Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 07:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe
-
Size
89KB
-
MD5
b51bca585ea0000c0801ea7d7aec8ff0
-
SHA1
a1af069ad867a930e505e825def2f9d42865294f
-
SHA256
812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05
-
SHA512
d25d56c856fa32a94e0d6120e00b248d666bdc74d44d196a3d372f5b4a8a353b4affd1b3b0bca1b68b7d720759ad16a478eee3593e2b716211cee65bcddc4dbd
-
SSDEEP
1536:KqPLcXi0I/18iTqZu8dcEgYMVW6ci7pSJYzTkiycBlExkg8Fk:9PN0O8C4u0NJVC0JYzTIcBlakgwk
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qnfjna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glbqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhpiojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjfah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joaeeklp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jiakjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhbeek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmkfifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjbmelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogfpbeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjqnjkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bigimdjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebgacddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkmkacq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cinfhigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abphal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akeijlfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcfpel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edqocbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npccpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflkaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmobhmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppkph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dldhdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkommo32.exe -
Executes dropped EXE 64 IoCs
pid Process 2868 Njgldmdc.exe 2732 Nfmmin32.exe 2540 Nofabc32.exe 2980 Nhnfkigh.exe 1188 Odegpj32.exe 2652 Onmkio32.exe 1060 Ogfpbeim.exe 1148 Onphoo32.exe 1664 Oghlgdgk.exe 2164 Obnqem32.exe 1656 Okfencna.exe 2828 Omgaek32.exe 1240 Ofpfnqjp.exe 2836 Paejki32.exe 2388 Pipopl32.exe 1972 Ppjglfon.exe 308 Piblek32.exe 584 Plahag32.exe 780 Peiljl32.exe 2500 Pmqdkj32.exe 828 Pfiidobe.exe 1528 Ppamme32.exe 2436 Qhmbagfa.exe 1828 Qnfjna32.exe 2484 Qljkhe32.exe 2360 Qjmkcbcb.exe 2816 Qagcpljo.exe 2756 Adeplhib.exe 2692 Afdlhchf.exe 2556 Ankdiqih.exe 2544 Afiecb32.exe 2972 Apajlhka.exe 2160 Admemg32.exe 2244 Amejeljk.exe 2864 Apcfahio.exe 496 Aljgfioc.exe 1652 Bingpmnl.exe 2592 Bkodhe32.exe 1500 Bokphdld.exe 2032 Bommnc32.exe 2480 Balijo32.exe 1436 Bhfagipa.exe 280 Bhhnli32.exe 568 Bpcbqk32.exe 444 Bdooajdc.exe 672 Cjlgiqbk.exe 1532 Cljcelan.exe 1588 Cdakgibq.exe 2300 Cgpgce32.exe 2196 Cjndop32.exe 1576 Cjndop32.exe 2396 Cnippoha.exe 2648 Cphlljge.exe 2808 Coklgg32.exe 2704 Cgbdhd32.exe 2604 Cjpqdp32.exe 2984 Chcqpmep.exe 2256 Clomqk32.exe 1660 Comimg32.exe 1728 Cciemedf.exe 2600 Cjbmjplb.exe 936 Claifkkf.exe 2404 Copfbfjj.exe 2904 Cdlnkmha.exe -
Loads dropped DLL 64 IoCs
pid Process 2356 812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe 2356 812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe 2868 Njgldmdc.exe 2868 Njgldmdc.exe 2732 Nfmmin32.exe 2732 Nfmmin32.exe 2540 Nofabc32.exe 2540 Nofabc32.exe 2980 Nhnfkigh.exe 2980 Nhnfkigh.exe 1188 Odegpj32.exe 1188 Odegpj32.exe 2652 Onmkio32.exe 2652 Onmkio32.exe 1060 Ogfpbeim.exe 1060 Ogfpbeim.exe 1148 Onphoo32.exe 1148 Onphoo32.exe 1664 Oghlgdgk.exe 1664 Oghlgdgk.exe 2164 Obnqem32.exe 2164 Obnqem32.exe 1656 Okfencna.exe 1656 Okfencna.exe 2828 Omgaek32.exe 2828 Omgaek32.exe 1240 Ofpfnqjp.exe 1240 Ofpfnqjp.exe 2836 Paejki32.exe 2836 Paejki32.exe 2388 Pipopl32.exe 2388 Pipopl32.exe 1972 Ppjglfon.exe 1972 Ppjglfon.exe 308 Piblek32.exe 308 Piblek32.exe 584 Plahag32.exe 584 Plahag32.exe 780 Peiljl32.exe 780 Peiljl32.exe 2500 Pmqdkj32.exe 2500 Pmqdkj32.exe 828 Pfiidobe.exe 828 Pfiidobe.exe 1528 Ppamme32.exe 1528 Ppamme32.exe 2436 Qhmbagfa.exe 2436 Qhmbagfa.exe 1828 Qnfjna32.exe 1828 Qnfjna32.exe 2484 Qljkhe32.exe 2484 Qljkhe32.exe 2360 Qjmkcbcb.exe 2360 Qjmkcbcb.exe 2816 Qagcpljo.exe 2816 Qagcpljo.exe 2756 Adeplhib.exe 2756 Adeplhib.exe 2692 Afdlhchf.exe 2692 Afdlhchf.exe 2556 Ankdiqih.exe 2556 Ankdiqih.exe 2544 Afiecb32.exe 2544 Afiecb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Inkccpgk.exe Igakgfpn.exe File created C:\Windows\SysWOW64\Dcnilecc.dll Okdkal32.exe File created C:\Windows\SysWOW64\Fakemm32.dll Lqmjnk32.exe File created C:\Windows\SysWOW64\Ekcaonhe.exe Ddiibc32.exe File created C:\Windows\SysWOW64\Kjohojml.dll Process not Found File created C:\Windows\SysWOW64\Jgcomkpo.dll Process not Found File created C:\Windows\SysWOW64\Joliff32.dll Dfmdho32.exe File created C:\Windows\SysWOW64\Nldjnfaf.dll Iccbqh32.exe File opened for modification C:\Windows\SysWOW64\Copjdhib.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bjebdfnn.exe Process not Found File created C:\Windows\SysWOW64\Fgpimg32.dll Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Oegbheiq.exe Oalfhf32.exe File opened for modification C:\Windows\SysWOW64\Hfedqagp.exe Hdfhdfgl.exe File created C:\Windows\SysWOW64\Eojdkn32.dll Iknpkd32.exe File created C:\Windows\SysWOW64\Pmmneg32.exe Process not Found File created C:\Windows\SysWOW64\Jjifqd32.dll Ahgnke32.exe File created C:\Windows\SysWOW64\Phmkjbfe.dll Nigome32.exe File created C:\Windows\SysWOW64\Pqnlhpfb.exe Pnopldgn.exe File opened for modification C:\Windows\SysWOW64\Eipgjaoi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fhljkm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ljigih32.exe Process not Found File created C:\Windows\SysWOW64\Elcmpi32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jfohgepi.exe Process not Found File created C:\Windows\SysWOW64\Eplkpgnh.exe Emnndlod.exe File created C:\Windows\SysWOW64\Hbleeb32.exe Hajinjff.exe File created C:\Windows\SysWOW64\Fljelj32.dll Process not Found File created C:\Windows\SysWOW64\Gellaqbd.dll Cafecmlj.exe File opened for modification C:\Windows\SysWOW64\Kfebambf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ogblbo32.exe Oddpfc32.exe File opened for modification C:\Windows\SysWOW64\Hihjhl32.exe Helngnie.exe File created C:\Windows\SysWOW64\Jmaebf32.dll Process not Found File created C:\Windows\SysWOW64\Ofpfnqjp.exe Omgaek32.exe File created C:\Windows\SysWOW64\Ipnnggjm.dll Jejhecaj.exe File created C:\Windows\SysWOW64\Mmofpf32.dll Process not Found File created C:\Windows\SysWOW64\Iahceq32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pjleclph.exe Process not Found File created C:\Windows\SysWOW64\Ehlmljkm.exe Process not Found File created C:\Windows\SysWOW64\Gcgqgd32.exe Process not Found File created C:\Windows\SysWOW64\Ffakjm32.dll Process not Found File created C:\Windows\SysWOW64\Mikhgqbi.exe Mcnpojca.exe File opened for modification C:\Windows\SysWOW64\Nfidjbdg.exe Process not Found File created C:\Windows\SysWOW64\Glbqje32.exe Gmoqnhla.exe File created C:\Windows\SysWOW64\Ggfcik32.dll Llnaoh32.exe File created C:\Windows\SysWOW64\Bmphhc32.exe Bffpki32.exe File created C:\Windows\SysWOW64\Figfejbj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Olmhdf32.exe Ojolhk32.exe File opened for modification C:\Windows\SysWOW64\Figlolbf.exe Fekpnn32.exe File opened for modification C:\Windows\SysWOW64\Cpfaocal.exe Cmgechbh.exe File opened for modification C:\Windows\SysWOW64\Filgbdfd.exe Ffmkfifa.exe File created C:\Windows\SysWOW64\Mhcmedli.exe Process not Found File created C:\Windows\SysWOW64\Bnochnpm.exe Process not Found File created C:\Windows\SysWOW64\Dcghkf32.exe Process not Found File created C:\Windows\SysWOW64\Dgmglh32.exe Ddokpmfo.exe File created C:\Windows\SysWOW64\Llkbap32.exe Limfed32.exe File created C:\Windows\SysWOW64\Iknpkd32.exe Ihpdoh32.exe File opened for modification C:\Windows\SysWOW64\Hndlem32.exe Hjipenda.exe File created C:\Windows\SysWOW64\Jpbalb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nnmlcp32.exe Process not Found File created C:\Windows\SysWOW64\Bdmnkd32.dll Process not Found File created C:\Windows\SysWOW64\Pffgja32.dll Hpkjko32.exe File created C:\Windows\SysWOW64\Fdjidgfa.exe Fjeefofk.exe File created C:\Windows\SysWOW64\Lanaiahq.exe Kjdilgpc.exe File created C:\Windows\SysWOW64\Kmobhmnn.exe Kfeikcfa.exe File created C:\Windows\SysWOW64\Lihobnap.exe Lbogfcjc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1696 1064 Process not Found 1958 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilncom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mapjmehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dngabk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdgpmfa.dll" Jcjnfdbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoffcnl.dll" Papfegmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmfgh32.dll" Heihnoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmfkmah.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgpiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicoaj32.dll" Phpjnnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjoppjjm.dll" Gmpjagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikepamg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klidkobf.dll" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pogjpc32.dll" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcbbjcif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoaelb.dll" Hajinjff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagojlib.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aamfnkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqgoiokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnegd32.dll" Ffcllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oohqqlei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ellcac32.dll" Gpabcbdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epnhci32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cejmcm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll" Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll" Meijhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpqain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mclcijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkdffe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" Gegfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcjnfdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lccdel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll" Dmafennb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moiklogi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjnfaf.dll" Iccbqh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2868 2356 812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe 28 PID 2356 wrote to memory of 2868 2356 812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe 28 PID 2356 wrote to memory of 2868 2356 812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe 28 PID 2356 wrote to memory of 2868 2356 812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe 28 PID 2868 wrote to memory of 2732 2868 Njgldmdc.exe 29 PID 2868 wrote to memory of 2732 2868 Njgldmdc.exe 29 PID 2868 wrote to memory of 2732 2868 Njgldmdc.exe 29 PID 2868 wrote to memory of 2732 2868 Njgldmdc.exe 29 PID 2732 wrote to memory of 2540 2732 Nfmmin32.exe 30 PID 2732 wrote to memory of 2540 2732 Nfmmin32.exe 30 PID 2732 wrote to memory of 2540 2732 Nfmmin32.exe 30 PID 2732 wrote to memory of 2540 2732 Nfmmin32.exe 30 PID 2540 wrote to memory of 2980 2540 Nofabc32.exe 31 PID 2540 wrote to memory of 2980 2540 Nofabc32.exe 31 PID 2540 wrote to memory of 2980 2540 Nofabc32.exe 31 PID 2540 wrote to memory of 2980 2540 Nofabc32.exe 31 PID 2980 wrote to memory of 1188 2980 Nhnfkigh.exe 32 PID 2980 wrote to memory of 1188 2980 Nhnfkigh.exe 32 PID 2980 wrote to memory of 1188 2980 Nhnfkigh.exe 32 PID 2980 wrote to memory of 1188 2980 Nhnfkigh.exe 32 PID 1188 wrote to memory of 2652 1188 Odegpj32.exe 33 PID 1188 wrote to memory of 2652 1188 Odegpj32.exe 33 PID 1188 wrote to memory of 2652 1188 Odegpj32.exe 33 PID 1188 wrote to memory of 2652 1188 Odegpj32.exe 33 PID 2652 wrote to memory of 1060 2652 Onmkio32.exe 34 PID 2652 wrote to memory of 1060 2652 Onmkio32.exe 34 PID 2652 wrote to memory of 1060 2652 Onmkio32.exe 34 PID 2652 wrote to memory of 1060 2652 Onmkio32.exe 34 PID 1060 wrote to memory of 1148 1060 Ogfpbeim.exe 35 PID 1060 wrote to memory of 1148 1060 Ogfpbeim.exe 35 PID 1060 wrote to memory of 1148 1060 Ogfpbeim.exe 35 PID 1060 wrote to memory of 1148 1060 Ogfpbeim.exe 35 PID 1148 wrote to memory of 1664 1148 Onphoo32.exe 36 PID 1148 wrote to memory of 1664 1148 Onphoo32.exe 36 PID 1148 wrote to memory of 1664 1148 Onphoo32.exe 36 PID 1148 wrote to memory of 1664 1148 Onphoo32.exe 36 PID 1664 wrote to memory of 2164 1664 Oghlgdgk.exe 37 PID 1664 wrote to memory of 2164 1664 Oghlgdgk.exe 37 PID 1664 wrote to memory of 2164 1664 Oghlgdgk.exe 37 PID 1664 wrote to memory of 2164 1664 Oghlgdgk.exe 37 PID 2164 wrote to memory of 1656 2164 Obnqem32.exe 38 PID 2164 wrote to memory of 1656 2164 Obnqem32.exe 38 PID 2164 wrote to memory of 1656 2164 Obnqem32.exe 38 PID 2164 wrote to memory of 1656 2164 Obnqem32.exe 38 PID 1656 wrote to memory of 2828 1656 Okfencna.exe 39 PID 1656 wrote to memory of 2828 1656 Okfencna.exe 39 PID 1656 wrote to memory of 2828 1656 Okfencna.exe 39 PID 1656 wrote to memory of 2828 1656 Okfencna.exe 39 PID 2828 wrote to memory of 1240 2828 Omgaek32.exe 40 PID 2828 wrote to memory of 1240 2828 Omgaek32.exe 40 PID 2828 wrote to memory of 1240 2828 Omgaek32.exe 40 PID 2828 wrote to memory of 1240 2828 Omgaek32.exe 40 PID 1240 wrote to memory of 2836 1240 Ofpfnqjp.exe 41 PID 1240 wrote to memory of 2836 1240 Ofpfnqjp.exe 41 PID 1240 wrote to memory of 2836 1240 Ofpfnqjp.exe 41 PID 1240 wrote to memory of 2836 1240 Ofpfnqjp.exe 41 PID 2836 wrote to memory of 2388 2836 Paejki32.exe 42 PID 2836 wrote to memory of 2388 2836 Paejki32.exe 42 PID 2836 wrote to memory of 2388 2836 Paejki32.exe 42 PID 2836 wrote to memory of 2388 2836 Paejki32.exe 42 PID 2388 wrote to memory of 1972 2388 Pipopl32.exe 43 PID 2388 wrote to memory of 1972 2388 Pipopl32.exe 43 PID 2388 wrote to memory of 1972 2388 Pipopl32.exe 43 PID 2388 wrote to memory of 1972 2388 Pipopl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\812ebf8b6277d5b1aba6ec88a520ef97dc44545d065590547d1f33e833ef1c05_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe33⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe34⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe35⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe37⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe38⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe39⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe40⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe41⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe42⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe43⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe44⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe45⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe46⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe47⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe48⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe50⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe51⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe52⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe53⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe54⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe55⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe56⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe57⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe58⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe59⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe60⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe61⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe62⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe63⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe64⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe65⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe66⤵PID:2900
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe67⤵
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe68⤵PID:1852
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe69⤵PID:1364
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe70⤵PID:1860
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe71⤵PID:872
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe72⤵PID:1548
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe73⤵PID:1580
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe74⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe75⤵PID:2588
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe76⤵PID:1960
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe77⤵
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe78⤵PID:1724
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe79⤵PID:812
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe80⤵PID:2960
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe81⤵PID:2892
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe82⤵
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe83⤵PID:1608
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe84⤵PID:2156
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1076 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe86⤵PID:1428
-
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe87⤵PID:3040
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe88⤵PID:2736
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe89⤵PID:2804
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe90⤵PID:2896
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe91⤵PID:2552
-
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe92⤵PID:1412
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe93⤵PID:2040
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe94⤵PID:1928
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe95⤵PID:1440
-
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe96⤵PID:1404
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe97⤵PID:1540
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe98⤵PID:1788
-
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe99⤵PID:2072
-
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe101⤵PID:1208
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe102⤵PID:876
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe103⤵PID:2764
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe104⤵PID:2568
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe105⤵PID:2656
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe106⤵PID:2076
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe107⤵PID:2120
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe108⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe109⤵PID:1504
-
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe110⤵PID:1320
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe111⤵PID:572
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe112⤵PID:2292
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe113⤵PID:1820
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe114⤵PID:3020
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe115⤵PID:2760
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe116⤵PID:2820
-
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe117⤵PID:2964
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe118⤵PID:832
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe119⤵PID:1492
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe120⤵PID:2508
-
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-