Djiqdb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Edcnakpa.exe Process not Found File created C:\Windows\SysWOW64\Fkdqjn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nggipg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lbcnhjnj.exe Lliflp32.exe File opened for modification C:\Windows\SysWOW64\Iompkh32.exe Ipjoplgo.exe File opened for modification C:\Windows\SysWOW64\Llnaoh32.exe Process not Found File created C:\Windows\SysWOW64\Gbccnjjb.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dboeco32.exe Process not Found File created C:\Windows\SysWOW64\Dehdbhgg.dll Process not Found File created C:\Windows\SysWOW64\Pmbdhi32.dll Bdgafdfp.exe File created C:\Windows\SysWOW64\Cldooj32.exe Cjfccn32.exe File created C:\Windows\SysWOW64\Lokgcf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Process not Found File created C:\Windows\SysWOW64\Ppopja32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Beadgdli.exe Process not Found File created C:\Windows\SysWOW64\Gkkgcp32.dll Bdlblj32.exe File created C:\Windows\SysWOW64\Odlojanh.exe Onbgmg32.exe File created C:\Windows\SysWOW64\Mlpneh32.exe Process not Found File created C:\Windows\SysWOW64\Hlfplena.dll Process not Found File created C:\Windows\SysWOW64\Hahnac32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ghdiokbq.exe Process not Found File created C:\Windows\SysWOW64\Ihlnih32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jjomgo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gmpjagfa.exe Process not Found File created C:\Windows\SysWOW64\Ijehdl32.exe Process not Found File created C:\Windows\SysWOW64\Aehboi32.exe Abjebn32.exe File created C:\Windows\SysWOW64\Pddnnp32.exe Process not Found File created C:\Windows\SysWOW64\Golnjpio.dll Process not Found File created C:\Windows\SysWOW64\Bgaebe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oaigib32.exe Process not Found File created C:\Windows\SysWOW64\Mlmoilni.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 5896 5932 Process not Found 3329 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopknnaa.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Flabbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfclkmib.dll" Ekknjcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiacg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmdoioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfnoac.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djidckbd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffkcfke.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npccpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgkhnpd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlhkpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpebakpc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabfljee.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebpcpj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjcbn32.dll" Liplnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algdlcdm.dll" Gjakmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbmqhd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijikd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egglkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaooko32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dociji32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchhdfem.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oebblmoe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghmkjedk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkgnjmo.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2040 wrote to memory of 2968 2040 370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe 28 PID 2040 wrote to memory of 2968 2040 370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe 28 PID 2040 wrote to memory of 2968 2040 370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe 28 PID 2040 wrote to memory of 2968 2040 370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe 28 PID 2968 wrote to memory of 2648 2968 Llqcfe32.exe 29 PID 2968 wrote to memory of 2648 2968 Llqcfe32.exe 29 PID 2968 wrote to memory of 2648 2968 Llqcfe32.exe 29 PID 2968 wrote to memory of 2648 2968 Llqcfe32.exe 29 PID 2648 wrote to memory of 2504 2648 Mcjkcplm.exe 30 PID 2648 wrote to memory of 2504 2648 Mcjkcplm.exe 30 PID 2648 wrote to memory of 2504 2648 Mcjkcplm.exe 30 PID 2648 wrote to memory of 2504 2648 Mcjkcplm.exe 30 PID 2504 wrote to memory of 2548 2504 Meigpkka.exe 31 PID 2504 wrote to memory of 2548 2504 Meigpkka.exe 31 PID 2504 wrote to memory of 2548 2504 Meigpkka.exe 31 PID 2504 wrote to memory of 2548 2504 Meigpkka.exe 31 PID 2548 wrote to memory of 2372 2548 Midcpj32.exe 32 PID 2548 wrote to memory of 2372 2548 Midcpj32.exe 32 PID 2548 wrote to memory of 2372 2548 Midcpj32.exe 32 PID 2548 wrote to memory of 2372 2548 Midcpj32.exe 32 PID 2372 wrote to memory of 2888 2372 Mpolmdkg.exe 33 PID 2372 wrote to memory of 2888 2372 Mpolmdkg.exe 33 PID 2372 wrote to memory of 2888 2372 Mpolmdkg.exe 33 PID 2372 wrote to memory of 2888 2372 Mpolmdkg.exe 33 PID 2888 wrote to memory of 1944 2888 Moalhq32.exe 34 PID 2888 wrote to memory of 1944 2888 Moalhq32.exe 34 PID 2888 wrote to memory of 1944 2888 Moalhq32.exe 34 PID 2888 wrote to memory of 1944 2888 Moalhq32.exe 34 PID 1944 wrote to memory of 2788 1944 Mcmhiojk.exe 35 PID 1944 wrote to memory of 2788 1944 Mcmhiojk.exe 35 PID 1944 wrote to memory of 2788 1944 Mcmhiojk.exe 35 PID 1944 wrote to memory of 2788 1944 Mcmhiojk.exe 35 PID 2788 wrote to memory of 288 2788 Mekdekin.exe 36 PID 2788 wrote to memory of 288 2788 Mekdekin.exe 36 PID 2788 wrote to memory of 288 2788 Mekdekin.exe 36 PID 2788 wrote to memory of 288 2788 Mekdekin.exe 36 PID 288 wrote to memory of 2332 288 Mhjpaf32.exe 37 PID 288 wrote to memory of 2332 288 Mhjpaf32.exe 37 PID 288 wrote to memory of 2332 288 Mhjpaf32.exe 37 PID 288 wrote to memory of 2332 288 Mhjpaf32.exe 37 PID 2332 wrote to memory of 2256 2332 Mkhmma32.exe 38 PID 2332 wrote to memory of 2256 2332 Mkhmma32.exe 38 PID 2332 wrote to memory of 2256 2332 Mkhmma32.exe 38 PID 2332 wrote to memory of 2256 2332 Mkhmma32.exe 38 PID 2256 wrote to memory of 1512 2256 Mochnppo.exe 39 PID 2256 wrote to memory of 1512 2256 Mochnppo.exe 39 PID 2256 wrote to memory of 1512 2256 Mochnppo.exe 39 PID 2256 wrote to memory of 1512 2256 Mochnppo.exe 39 PID 1512 wrote to memory of 2776 1512 Mabejlob.exe 40 PID 1512 wrote to memory of 2776 1512 Mabejlob.exe 40 PID 1512 wrote to memory of 2776 1512 Mabejlob.exe 40 PID 1512 wrote to memory of 2776 1512 Mabejlob.exe 40 PID 2776 wrote to memory of 2884 2776 Menakj32.exe 41 PID 2776 wrote to memory of 2884 2776 Menakj32.exe 41 PID 2776 wrote to memory of 2884 2776 Menakj32.exe 41 PID 2776 wrote to memory of 2884 2776 Menakj32.exe 41 PID 2884 wrote to memory of 2356 2884 Mhlmgf32.exe 42 PID 2884 wrote to memory of 2356 2884 Mhlmgf32.exe 42 PID 2884 wrote to memory of 2356 2884 Mhlmgf32.exe 42 PID 2884 wrote to memory of 2356 2884 Mhlmgf32.exe 42 PID 2356 wrote to memory of 2828 2356 Mkjica32.exe 43 PID 2356 wrote to memory of 2828 2356 Mkjica32.exe 43 PID 2356 wrote to memory of 2828 2356 Mkjica32.exe 43 PID 2356 wrote to memory of 2828 2356 Mkjica32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\370cf113036895c06a8e88c81f0ea510_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe33⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe34⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe35⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe36⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe37⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe38⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe39⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe40⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe41⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe42⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe43⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe44⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe45⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe46⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe47⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe48⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe49⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe50⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe51⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe52⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe54⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe55⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe56⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe57⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe58⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe59⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe60⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe61⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe62⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe63⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe64⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe65⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe66⤵PID:3020
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe67⤵PID:2992
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe68⤵PID:2916
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe69⤵PID:2564
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe70⤵PID:1884
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe71⤵PID:2396
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe72⤵PID:1768
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe73⤵PID:2268
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe74⤵PID:1476
-
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe75⤵PID:2208
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe76⤵PID:472
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe77⤵PID:1764
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe78⤵PID:1688
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe79⤵PID:2496
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe80⤵PID:2212
-
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe81⤵PID:1860
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe82⤵PID:2792
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe83⤵PID:1900
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe84⤵PID:2588
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe85⤵PID:2328
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe86⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe87⤵PID:2292
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe88⤵PID:2188
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe89⤵PID:2100
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe90⤵PID:2672
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe91⤵PID:724
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe92⤵PID:2228
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe93⤵PID:1500
-
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe94⤵PID:1052
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe95⤵PID:2628
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe96⤵PID:2428
-
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe97⤵PID:1160
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe98⤵PID:2656
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe99⤵PID:2384
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe100⤵PID:2036
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe101⤵
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe102⤵PID:2460
-
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe103⤵PID:1940
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe104⤵PID:292
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe105⤵PID:1804
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe106⤵PID:2068
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe107⤵PID:2676
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe108⤵PID:920
-
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe109⤵PID:1920
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe110⤵PID:2480
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe111⤵PID:2156
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe112⤵PID:1484
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe113⤵PID:2448
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe114⤵PID:1376
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe115⤵PID:276
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe116⤵PID:1644
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe117⤵PID:1880
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe118⤵PID:2568
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe119⤵PID:2636
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe120⤵PID:812
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe121⤵PID:3000
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-