Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
17/06/2024, 02:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe
-
Size
78KB
-
MD5
3b333d87fb0ddda3161a424c088b08c0
-
SHA1
90f6bd5835750e6c5958ed0d5c4d542f98b9a093
-
SHA256
eb44127663e2334702348aaa6dab69039b887106c8efd8ec38097f6ffa102e44
-
SHA512
7cb3b03f6ba0483c9b3494865c9f2c74452a64ae4bf0c36be9803a44453af96b194062c923822e3b5de4ea4ccdec974817d92ec498a0a641d2627e2734bbc009
-
SSDEEP
1536:RCG5ZidXJDAIhhnUIvHvizgkIggsJVHcbns:RCVdXJDAIh2wOgogsDes
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niikceid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfnnha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achojp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnicmdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aemkjiem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdadnkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlljjjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadpgggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieqeidnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhaikn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcpofbjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngfflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geolea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncmfqkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoipopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfoqmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceodnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Begeknan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqqboncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aecaidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpgio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gffoldhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocalkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llfifq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjldghjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnfbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmgbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apajlhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckccgane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcokkak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acmhepko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhodf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbngf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2244 Oqqapjnk.exe 1388 Ojieip32.exe 2860 Oenifh32.exe 1704 Ongnonkb.exe 2600 Pphjgfqq.exe 2584 Pgobhcac.exe 1824 Pipopl32.exe 2752 Pcfcmd32.exe 2304 Pfdpip32.exe 1384 Pmnhfjmg.exe 1180 Plahag32.exe 2748 Peiljl32.exe 1676 Ppoqge32.exe 2132 Pfiidobe.exe 1604 Plfamfpm.exe 560 Qlhnbf32.exe 1428 Qnfjna32.exe 1544 Qdccfh32.exe 1212 Qljkhe32.exe 1292 Qecoqk32.exe 748 Ahakmf32.exe 1936 Ankdiqih.exe 1224 Aajpelhl.exe 336 Aplpai32.exe 2272 Aiedjneg.exe 2680 Aalmklfi.exe 2724 Adjigg32.exe 2688 Aigaon32.exe 2792 Apajlhka.exe 2604 Admemg32.exe 2648 Aenbdoii.exe 2948 Apcfahio.exe 2424 Afmonbqk.exe 2020 Ailkjmpo.exe 812 Bpfcgg32.exe 2352 Bokphdld.exe 756 Bdhhqk32.exe 2124 Bommnc32.exe 2756 Balijo32.exe 2212 Begeknan.exe 576 Bhfagipa.exe 1492 Bkdmcdoe.exe 2024 Bopicc32.exe 848 Bpafkknm.exe 1628 Bdlblj32.exe 1808 Bgknheej.exe 1916 Bkfjhd32.exe 1708 Bnefdp32.exe 3028 Baqbenep.exe 2844 Bdooajdc.exe 2812 Cgmkmecg.exe 2596 Ckignd32.exe 2628 Cngcjo32.exe 1576 Cljcelan.exe 2440 Cpeofk32.exe 2520 Ccdlbf32.exe 664 Cgpgce32.exe 2772 Cjndop32.exe 2612 Cllpkl32.exe 2056 Coklgg32.exe 3008 Ccfhhffh.exe 380 Cjpqdp32.exe 484 Chcqpmep.exe 2360 Clomqk32.exe -
Loads dropped DLL 64 IoCs
pid Process 3040 3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe 3040 3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe 2244 Oqqapjnk.exe 2244 Oqqapjnk.exe 1388 Ojieip32.exe 1388 Ojieip32.exe 2860 Oenifh32.exe 2860 Oenifh32.exe 1704 Ongnonkb.exe 1704 Ongnonkb.exe 2600 Pphjgfqq.exe 2600 Pphjgfqq.exe 2584 Pgobhcac.exe 2584 Pgobhcac.exe 1824 Pipopl32.exe 1824 Pipopl32.exe 2752 Pcfcmd32.exe 2752 Pcfcmd32.exe 2304 Pfdpip32.exe 2304 Pfdpip32.exe 1384 Pmnhfjmg.exe 1384 Pmnhfjmg.exe 1180 Plahag32.exe 1180 Plahag32.exe 2748 Peiljl32.exe 2748 Peiljl32.exe 1676 Ppoqge32.exe 1676 Ppoqge32.exe 2132 Pfiidobe.exe 2132 Pfiidobe.exe 1604 Plfamfpm.exe 1604 Plfamfpm.exe 560 Qlhnbf32.exe 560 Qlhnbf32.exe 1428 Qnfjna32.exe 1428 Qnfjna32.exe 1544 Qdccfh32.exe 1544 Qdccfh32.exe 1212 Qljkhe32.exe 1212 Qljkhe32.exe 1292 Qecoqk32.exe 1292 Qecoqk32.exe 748 Ahakmf32.exe 748 Ahakmf32.exe 1936 Ankdiqih.exe 1936 Ankdiqih.exe 1224 Aajpelhl.exe 1224 Aajpelhl.exe 336 Aplpai32.exe 336 Aplpai32.exe 2272 Aiedjneg.exe 2272 Aiedjneg.exe 2680 Aalmklfi.exe 2680 Aalmklfi.exe 2724 Adjigg32.exe 2724 Adjigg32.exe 2688 Aigaon32.exe 2688 Aigaon32.exe 2792 Apajlhka.exe 2792 Apajlhka.exe 2604 Admemg32.exe 2604 Admemg32.exe 2648 Aenbdoii.exe 2648 Aenbdoii.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bohnbn32.dll Knmhgf32.exe File created C:\Windows\SysWOW64\Mbmjah32.exe Mponel32.exe File created C:\Windows\SysWOW64\Oomjlk32.exe Okanklik.exe File opened for modification C:\Windows\SysWOW64\Aalmklfi.exe Aiedjneg.exe File created C:\Windows\SysWOW64\Blnhfb32.dll Gaqcoc32.exe File created C:\Windows\SysWOW64\Dbnkge32.dll Gmgdddmq.exe File opened for modification C:\Windows\SysWOW64\Jjlnif32.exe Jgnamk32.exe File created C:\Windows\SysWOW64\Kfbcbd32.exe Kbfhbeek.exe File created C:\Windows\SysWOW64\Amcpie32.exe Aigchgkh.exe File opened for modification C:\Windows\SysWOW64\Bobhal32.exe Bfkpqn32.exe File created C:\Windows\SysWOW64\Mgalqkbk.exe Mdcpdp32.exe File created C:\Windows\SysWOW64\Bnielm32.exe Blkioa32.exe File created C:\Windows\SysWOW64\Iqalka32.exe Incpoe32.exe File created C:\Windows\SysWOW64\Pmbdhi32.dll Bpleef32.exe File created C:\Windows\SysWOW64\Qbpbjelg.dll Gpejeihi.exe File created C:\Windows\SysWOW64\Lnhplkhl.dll Ipllekdl.exe File opened for modification C:\Windows\SysWOW64\Kegqdqbl.exe Kaldcb32.exe File created C:\Windows\SysWOW64\Bobhal32.exe Bfkpqn32.exe File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe Icbimi32.exe File created C:\Windows\SysWOW64\Bbjbaa32.exe Bpleef32.exe File created C:\Windows\SysWOW64\Dljnnb32.dll Idcokkak.exe File opened for modification C:\Windows\SysWOW64\Ljmlbfhi.exe Lbfdaigg.exe File created C:\Windows\SysWOW64\Biafnecn.exe Bbgnak32.exe File opened for modification C:\Windows\SysWOW64\Gifhnpea.exe Gjdhbc32.exe File created C:\Windows\SysWOW64\Gpqpjj32.exe Gifhnpea.exe File created C:\Windows\SysWOW64\Hbcicn32.dll Aecaidjl.exe File created C:\Windows\SysWOW64\Ahakmf32.exe Qecoqk32.exe File opened for modification C:\Windows\SysWOW64\Ffkcbgek.exe Fejgko32.exe File created C:\Windows\SysWOW64\Kfbkmk32.exe Kcdnao32.exe File created C:\Windows\SysWOW64\Lahkigca.exe Lojomkdn.exe File opened for modification C:\Windows\SysWOW64\Qjjgclai.exe Qcpofbjl.exe File opened for modification C:\Windows\SysWOW64\Pjldghjm.exe Ogmhkmki.exe File created C:\Windows\SysWOW64\Iggkllpe.exe Ihdkao32.exe File opened for modification C:\Windows\SysWOW64\Lflmci32.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Hejodhmc.dll Olpdjf32.exe File created C:\Windows\SysWOW64\Lfpclh32.exe Lcagpl32.exe File created C:\Windows\SysWOW64\Oappcfmb.exe Onecbg32.exe File created C:\Windows\SysWOW64\Aonghnnp.dll Namqci32.exe File created C:\Windows\SysWOW64\Abkphdmd.dll Edkcojga.exe File opened for modification C:\Windows\SysWOW64\Aganeoip.exe Aecaidjl.exe File created C:\Windows\SysWOW64\Mdpjlajk.exe Mlibjc32.exe File created C:\Windows\SysWOW64\Aaaoij32.exe Anccmo32.exe File created C:\Windows\SysWOW64\Fncdgcqm.exe Flehkhai.exe File created C:\Windows\SysWOW64\Ikeogmlj.dll Bhfagipa.exe File created C:\Windows\SysWOW64\Accikb32.dll Bdooajdc.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gbkgnfbd.exe File created C:\Windows\SysWOW64\Lnjmhe32.dll Ijeghgoh.exe File created C:\Windows\SysWOW64\Abqjpn32.dll Jcgogk32.exe File opened for modification C:\Windows\SysWOW64\Ocfigjlp.exe Okoafmkm.exe File opened for modification C:\Windows\SysWOW64\Kfbcbd32.exe Kbfhbeek.exe File created C:\Windows\SysWOW64\Bnefdp32.exe Bkfjhd32.exe File created C:\Windows\SysWOW64\Fbgkoe32.dll Bdbhke32.exe File created C:\Windows\SysWOW64\Hdjlnm32.dll Chbjffad.exe File created C:\Windows\SysWOW64\Hgjefg32.exe Hdlhjl32.exe File opened for modification C:\Windows\SysWOW64\Igchlf32.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Lcfqkl32.exe Llohjo32.exe File created C:\Windows\SysWOW64\Oqcpob32.exe Oappcfmb.exe File created C:\Windows\SysWOW64\Jgafgmqa.dll Pmojocel.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cjndop32.exe File created C:\Windows\SysWOW64\Jjlnif32.exe Jgnamk32.exe File opened for modification C:\Windows\SysWOW64\Nkeelohh.exe Nhfipcid.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cdgneh32.exe File created C:\Windows\SysWOW64\Hpefdl32.exe Habfipdj.exe File opened for modification C:\Windows\SysWOW64\Npccpo32.exe Nhllob32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9004 8984 WerFault.exe 890 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjndgdk.dll" Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkcdafqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll" Mlaeonld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" Hdhbam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nondgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcdipnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accikb32.dll" Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Behgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjbmjplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggeiabkc.dll" Gpqpjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmclhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkdmcdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdogl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiihdlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll" Ogkkfmml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiabof32.dll" Cgmkmecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlmlecec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejobhppq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdhmlbj.dll" Elmigj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcebp32.dll" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijfoo32.dll" Pkpagq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmjqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aganeoip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padajbnl.dll" Kohkfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbkoipg.dll" Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pkndaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abhimnma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghhofmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knjbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll" Aigchgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aplpai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll" Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" Apdhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll" Cpeofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncfoa32.dll" Glgaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbhke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gedbdlbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bleago32.dll" Iggkllpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll" Mlhkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" Baadng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmclhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhfagipa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3040 wrote to memory of 2244 3040 3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe 28 PID 3040 wrote to memory of 2244 3040 3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe 28 PID 3040 wrote to memory of 2244 3040 3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe 28 PID 3040 wrote to memory of 2244 3040 3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe 28 PID 2244 wrote to memory of 1388 2244 Oqqapjnk.exe 29 PID 2244 wrote to memory of 1388 2244 Oqqapjnk.exe 29 PID 2244 wrote to memory of 1388 2244 Oqqapjnk.exe 29 PID 2244 wrote to memory of 1388 2244 Oqqapjnk.exe 29 PID 1388 wrote to memory of 2860 1388 Ojieip32.exe 30 PID 1388 wrote to memory of 2860 1388 Ojieip32.exe 30 PID 1388 wrote to memory of 2860 1388 Ojieip32.exe 30 PID 1388 wrote to memory of 2860 1388 Ojieip32.exe 30 PID 2860 wrote to memory of 1704 2860 Oenifh32.exe 31 PID 2860 wrote to memory of 1704 2860 Oenifh32.exe 31 PID 2860 wrote to memory of 1704 2860 Oenifh32.exe 31 PID 2860 wrote to memory of 1704 2860 Oenifh32.exe 31 PID 1704 wrote to memory of 2600 1704 Ongnonkb.exe 32 PID 1704 wrote to memory of 2600 1704 Ongnonkb.exe 32 PID 1704 wrote to memory of 2600 1704 Ongnonkb.exe 32 PID 1704 wrote to memory of 2600 1704 Ongnonkb.exe 32 PID 2600 wrote to memory of 2584 2600 Pphjgfqq.exe 33 PID 2600 wrote to memory of 2584 2600 Pphjgfqq.exe 33 PID 2600 wrote to memory of 2584 2600 Pphjgfqq.exe 33 PID 2600 wrote to memory of 2584 2600 Pphjgfqq.exe 33 PID 2584 wrote to memory of 1824 2584 Pgobhcac.exe 34 PID 2584 wrote to memory of 1824 2584 Pgobhcac.exe 34 PID 2584 wrote to memory of 1824 2584 Pgobhcac.exe 34 PID 2584 wrote to memory of 1824 2584 Pgobhcac.exe 34 PID 1824 wrote to memory of 2752 1824 Pipopl32.exe 35 PID 1824 wrote to memory of 2752 1824 Pipopl32.exe 35 PID 1824 wrote to memory of 2752 1824 Pipopl32.exe 35 PID 1824 wrote to memory of 2752 1824 Pipopl32.exe 35 PID 2752 wrote to memory of 2304 2752 Pcfcmd32.exe 36 PID 2752 wrote to memory of 2304 2752 Pcfcmd32.exe 36 PID 2752 wrote to memory of 2304 2752 Pcfcmd32.exe 36 PID 2752 wrote to memory of 2304 2752 Pcfcmd32.exe 36 PID 2304 wrote to memory of 1384 2304 Pfdpip32.exe 37 PID 2304 wrote to memory of 1384 2304 Pfdpip32.exe 37 PID 2304 wrote to memory of 1384 2304 Pfdpip32.exe 37 PID 2304 wrote to memory of 1384 2304 Pfdpip32.exe 37 PID 1384 wrote to memory of 1180 1384 Pmnhfjmg.exe 38 PID 1384 wrote to memory of 1180 1384 Pmnhfjmg.exe 38 PID 1384 wrote to memory of 1180 1384 Pmnhfjmg.exe 38 PID 1384 wrote to memory of 1180 1384 Pmnhfjmg.exe 38 PID 1180 wrote to memory of 2748 1180 Plahag32.exe 39 PID 1180 wrote to memory of 2748 1180 Plahag32.exe 39 PID 1180 wrote to memory of 2748 1180 Plahag32.exe 39 PID 1180 wrote to memory of 2748 1180 Plahag32.exe 39 PID 2748 wrote to memory of 1676 2748 Peiljl32.exe 40 PID 2748 wrote to memory of 1676 2748 Peiljl32.exe 40 PID 2748 wrote to memory of 1676 2748 Peiljl32.exe 40 PID 2748 wrote to memory of 1676 2748 Peiljl32.exe 40 PID 1676 wrote to memory of 2132 1676 Ppoqge32.exe 41 PID 1676 wrote to memory of 2132 1676 Ppoqge32.exe 41 PID 1676 wrote to memory of 2132 1676 Ppoqge32.exe 41 PID 1676 wrote to memory of 2132 1676 Ppoqge32.exe 41 PID 2132 wrote to memory of 1604 2132 Pfiidobe.exe 42 PID 2132 wrote to memory of 1604 2132 Pfiidobe.exe 42 PID 2132 wrote to memory of 1604 2132 Pfiidobe.exe 42 PID 2132 wrote to memory of 1604 2132 Pfiidobe.exe 42 PID 1604 wrote to memory of 560 1604 Plfamfpm.exe 43 PID 1604 wrote to memory of 560 1604 Plfamfpm.exe 43 PID 1604 wrote to memory of 560 1604 Plfamfpm.exe 43 PID 1604 wrote to memory of 560 1604 Plfamfpm.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3b333d87fb0ddda3161a424c088b08c0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe33⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe34⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe35⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe36⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe37⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe38⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe39⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe40⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe44⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe45⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe46⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe47⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe49⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe50⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe53⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe54⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe55⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe57⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe58⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe60⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe61⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe62⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe63⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe64⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe65⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe66⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe67⤵PID:1876
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe68⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe69⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe70⤵PID:1968
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe71⤵PID:892
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe72⤵PID:2332
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe73⤵PID:2736
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe74⤵PID:2636
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe75⤵PID:2904
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe76⤵PID:2764
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe77⤵PID:1900
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe78⤵PID:2908
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe79⤵PID:944
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe80⤵PID:2152
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe81⤵PID:2552
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe82⤵PID:536
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe83⤵PID:1640
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe84⤵PID:2544
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe85⤵PID:1268
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe86⤵PID:1944
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe87⤵PID:2200
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1664 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe89⤵PID:2840
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe90⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe91⤵PID:2572
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe92⤵PID:2624
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe94⤵PID:1952
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe95⤵PID:1740
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe96⤵PID:2916
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe97⤵PID:2504
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe98⤵PID:1868
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe99⤵PID:1116
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe100⤵PID:580
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe101⤵PID:1156
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe102⤵PID:1960
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe103⤵PID:2292
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe104⤵PID:1752
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe105⤵PID:2696
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe106⤵PID:2932
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe107⤵PID:3068
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe108⤵PID:2956
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe110⤵PID:2856
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe111⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe112⤵PID:3012
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe113⤵PID:1636
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe114⤵PID:2128
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe115⤵PID:1364
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe116⤵PID:1348
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe117⤵PID:1592
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe118⤵PID:2820
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe119⤵PID:2168
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe120⤵PID:952
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe121⤵PID:2064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-