Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29/06/2024, 12:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe
-
Size
208KB
-
MD5
e3a5b88ede42394026a9d62776cf8ee0
-
SHA1
8579247225b16098374b94dcafd42ed6f7ff6384
-
SHA256
ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba
-
SHA512
154a896dcc111da05d6aec96c33a5b9422f67938f79329b5d0f82ab6448b0bf1c0fd25c6306067a1e391950cfa6617ca5be90e586e043a4ba096947c8f575e54
-
SSDEEP
3072:vMZV3GM1eOL9qr8vi6wzHKHOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5y:vMb1eOL9qr8aPKulrtMsQB+vn87L5Az
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efppoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbfdmeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofpfnqjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnfjna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbiciana.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcfdgiid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmhheqje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpnhgge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilknfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdejaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cciemedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ladeqhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obkdonic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppoqge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnippoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnnojlpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qecoqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllpkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oojknblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pigeqkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgmglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgdddmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njgldmdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqndkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epieghdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fphafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdlblj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmigj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe -
Executes dropped EXE 64 IoCs
pid Process 2872 Kmimafop.exe 2552 Kfaajlfp.exe 2716 Klnjbbdh.exe 2392 Komfnnck.exe 2364 Koocdnai.exe 2800 Kbkodl32.exe 1484 Lkfciogm.exe 2584 Laplei32.exe 2252 Lfmdnp32.exe 1796 Lodlom32.exe 292 Lpeifeca.exe 1560 Lkkmdn32.exe 864 Ladeqhjd.exe 2028 Lbfahp32.exe 2020 Lipjejgp.exe 2312 Lchnnp32.exe 1404 Libgjj32.exe 1808 Loooca32.exe 2240 Mcjkcplm.exe 2916 Mhgclfje.exe 1664 Mpolmdkg.exe 1512 Mcmhiojk.exe 1836 Migpeiag.exe 756 Mhjpaf32.exe 2192 Mcodno32.exe 3032 Menakj32.exe 2984 Mlgigdoh.exe 2564 Mofecpnl.exe 2480 Mhnjle32.exe 2528 Mnkbdlbd.exe 2416 Mdejaf32.exe 2440 Mkobnqan.exe 1380 Nnnojlpa.exe 2668 Ndgggf32.exe 1784 Nkaocp32.exe 2248 Npnhlg32.exe 1684 Ndjdlffl.exe 1516 Njgldmdc.exe 1344 Nqqdag32.exe 1252 Njiijlbp.exe 2744 Nqcagfim.exe 540 Ncancbha.exe 1412 Njkfpl32.exe 1564 Nohnhc32.exe 2912 Ofbfdmeb.exe 2996 Omloag32.exe 1928 Oojknblb.exe 1256 Ofdcjm32.exe 612 Ogfpbeim.exe 1956 Okalbc32.exe 2504 Obkdonic.exe 2728 Oqndkj32.exe 2616 Oghlgdgk.exe 2500 Onbddoog.exe 2640 Onbddoog.exe 2988 Oqqapjnk.exe 356 Okfencna.exe 2548 Omgaek32.exe 2080 Ocajbekl.exe 1016 Ofpfnqjp.exe 1456 Ongnonkb.exe 1324 Pphjgfqq.exe 1144 Pgobhcac.exe 1888 Pjmodopf.exe -
Loads dropped DLL 64 IoCs
pid Process 1904 ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe 1904 ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe 2872 Kmimafop.exe 2872 Kmimafop.exe 2552 Kfaajlfp.exe 2552 Kfaajlfp.exe 2716 Klnjbbdh.exe 2716 Klnjbbdh.exe 2392 Komfnnck.exe 2392 Komfnnck.exe 2364 Koocdnai.exe 2364 Koocdnai.exe 2800 Kbkodl32.exe 2800 Kbkodl32.exe 1484 Lkfciogm.exe 1484 Lkfciogm.exe 2584 Laplei32.exe 2584 Laplei32.exe 2252 Lfmdnp32.exe 2252 Lfmdnp32.exe 1796 Lodlom32.exe 1796 Lodlom32.exe 292 Lpeifeca.exe 292 Lpeifeca.exe 1560 Lkkmdn32.exe 1560 Lkkmdn32.exe 864 Ladeqhjd.exe 864 Ladeqhjd.exe 2028 Lbfahp32.exe 2028 Lbfahp32.exe 2020 Lipjejgp.exe 2020 Lipjejgp.exe 2312 Lchnnp32.exe 2312 Lchnnp32.exe 1404 Libgjj32.exe 1404 Libgjj32.exe 1808 Loooca32.exe 1808 Loooca32.exe 2240 Mcjkcplm.exe 2240 Mcjkcplm.exe 2916 Mhgclfje.exe 2916 Mhgclfje.exe 1664 Mpolmdkg.exe 1664 Mpolmdkg.exe 1512 Mcmhiojk.exe 1512 Mcmhiojk.exe 1836 Migpeiag.exe 1836 Migpeiag.exe 756 Mhjpaf32.exe 756 Mhjpaf32.exe 2192 Mcodno32.exe 2192 Mcodno32.exe 3032 Menakj32.exe 3032 Menakj32.exe 2984 Mlgigdoh.exe 2984 Mlgigdoh.exe 2564 Mofecpnl.exe 2564 Mofecpnl.exe 2480 Mhnjle32.exe 2480 Mhnjle32.exe 2528 Mnkbdlbd.exe 2528 Mnkbdlbd.exe 2416 Mdejaf32.exe 2416 Mdejaf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Balijo32.exe Bkaqmeah.exe File opened for modification C:\Windows\SysWOW64\Lipjejgp.exe Lbfahp32.exe File created C:\Windows\SysWOW64\Dbnkge32.dll Gmgdddmq.exe File created C:\Windows\SysWOW64\Oiahfd32.dll Ahokfj32.exe File created C:\Windows\SysWOW64\Bnkajj32.dll Ffnphf32.exe File created C:\Windows\SysWOW64\Hknach32.exe Ghoegl32.exe File created C:\Windows\SysWOW64\Mmlblm32.dll Qmlgonbe.exe File created C:\Windows\SysWOW64\Clnlnhop.dll Epieghdk.exe File created C:\Windows\SysWOW64\Njmekj32.dll Hmlnoc32.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Feeiob32.exe File created C:\Windows\SysWOW64\Alhjai32.exe Aiinen32.exe File opened for modification C:\Windows\SysWOW64\Eihfjo32.exe Dfijnd32.exe File opened for modification C:\Windows\SysWOW64\Gangic32.exe Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Cfbhnaho.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Gbnccfpb.exe Gobgcg32.exe File created C:\Windows\SysWOW64\Pbpjiphi.exe Ppamme32.exe File created C:\Windows\SysWOW64\Ennaieib.exe Ejbfhfaj.exe File opened for modification C:\Windows\SysWOW64\Fdoclk32.exe Fpdhklkl.exe File opened for modification C:\Windows\SysWOW64\Abmibdlh.exe Apomfh32.exe File created C:\Windows\SysWOW64\Aigaon32.exe Ajdadamj.exe File opened for modification C:\Windows\SysWOW64\Aljgfioc.exe Ahokfj32.exe File created C:\Windows\SysWOW64\Ahokfj32.exe Aepojo32.exe File opened for modification C:\Windows\SysWOW64\Oojknblb.exe Omloag32.exe File created C:\Windows\SysWOW64\Coklgg32.exe Cllpkl32.exe File opened for modification C:\Windows\SysWOW64\Cjbmjplb.exe Cciemedf.exe File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe Gelppaof.exe File created C:\Windows\SysWOW64\Eiikjj32.dll ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Koocdnai.exe Komfnnck.exe File created C:\Windows\SysWOW64\Jolfcj32.dll Apajlhka.exe File created C:\Windows\SysWOW64\Ejbfhfaj.exe Egdilkbf.exe File created C:\Windows\SysWOW64\Pffgja32.dll Hgdbhi32.exe File created C:\Windows\SysWOW64\Qecoqk32.exe Qmlgonbe.exe File created C:\Windows\SysWOW64\Epfhbign.exe Emhlfmgj.exe File created C:\Windows\SysWOW64\Ghfbqn32.exe Gicbeald.exe File created C:\Windows\SysWOW64\Lndipl32.dll Laplei32.exe File created C:\Windows\SysWOW64\Bkaqmeah.exe Bhcdaibd.exe File opened for modification C:\Windows\SysWOW64\Dnneja32.exe Dfgmhd32.exe File created C:\Windows\SysWOW64\Gkkemh32.exe Ghmiam32.exe File created C:\Windows\SysWOW64\Gbifnpmn.dll Lkfciogm.exe File created C:\Windows\SysWOW64\Damgbk32.dll Njgldmdc.exe File opened for modification C:\Windows\SysWOW64\Ofdcjm32.exe Oojknblb.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Pijbfj32.exe Pbpjiphi.exe File created C:\Windows\SysWOW64\Amndem32.exe Ankdiqih.exe File created C:\Windows\SysWOW64\Dcdooi32.dll Fdapak32.exe File created C:\Windows\SysWOW64\Begeknan.exe Balijo32.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Bdooajdc.exe File created C:\Windows\SysWOW64\Glpjaf32.dll Emeopn32.exe File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe Hgdbhi32.exe File opened for modification C:\Windows\SysWOW64\Hiekid32.exe Hejoiedd.exe File created C:\Windows\SysWOW64\Hppiecpn.dll Cckace32.exe File created C:\Windows\SysWOW64\Jbelkc32.dll Fmjejphb.exe File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe Goddhg32.exe File created C:\Windows\SysWOW64\Pphjgfqq.exe Ongnonkb.exe File created C:\Windows\SysWOW64\Bgknheej.exe Bdlblj32.exe File created C:\Windows\SysWOW64\Eihfjo32.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Gbolehjh.dll Ebedndfa.exe File opened for modification C:\Windows\SysWOW64\Dgaqgh32.exe Dcfdgiid.exe File created C:\Windows\SysWOW64\Bnhgoq32.dll Nohnhc32.exe File created C:\Windows\SysWOW64\Dflkdp32.exe Ckffgg32.exe File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fjgoce32.exe File opened for modification C:\Windows\SysWOW64\Menakj32.exe Mcodno32.exe File created C:\Windows\SysWOW64\Njkfpl32.exe Ncancbha.exe File created C:\Windows\SysWOW64\Dfgmhd32.exe Ddeaalpg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3924 3908 WerFault.exe 284 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afdlhchf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balijo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdjbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpeifeca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Migpeiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epieghdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefmambf.dll" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbifnpmn.dll" Lkfciogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difoda32.dll" Npnhlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" Egdilkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faokjpfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jadhjcfk.dll" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" Chcqpmep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfahp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpafgnp.dll" Mhjpaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okalbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqcagfim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Febhomkh.dll" Goddhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkfciogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfflopdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojiha32.dll" Pijbfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peegic32.dll" Mdejaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgobhcac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Komfnnck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njgldmdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgaek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peiljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfaajlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jolfcj32.dll" Apajlhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnpnndgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfmdnp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1904 wrote to memory of 2872 1904 ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe 28 PID 1904 wrote to memory of 2872 1904 ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe 28 PID 1904 wrote to memory of 2872 1904 ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe 28 PID 1904 wrote to memory of 2872 1904 ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe 28 PID 2872 wrote to memory of 2552 2872 Kmimafop.exe 29 PID 2872 wrote to memory of 2552 2872 Kmimafop.exe 29 PID 2872 wrote to memory of 2552 2872 Kmimafop.exe 29 PID 2872 wrote to memory of 2552 2872 Kmimafop.exe 29 PID 2552 wrote to memory of 2716 2552 Kfaajlfp.exe 30 PID 2552 wrote to memory of 2716 2552 Kfaajlfp.exe 30 PID 2552 wrote to memory of 2716 2552 Kfaajlfp.exe 30 PID 2552 wrote to memory of 2716 2552 Kfaajlfp.exe 30 PID 2716 wrote to memory of 2392 2716 Klnjbbdh.exe 31 PID 2716 wrote to memory of 2392 2716 Klnjbbdh.exe 31 PID 2716 wrote to memory of 2392 2716 Klnjbbdh.exe 31 PID 2716 wrote to memory of 2392 2716 Klnjbbdh.exe 31 PID 2392 wrote to memory of 2364 2392 Komfnnck.exe 32 PID 2392 wrote to memory of 2364 2392 Komfnnck.exe 32 PID 2392 wrote to memory of 2364 2392 Komfnnck.exe 32 PID 2392 wrote to memory of 2364 2392 Komfnnck.exe 32 PID 2364 wrote to memory of 2800 2364 Koocdnai.exe 33 PID 2364 wrote to memory of 2800 2364 Koocdnai.exe 33 PID 2364 wrote to memory of 2800 2364 Koocdnai.exe 33 PID 2364 wrote to memory of 2800 2364 Koocdnai.exe 33 PID 2800 wrote to memory of 1484 2800 Kbkodl32.exe 34 PID 2800 wrote to memory of 1484 2800 Kbkodl32.exe 34 PID 2800 wrote to memory of 1484 2800 Kbkodl32.exe 34 PID 2800 wrote to memory of 1484 2800 Kbkodl32.exe 34 PID 1484 wrote to memory of 2584 1484 Lkfciogm.exe 35 PID 1484 wrote to memory of 2584 1484 Lkfciogm.exe 35 PID 1484 wrote to memory of 2584 1484 Lkfciogm.exe 35 PID 1484 wrote to memory of 2584 1484 Lkfciogm.exe 35 PID 2584 wrote to memory of 2252 2584 Laplei32.exe 36 PID 2584 wrote to memory of 2252 2584 Laplei32.exe 36 PID 2584 wrote to memory of 2252 2584 Laplei32.exe 36 PID 2584 wrote to memory of 2252 2584 Laplei32.exe 36 PID 2252 wrote to memory of 1796 2252 Lfmdnp32.exe 37 PID 2252 wrote to memory of 1796 2252 Lfmdnp32.exe 37 PID 2252 wrote to memory of 1796 2252 Lfmdnp32.exe 37 PID 2252 wrote to memory of 1796 2252 Lfmdnp32.exe 37 PID 1796 wrote to memory of 292 1796 Lodlom32.exe 38 PID 1796 wrote to memory of 292 1796 Lodlom32.exe 38 PID 1796 wrote to memory of 292 1796 Lodlom32.exe 38 PID 1796 wrote to memory of 292 1796 Lodlom32.exe 38 PID 292 wrote to memory of 1560 292 Lpeifeca.exe 39 PID 292 wrote to memory of 1560 292 Lpeifeca.exe 39 PID 292 wrote to memory of 1560 292 Lpeifeca.exe 39 PID 292 wrote to memory of 1560 292 Lpeifeca.exe 39 PID 1560 wrote to memory of 864 1560 Lkkmdn32.exe 40 PID 1560 wrote to memory of 864 1560 Lkkmdn32.exe 40 PID 1560 wrote to memory of 864 1560 Lkkmdn32.exe 40 PID 1560 wrote to memory of 864 1560 Lkkmdn32.exe 40 PID 864 wrote to memory of 2028 864 Ladeqhjd.exe 41 PID 864 wrote to memory of 2028 864 Ladeqhjd.exe 41 PID 864 wrote to memory of 2028 864 Ladeqhjd.exe 41 PID 864 wrote to memory of 2028 864 Ladeqhjd.exe 41 PID 2028 wrote to memory of 2020 2028 Lbfahp32.exe 42 PID 2028 wrote to memory of 2020 2028 Lbfahp32.exe 42 PID 2028 wrote to memory of 2020 2028 Lbfahp32.exe 42 PID 2028 wrote to memory of 2020 2028 Lbfahp32.exe 42 PID 2020 wrote to memory of 2312 2020 Lipjejgp.exe 43 PID 2020 wrote to memory of 2312 2020 Lipjejgp.exe 43 PID 2020 wrote to memory of 2312 2020 Lipjejgp.exe 43 PID 2020 wrote to memory of 2312 2020 Lipjejgp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ab30d03e9234d5a843ba23c91ad0bc1545f1fe6e5e281e25327954f8ef589fba_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe33⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe35⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe36⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe38⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe40⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:540 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe44⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe49⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe50⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe55⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe56⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe57⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe58⤵
- Executes dropped EXE
PID:356 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe60⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe63⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe65⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe66⤵PID:336
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1468 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe69⤵PID:1216
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe70⤵PID:920
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe71⤵PID:1048
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe73⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe76⤵PID:2692
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe77⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe79⤵
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe80⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe81⤵
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1768 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe84⤵PID:1656
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe85⤵PID:1632
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe86⤵PID:1532
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe87⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe89⤵
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:332 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe92⤵PID:1812
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe93⤵PID:2296
-
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe94⤵PID:3052
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:672 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe96⤵PID:2792
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe97⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe98⤵PID:1708
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe100⤵PID:2896
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe102⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe103⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:628 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe105⤵PID:2256
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe106⤵PID:2116
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe107⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe108⤵
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe109⤵PID:876
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe110⤵
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe111⤵PID:2904
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe112⤵PID:1296
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe113⤵PID:892
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe115⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe116⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe118⤵PID:1136
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe119⤵PID:2180
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe120⤵PID:1056
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-