Analysis
-
max time kernel
146s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
17/06/2024, 04:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4837f62f773751f282f069802550f370_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
4837f62f773751f282f069802550f370_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
4837f62f773751f282f069802550f370_NeikiAnalytics.exe
-
Size
207KB
-
MD5
4837f62f773751f282f069802550f370
-
SHA1
e0b5a7d897f9777f07a4f707f015e04eb1570590
-
SHA256
8b1223c4eabde17c21e23c8db5435da8838087f610023114fa2e003e743ea9bc
-
SHA512
6756125f7a3778ad6d055574844b940aff7d29a7c39fa985cacb1019ce5c47fe074fd17e041c20e5ff7857cf5263a0a22be51fe9322587b0f37a3466a6996d76
-
SSDEEP
3072:zWIVSAMAa5+Kk0lhVjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:zFdMX5+4hVjj+VPj92d62ASOwj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inngcfid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfqahgpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndkmpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnqem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkppbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keanebkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckdanld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombapedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogfpbeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imfqjbli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obcccl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cghggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppjglfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdmmgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehmdhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnefdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbdqmghm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieqeidnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cojema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqfffqpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emeopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmlecec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njlockkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdgneh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpeekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkkalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaceodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djpmccqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facdeo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2980 Mlgigdoh.exe 2632 Mhnjle32.exe 2636 Mpjoqhah.exe 2768 Mkobnqan.exe 2656 Ncjgbcoi.exe 2556 Nnplpl32.exe 2932 Nfkpdn32.exe 2480 Nqqdag32.exe 1528 Nqcagfim.exe 756 Oojknblb.exe 1440 Ogfpbeim.exe 2044 Onphoo32.exe 1700 Obnqem32.exe 2796 Oelmai32.exe 768 Okfencna.exe 1392 Pminkk32.exe 1152 Pgobhcac.exe 860 Pjmodopf.exe 2452 Ppjglfon.exe 564 Pbiciana.exe 924 Pjpkjond.exe 896 Pbkpna32.exe 2852 Peiljl32.exe 1960 Ppoqge32.exe 2876 Ppamme32.exe 2132 Pbpjiphi.exe 1908 Qbbfopeg.exe 2348 Qaefjm32.exe 2696 Qjmkcbcb.exe 2644 Qnigda32.exe 2520 Afdlhchf.exe 2628 Ajphib32.exe 2612 Aplpai32.exe 2384 Ampqjm32.exe 1504 Adjigg32.exe 2820 Abmibdlh.exe 752 Ambmpmln.exe 608 Admemg32.exe 1664 Afkbib32.exe 2340 Aoffmd32.exe 2212 Abbbnchb.exe 2004 Bagpopmj.exe 2220 Bebkpn32.exe 892 Bkodhe32.exe 600 Bbflib32.exe 1744 Bdhhqk32.exe 1856 Bhcdaibd.exe 1256 Bommnc32.exe 760 Bnpmipql.exe 544 Bdjefj32.exe 2408 Bhfagipa.exe 1796 Bopicc32.exe 884 Bnbjopoi.exe 1512 Bdlblj32.exe 2160 Bhhnli32.exe 3060 Bnefdp32.exe 2848 Bpcbqk32.exe 2840 Cgmkmecg.exe 2412 Cjlgiqbk.exe 2968 Cpeofk32.exe 2468 Ccdlbf32.exe 1864 Cnippoha.exe 268 Cphlljge.exe 1844 Cgbdhd32.exe -
Loads dropped DLL 64 IoCs
pid Process 1868 4837f62f773751f282f069802550f370_NeikiAnalytics.exe 1868 4837f62f773751f282f069802550f370_NeikiAnalytics.exe 2980 Mlgigdoh.exe 2980 Mlgigdoh.exe 2632 Mhnjle32.exe 2632 Mhnjle32.exe 2636 Mpjoqhah.exe 2636 Mpjoqhah.exe 2768 Mkobnqan.exe 2768 Mkobnqan.exe 2656 Ncjgbcoi.exe 2656 Ncjgbcoi.exe 2556 Nnplpl32.exe 2556 Nnplpl32.exe 2932 Nfkpdn32.exe 2932 Nfkpdn32.exe 2480 Nqqdag32.exe 2480 Nqqdag32.exe 1528 Nqcagfim.exe 1528 Nqcagfim.exe 756 Oojknblb.exe 756 Oojknblb.exe 1440 Ogfpbeim.exe 1440 Ogfpbeim.exe 2044 Onphoo32.exe 2044 Onphoo32.exe 1700 Obnqem32.exe 1700 Obnqem32.exe 2796 Oelmai32.exe 2796 Oelmai32.exe 768 Okfencna.exe 768 Okfencna.exe 1392 Pminkk32.exe 1392 Pminkk32.exe 1152 Pgobhcac.exe 1152 Pgobhcac.exe 860 Pjmodopf.exe 860 Pjmodopf.exe 2452 Ppjglfon.exe 2452 Ppjglfon.exe 564 Pbiciana.exe 564 Pbiciana.exe 924 Pjpkjond.exe 924 Pjpkjond.exe 896 Pbkpna32.exe 896 Pbkpna32.exe 2852 Peiljl32.exe 2852 Peiljl32.exe 1960 Ppoqge32.exe 1960 Ppoqge32.exe 2876 Ppamme32.exe 2876 Ppamme32.exe 2132 Pbpjiphi.exe 2132 Pbpjiphi.exe 1908 Qbbfopeg.exe 1908 Qbbfopeg.exe 2348 Qaefjm32.exe 2348 Qaefjm32.exe 2696 Qjmkcbcb.exe 2696 Qjmkcbcb.exe 2644 Qnigda32.exe 2644 Qnigda32.exe 2520 Afdlhchf.exe 2520 Afdlhchf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qmhccl32.dll Behnnm32.exe File created C:\Windows\SysWOW64\Ngogde32.dll Nhdlkdkg.exe File opened for modification C:\Windows\SysWOW64\Dgmglh32.exe Ddokpmfo.exe File opened for modification C:\Windows\SysWOW64\Ekklaj32.exe Eilpeooq.exe File created C:\Windows\SysWOW64\Gfoihbdp.dll Fiaeoang.exe File opened for modification C:\Windows\SysWOW64\Ikpjgkjq.exe Ihankokm.exe File created C:\Windows\SysWOW64\Qjdijm32.dll Jfekcg32.exe File opened for modification C:\Windows\SysWOW64\Keanebkb.exe Kmjfdejp.exe File created C:\Windows\SysWOW64\Kifpdelo.exe Kfgdhjmk.exe File created C:\Windows\SysWOW64\Fpkeqmgm.dll Pdaoog32.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pjenhm32.exe File created C:\Windows\SysWOW64\Jkkilgnq.dll Mhnjle32.exe File created C:\Windows\SysWOW64\Jkpgfn32.exe Jiakjb32.exe File created C:\Windows\SysWOW64\Goedqe32.dll Leajdfnm.exe File opened for modification C:\Windows\SysWOW64\Oqideepg.exe Onjgiiad.exe File created C:\Windows\SysWOW64\Inlepd32.dll Olpdjf32.exe File created C:\Windows\SysWOW64\Ckgkkllh.dll Dhbfdjdp.exe File created C:\Windows\SysWOW64\Mqeihfll.dll Nqqdag32.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hiekid32.exe File opened for modification C:\Windows\SysWOW64\Mlibjc32.exe Mijfnh32.exe File opened for modification C:\Windows\SysWOW64\Ombapedi.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Djklnnaj.exe Dcadac32.exe File opened for modification C:\Windows\SysWOW64\Mcegmm32.exe Mlkopcge.exe File created C:\Windows\SysWOW64\Jifnmmhq.dll Alpmfdcb.exe File created C:\Windows\SysWOW64\Bdeeqehb.exe Bafidiio.exe File opened for modification C:\Windows\SysWOW64\Coelaaoi.exe Blgpef32.exe File opened for modification C:\Windows\SysWOW64\Ebodiofk.exe Ekelld32.exe File opened for modification C:\Windows\SysWOW64\Dbkknojp.exe Dkqbaecc.exe File created C:\Windows\SysWOW64\Fjilieka.exe Ffnphf32.exe File created C:\Windows\SysWOW64\Cabknqko.dll Hpmgqnfl.exe File created C:\Windows\SysWOW64\Gemaaoaf.dll Kjljhjkl.exe File opened for modification C:\Windows\SysWOW64\Onjgiiad.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Ombapedi.exe Ojcecjee.exe File created C:\Windows\SysWOW64\Bkddcl32.dll Pedleg32.exe File created C:\Windows\SysWOW64\Ohhkga32.dll Pnlqnl32.exe File created C:\Windows\SysWOW64\Alegac32.exe Aekodi32.exe File created C:\Windows\SysWOW64\Jadhjcfk.dll Ppoqge32.exe File created C:\Windows\SysWOW64\Bagpopmj.exe Abbbnchb.exe File opened for modification C:\Windows\SysWOW64\Gonnhhln.exe Gpknlk32.exe File created C:\Windows\SysWOW64\Hicodd32.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Jbnhng32.exe Jnclnihj.exe File created C:\Windows\SysWOW64\Meagci32.exe Mgnfhlin.exe File created C:\Windows\SysWOW64\Eeoffcnl.dll Pmdjdh32.exe File created C:\Windows\SysWOW64\Dfdjhndl.exe Dcenlceh.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Ebmgcohn.exe File created C:\Windows\SysWOW64\Fnnajckm.dll Okfencna.exe File created C:\Windows\SysWOW64\Ambcae32.dll Eloemi32.exe File created C:\Windows\SysWOW64\Iaeldika.dll Fjgoce32.exe File created C:\Windows\SysWOW64\Baoohhdn.dll Kgnnln32.exe File created C:\Windows\SysWOW64\Delpclld.dll Mijfnh32.exe File created C:\Windows\SysWOW64\Ndbcpd32.exe Nnhkcj32.exe File opened for modification C:\Windows\SysWOW64\Pgioaa32.exe Ppbfpd32.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Ddokpmfo.exe File created C:\Windows\SysWOW64\Ooghhh32.dll Gdopkn32.exe File opened for modification C:\Windows\SysWOW64\Mlkopcge.exe Mmhodf32.exe File opened for modification C:\Windows\SysWOW64\Qfokbnip.exe Qpecfc32.exe File created C:\Windows\SysWOW64\Keefji32.dll Bmpfojmp.exe File created C:\Windows\SysWOW64\Dnoillim.dll Efncicpm.exe File created C:\Windows\SysWOW64\Maphhihi.dll Eilpeooq.exe File created C:\Windows\SysWOW64\Qdcbfq32.dll Faokjpfd.exe File created C:\Windows\SysWOW64\Phofkg32.dll Hpkjko32.exe File opened for modification C:\Windows\SysWOW64\Kfgdhjmk.exe Kcihlong.exe File created C:\Windows\SysWOW64\Necfoajd.dll Oopnlacm.exe File created C:\Windows\SysWOW64\Aelcmdee.dll Qfahhm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4752 5032 WerFault.exe 476 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgoboqcm.dll" Oklkmnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aehboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keefji32.dll" Bmpfojmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djhphncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdjefj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlphhec.dll" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfcnngnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Monhhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpmgqnfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oonafa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obafnlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndpaod32.dll" Jmhmpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pedleg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfahhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmndnn32.dll" Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhmenjp.dll" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" Qimhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdidec32.dll" Cojema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gangic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmcaafi.dll" Mgnfhlin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilgb32.dll" Pjenhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cohigamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjlgiqbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfcnngnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolcnd32.dll" Idhopq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igihbknb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcinmgng.dll" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdkcckg.dll" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 4837f62f773751f282f069802550f370_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobnme32.dll" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhfdmdo.dll" Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekkdc32.dll" Blgpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll" Cldooj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmkcoqd.dll" Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iakdqgfi.dll" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdgnh32.dll" Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngnbgplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oklkmnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll" Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Medfkpfc.dll" Pgobhcac.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1868 wrote to memory of 2980 1868 4837f62f773751f282f069802550f370_NeikiAnalytics.exe 28 PID 1868 wrote to memory of 2980 1868 4837f62f773751f282f069802550f370_NeikiAnalytics.exe 28 PID 1868 wrote to memory of 2980 1868 4837f62f773751f282f069802550f370_NeikiAnalytics.exe 28 PID 1868 wrote to memory of 2980 1868 4837f62f773751f282f069802550f370_NeikiAnalytics.exe 28 PID 2980 wrote to memory of 2632 2980 Mlgigdoh.exe 29 PID 2980 wrote to memory of 2632 2980 Mlgigdoh.exe 29 PID 2980 wrote to memory of 2632 2980 Mlgigdoh.exe 29 PID 2980 wrote to memory of 2632 2980 Mlgigdoh.exe 29 PID 2632 wrote to memory of 2636 2632 Mhnjle32.exe 30 PID 2632 wrote to memory of 2636 2632 Mhnjle32.exe 30 PID 2632 wrote to memory of 2636 2632 Mhnjle32.exe 30 PID 2632 wrote to memory of 2636 2632 Mhnjle32.exe 30 PID 2636 wrote to memory of 2768 2636 Mpjoqhah.exe 31 PID 2636 wrote to memory of 2768 2636 Mpjoqhah.exe 31 PID 2636 wrote to memory of 2768 2636 Mpjoqhah.exe 31 PID 2636 wrote to memory of 2768 2636 Mpjoqhah.exe 31 PID 2768 wrote to memory of 2656 2768 Mkobnqan.exe 32 PID 2768 wrote to memory of 2656 2768 Mkobnqan.exe 32 PID 2768 wrote to memory of 2656 2768 Mkobnqan.exe 32 PID 2768 wrote to memory of 2656 2768 Mkobnqan.exe 32 PID 2656 wrote to memory of 2556 2656 Ncjgbcoi.exe 33 PID 2656 wrote to memory of 2556 2656 Ncjgbcoi.exe 33 PID 2656 wrote to memory of 2556 2656 Ncjgbcoi.exe 33 PID 2656 wrote to memory of 2556 2656 Ncjgbcoi.exe 33 PID 2556 wrote to memory of 2932 2556 Nnplpl32.exe 34 PID 2556 wrote to memory of 2932 2556 Nnplpl32.exe 34 PID 2556 wrote to memory of 2932 2556 Nnplpl32.exe 34 PID 2556 wrote to memory of 2932 2556 Nnplpl32.exe 34 PID 2932 wrote to memory of 2480 2932 Nfkpdn32.exe 35 PID 2932 wrote to memory of 2480 2932 Nfkpdn32.exe 35 PID 2932 wrote to memory of 2480 2932 Nfkpdn32.exe 35 PID 2932 wrote to memory of 2480 2932 Nfkpdn32.exe 35 PID 2480 wrote to memory of 1528 2480 Nqqdag32.exe 36 PID 2480 wrote to memory of 1528 2480 Nqqdag32.exe 36 PID 2480 wrote to memory of 1528 2480 Nqqdag32.exe 36 PID 2480 wrote to memory of 1528 2480 Nqqdag32.exe 36 PID 1528 wrote to memory of 756 1528 Nqcagfim.exe 37 PID 1528 wrote to memory of 756 1528 Nqcagfim.exe 37 PID 1528 wrote to memory of 756 1528 Nqcagfim.exe 37 PID 1528 wrote to memory of 756 1528 Nqcagfim.exe 37 PID 756 wrote to memory of 1440 756 Oojknblb.exe 38 PID 756 wrote to memory of 1440 756 Oojknblb.exe 38 PID 756 wrote to memory of 1440 756 Oojknblb.exe 38 PID 756 wrote to memory of 1440 756 Oojknblb.exe 38 PID 1440 wrote to memory of 2044 1440 Ogfpbeim.exe 39 PID 1440 wrote to memory of 2044 1440 Ogfpbeim.exe 39 PID 1440 wrote to memory of 2044 1440 Ogfpbeim.exe 39 PID 1440 wrote to memory of 2044 1440 Ogfpbeim.exe 39 PID 2044 wrote to memory of 1700 2044 Onphoo32.exe 40 PID 2044 wrote to memory of 1700 2044 Onphoo32.exe 40 PID 2044 wrote to memory of 1700 2044 Onphoo32.exe 40 PID 2044 wrote to memory of 1700 2044 Onphoo32.exe 40 PID 1700 wrote to memory of 2796 1700 Obnqem32.exe 41 PID 1700 wrote to memory of 2796 1700 Obnqem32.exe 41 PID 1700 wrote to memory of 2796 1700 Obnqem32.exe 41 PID 1700 wrote to memory of 2796 1700 Obnqem32.exe 41 PID 2796 wrote to memory of 768 2796 Oelmai32.exe 42 PID 2796 wrote to memory of 768 2796 Oelmai32.exe 42 PID 2796 wrote to memory of 768 2796 Oelmai32.exe 42 PID 2796 wrote to memory of 768 2796 Oelmai32.exe 42 PID 768 wrote to memory of 1392 768 Okfencna.exe 43 PID 768 wrote to memory of 1392 768 Okfencna.exe 43 PID 768 wrote to memory of 1392 768 Okfencna.exe 43 PID 768 wrote to memory of 1392 768 Okfencna.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\4837f62f773751f282f069802550f370_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4837f62f773751f282f069802550f370_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe33⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe34⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe35⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe36⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe37⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe38⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe39⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe40⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe41⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe43⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe44⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe45⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe46⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe47⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe48⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe49⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe50⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe52⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe53⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe54⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe55⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe56⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe58⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe61⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe62⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe63⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe64⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe65⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe66⤵PID:620
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe67⤵PID:2216
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe68⤵PID:1028
-
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe69⤵PID:1296
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe70⤵PID:1176
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe71⤵PID:3064
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe72⤵PID:792
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe73⤵PID:2180
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe74⤵PID:1556
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe75⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe77⤵PID:2748
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe78⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe79⤵PID:2536
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe80⤵PID:2544
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe81⤵PID:2824
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe82⤵PID:1476
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1004 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe84⤵PID:1916
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe85⤵PID:1780
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe87⤵PID:3044
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe88⤵PID:1900
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe89⤵PID:2128
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe90⤵PID:296
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe91⤵PID:1420
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe92⤵PID:1520
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe93⤵PID:2304
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe94⤵PID:2732
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe96⤵
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe97⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe98⤵PID:1352
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe99⤵PID:1348
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe100⤵PID:988
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe101⤵PID:1364
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe102⤵PID:2252
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe103⤵PID:1724
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe104⤵PID:536
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:320 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe106⤵
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe107⤵PID:1532
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe108⤵PID:1576
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe109⤵
- Modifies registry class
PID:984 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe110⤵PID:2576
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe111⤵PID:2352
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe112⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe113⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe114⤵PID:2640
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe115⤵PID:1500
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe116⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe117⤵PID:3024
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2492 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe119⤵PID:2676
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe120⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe121⤵PID:1872
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-