Analysis
-
max time kernel
147s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30-06-2024 11:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe
-
Size
320KB
-
MD5
288280ad8653ffd6c6c66d899e409bb0
-
SHA1
1f6ccd4561816949f75676910466a014ef872e53
-
SHA256
085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a
-
SHA512
1bb852e5b246e80d79f1ca1b57c5db14df52ff13ae72021523168bd3c14c5edbbfe7ca2ab3e6f5f5e29a9be95edd84b693ed0ee879dd8087faa16b6679e5af11
-
SSDEEP
3072:aVxSlB5Yw11IqvaUKowS/A4MK0FzJG/AMBxjUSmkCMQ/9h/NR5f0m:wq5r1IqyoV/Ah1G/AcQ///NR5fn
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlkdkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknnbklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknekeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cafecmlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljcelan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeiieeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafnlpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enihne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlnbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbfdjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqfffqpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pigeqkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjojofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moalhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfjqnjkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kneicieh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjfccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doehqead.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omloag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblhgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnclnihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfgdhjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdcji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebjglbml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlhnbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhgbmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omloag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbiciana.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgioaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgajhbkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejgko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqpgol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe -
Executes dropped EXE 64 IoCs
pid Process 2996 Lpjbad32.exe 2644 Llqcfe32.exe 2704 Moalhq32.exe 2436 Migpeiag.exe 2596 Mlelaeqk.exe 2956 Mnieom32.exe 2296 Mgajhbkg.exe 2760 Magnek32.exe 2936 Mkobnqan.exe 1928 Ndgggf32.exe 1748 Nlblkhei.exe 2616 Ncmdhb32.exe 1512 Nocemcbj.exe 3028 Nofabc32.exe 2088 Nfpjomgd.exe 792 Omloag32.exe 2900 Okalbc32.exe 2168 Obkdonic.exe 1784 Obnqem32.exe 1560 Ogjimd32.exe 1008 Oenifh32.exe 2008 Ocajbekl.exe 1652 Ofpfnqjp.exe 1420 Pjmodopf.exe 1480 Pbiciana.exe 2552 Pbkpna32.exe 2564 Pfflopdh.exe 1280 Pigeqkai.exe 2948 Plfamfpm.exe 2580 Pbpjiphi.exe 2904 Qlhnbf32.exe 1920 Qnfjna32.exe 2700 Qljkhe32.exe 108 Ahakmf32.exe 1904 Ajphib32.exe 380 Amndem32.exe 1224 Ahchbf32.exe 1584 Aiedjneg.exe 1888 Apomfh32.exe 2260 Abmibdlh.exe 2204 Alenki32.exe 788 Abpfhcje.exe 588 Aenbdoii.exe 1152 Alhjai32.exe 2116 Abbbnchb.exe 1580 Aepojo32.exe 1648 Ahokfj32.exe 1212 Bpfcgg32.exe 1624 Bagpopmj.exe 1864 Bingpmnl.exe 812 Blmdlhmp.exe 280 Bokphdld.exe 2052 Bbflib32.exe 2620 Bdhhqk32.exe 2720 Bkaqmeah.exe 2456 Bnpmipql.exe 2916 Begeknan.exe 2804 Bdjefj32.exe 768 Bkdmcdoe.exe 2132 Bnbjopoi.exe 1544 Bpafkknm.exe 2196 Bhhnli32.exe 1608 Bkfjhd32.exe 2232 Bnefdp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2964 085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe 2964 085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe 2996 Lpjbad32.exe 2996 Lpjbad32.exe 2644 Llqcfe32.exe 2644 Llqcfe32.exe 2704 Moalhq32.exe 2704 Moalhq32.exe 2436 Migpeiag.exe 2436 Migpeiag.exe 2596 Mlelaeqk.exe 2596 Mlelaeqk.exe 2956 Mnieom32.exe 2956 Mnieom32.exe 2296 Mgajhbkg.exe 2296 Mgajhbkg.exe 2760 Magnek32.exe 2760 Magnek32.exe 2936 Mkobnqan.exe 2936 Mkobnqan.exe 1928 Ndgggf32.exe 1928 Ndgggf32.exe 1748 Nlblkhei.exe 1748 Nlblkhei.exe 2616 Ncmdhb32.exe 2616 Ncmdhb32.exe 1512 Nocemcbj.exe 1512 Nocemcbj.exe 3028 Nofabc32.exe 3028 Nofabc32.exe 2088 Nfpjomgd.exe 2088 Nfpjomgd.exe 792 Omloag32.exe 792 Omloag32.exe 2900 Okalbc32.exe 2900 Okalbc32.exe 2168 Obkdonic.exe 2168 Obkdonic.exe 1784 Obnqem32.exe 1784 Obnqem32.exe 1560 Ogjimd32.exe 1560 Ogjimd32.exe 1008 Oenifh32.exe 1008 Oenifh32.exe 2008 Ocajbekl.exe 2008 Ocajbekl.exe 1652 Ofpfnqjp.exe 1652 Ofpfnqjp.exe 1420 Pjmodopf.exe 1420 Pjmodopf.exe 1524 Pjpkjond.exe 1524 Pjpkjond.exe 2552 Pbkpna32.exe 2552 Pbkpna32.exe 2564 Pfflopdh.exe 2564 Pfflopdh.exe 1280 Pigeqkai.exe 1280 Pigeqkai.exe 2948 Plfamfpm.exe 2948 Plfamfpm.exe 2580 Pbpjiphi.exe 2580 Pbpjiphi.exe 2904 Qlhnbf32.exe 2904 Qlhnbf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Claifkkf.exe Cjbmjplb.exe File created C:\Windows\SysWOW64\Kfbkmk32.exe Kcdnao32.exe File opened for modification C:\Windows\SysWOW64\Lfjqnjkh.exe Lbnemk32.exe File created C:\Windows\SysWOW64\Onjgiiad.exe Oklkmnbp.exe File created C:\Windows\SysWOW64\Kaplbi32.dll Pnjdhmdo.exe File created C:\Windows\SysWOW64\Iakdqgfi.dll Qcbllb32.exe File created C:\Windows\SysWOW64\Bbflib32.exe Bokphdld.exe File created C:\Windows\SysWOW64\Bpcbqk32.exe Bnefdp32.exe File created C:\Windows\SysWOW64\Gcaciakh.dll Ggpimica.exe File created C:\Windows\SysWOW64\Pqiqnfej.dll Iaeiieeb.exe File opened for modification C:\Windows\SysWOW64\Mmfbogcn.exe Mkgfckcj.exe File created C:\Windows\SysWOW64\Pbhmnkjf.exe Pjadmnic.exe File created C:\Windows\SysWOW64\Qpmnhglp.dll Bblogakg.exe File opened for modification C:\Windows\SysWOW64\Mlelaeqk.exe Migpeiag.exe File opened for modification C:\Windows\SysWOW64\Gdamqndn.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Baoohhdn.dll Kgnnln32.exe File created C:\Windows\SysWOW64\Ohfeog32.exe Ofhick32.exe File created C:\Windows\SysWOW64\Jejinjob.dll Pjadmnic.exe File opened for modification C:\Windows\SysWOW64\Afohaa32.exe Ahlgfdeq.exe File created C:\Windows\SysWOW64\Fmcqoe32.dll Pbkpna32.exe File opened for modification C:\Windows\SysWOW64\Fejgko32.exe Fmcoja32.exe File created C:\Windows\SysWOW64\Bcqgok32.dll Feeiob32.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Mkeimlfm.exe Mgimmm32.exe File created C:\Windows\SysWOW64\Bllbijej.dll Aipddi32.exe File created C:\Windows\SysWOW64\Cafecmlj.exe Cohigamf.exe File opened for modification C:\Windows\SysWOW64\Cclkfdnc.exe Cdikkg32.exe File created C:\Windows\SysWOW64\Ddgkcd32.dll Dodonf32.exe File created C:\Windows\SysWOW64\Odoghjmf.dll Ikbgmj32.exe File created C:\Windows\SysWOW64\Cgjcijfp.dll Cpkbdiqb.exe File created C:\Windows\SysWOW64\Cbamcl32.dll Claifkkf.exe File opened for modification C:\Windows\SysWOW64\Eecqjpee.exe Enihne32.exe File opened for modification C:\Windows\SysWOW64\Fhffaj32.exe Ebinic32.exe File opened for modification C:\Windows\SysWOW64\Kjljhjkl.exe Kgnnln32.exe File opened for modification C:\Windows\SysWOW64\Knjbnh32.exe Kfbkmk32.exe File opened for modification C:\Windows\SysWOW64\Nlphkb32.exe Nialog32.exe File opened for modification C:\Windows\SysWOW64\Nlbeqb32.exe Ndkmpe32.exe File opened for modification C:\Windows\SysWOW64\Oklkmnbp.exe Nceclqan.exe File created C:\Windows\SysWOW64\Cbkeib32.exe Comimg32.exe File created C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File opened for modification C:\Windows\SysWOW64\Bfenbpec.exe Bdgafdfp.exe File opened for modification C:\Windows\SysWOW64\Omloag32.exe Nfpjomgd.exe File created C:\Windows\SysWOW64\Bmhljm32.dll Qljkhe32.exe File created C:\Windows\SysWOW64\Nnmphi32.dll Nlphkb32.exe File opened for modification C:\Windows\SysWOW64\Pjenhm32.exe Pfjbgnme.exe File created C:\Windows\SysWOW64\Blbfjg32.exe Bidjnkdg.exe File created C:\Windows\SysWOW64\Bppoqeja.exe Bekkcljk.exe File created C:\Windows\SysWOW64\Nocemcbj.exe Ncmdhb32.exe File opened for modification C:\Windows\SysWOW64\Hpocfncj.exe Hiekid32.exe File created C:\Windows\SysWOW64\Ihdkao32.exe Iqmcpahh.exe File opened for modification C:\Windows\SysWOW64\Logbhl32.exe Lliflp32.exe File created C:\Windows\SysWOW64\Emieil32.exe Ekhhadmk.exe File created C:\Windows\SysWOW64\Gkihhhnm.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Feeiob32.exe File opened for modification C:\Windows\SysWOW64\Hiekid32.exe Hggomh32.exe File created C:\Windows\SysWOW64\Eeoliecf.dll Jcgogk32.exe File created C:\Windows\SysWOW64\Kcfkfo32.exe Kahojc32.exe File created C:\Windows\SysWOW64\Dpmqjgdc.dll Pclfkc32.exe File created C:\Windows\SysWOW64\Aabagnfc.dll Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Ednpej32.exe Ebodiofk.exe File created C:\Windows\SysWOW64\Comimg32.exe Clomqk32.exe File created C:\Windows\SysWOW64\Ijlhmj32.dll Mcegmm32.exe File created C:\Windows\SysWOW64\Pedleg32.exe Pnjdhmdo.exe File created C:\Windows\SysWOW64\Edkcojga.exe Eqpgol32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4888 4716 WerFault.exe 466 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doehqead.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkobnqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknmbn32.dll" Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaaijdgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amkoie32.dll" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogjimd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkhohik.dll" Pfoocjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfidhng.dll" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghniakc.dll" Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fioeja32.dll" Oonafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcbnc32.dll" Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiedkadc.dll" Omloag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbbnchb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Emieil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cobbhfhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgnfhlin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebpkk32.dll" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" Eqijej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nofabc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmkdbj.dll" Kgbggnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojgbclk.dll" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahqdihi.dll" Aemkjiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfpjomgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgcmfjnn.dll" Dgfjbgmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlphkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohigamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqpgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghmjpap.dll" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpdmj32.dll" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihankokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmljjm32.dll" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdcc32.dll" Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpbaebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll" Fjaonpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocindg32.dll" Nceclqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kahojc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppmppld.dll" Mmhodf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblogakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppiecpn.dll" Cckace32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmlecec.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2964 wrote to memory of 2996 2964 085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe 28 PID 2964 wrote to memory of 2996 2964 085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe 28 PID 2964 wrote to memory of 2996 2964 085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe 28 PID 2964 wrote to memory of 2996 2964 085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe 28 PID 2996 wrote to memory of 2644 2996 Lpjbad32.exe 29 PID 2996 wrote to memory of 2644 2996 Lpjbad32.exe 29 PID 2996 wrote to memory of 2644 2996 Lpjbad32.exe 29 PID 2996 wrote to memory of 2644 2996 Lpjbad32.exe 29 PID 2644 wrote to memory of 2704 2644 Llqcfe32.exe 30 PID 2644 wrote to memory of 2704 2644 Llqcfe32.exe 30 PID 2644 wrote to memory of 2704 2644 Llqcfe32.exe 30 PID 2644 wrote to memory of 2704 2644 Llqcfe32.exe 30 PID 2704 wrote to memory of 2436 2704 Moalhq32.exe 31 PID 2704 wrote to memory of 2436 2704 Moalhq32.exe 31 PID 2704 wrote to memory of 2436 2704 Moalhq32.exe 31 PID 2704 wrote to memory of 2436 2704 Moalhq32.exe 31 PID 2436 wrote to memory of 2596 2436 Migpeiag.exe 32 PID 2436 wrote to memory of 2596 2436 Migpeiag.exe 32 PID 2436 wrote to memory of 2596 2436 Migpeiag.exe 32 PID 2436 wrote to memory of 2596 2436 Migpeiag.exe 32 PID 2596 wrote to memory of 2956 2596 Mlelaeqk.exe 33 PID 2596 wrote to memory of 2956 2596 Mlelaeqk.exe 33 PID 2596 wrote to memory of 2956 2596 Mlelaeqk.exe 33 PID 2596 wrote to memory of 2956 2596 Mlelaeqk.exe 33 PID 2956 wrote to memory of 2296 2956 Mnieom32.exe 34 PID 2956 wrote to memory of 2296 2956 Mnieom32.exe 34 PID 2956 wrote to memory of 2296 2956 Mnieom32.exe 34 PID 2956 wrote to memory of 2296 2956 Mnieom32.exe 34 PID 2296 wrote to memory of 2760 2296 Mgajhbkg.exe 35 PID 2296 wrote to memory of 2760 2296 Mgajhbkg.exe 35 PID 2296 wrote to memory of 2760 2296 Mgajhbkg.exe 35 PID 2296 wrote to memory of 2760 2296 Mgajhbkg.exe 35 PID 2760 wrote to memory of 2936 2760 Magnek32.exe 36 PID 2760 wrote to memory of 2936 2760 Magnek32.exe 36 PID 2760 wrote to memory of 2936 2760 Magnek32.exe 36 PID 2760 wrote to memory of 2936 2760 Magnek32.exe 36 PID 2936 wrote to memory of 1928 2936 Mkobnqan.exe 37 PID 2936 wrote to memory of 1928 2936 Mkobnqan.exe 37 PID 2936 wrote to memory of 1928 2936 Mkobnqan.exe 37 PID 2936 wrote to memory of 1928 2936 Mkobnqan.exe 37 PID 1928 wrote to memory of 1748 1928 Ndgggf32.exe 38 PID 1928 wrote to memory of 1748 1928 Ndgggf32.exe 38 PID 1928 wrote to memory of 1748 1928 Ndgggf32.exe 38 PID 1928 wrote to memory of 1748 1928 Ndgggf32.exe 38 PID 1748 wrote to memory of 2616 1748 Nlblkhei.exe 39 PID 1748 wrote to memory of 2616 1748 Nlblkhei.exe 39 PID 1748 wrote to memory of 2616 1748 Nlblkhei.exe 39 PID 1748 wrote to memory of 2616 1748 Nlblkhei.exe 39 PID 2616 wrote to memory of 1512 2616 Ncmdhb32.exe 40 PID 2616 wrote to memory of 1512 2616 Ncmdhb32.exe 40 PID 2616 wrote to memory of 1512 2616 Ncmdhb32.exe 40 PID 2616 wrote to memory of 1512 2616 Ncmdhb32.exe 40 PID 1512 wrote to memory of 3028 1512 Nocemcbj.exe 41 PID 1512 wrote to memory of 3028 1512 Nocemcbj.exe 41 PID 1512 wrote to memory of 3028 1512 Nocemcbj.exe 41 PID 1512 wrote to memory of 3028 1512 Nocemcbj.exe 41 PID 3028 wrote to memory of 2088 3028 Nofabc32.exe 42 PID 3028 wrote to memory of 2088 3028 Nofabc32.exe 42 PID 3028 wrote to memory of 2088 3028 Nofabc32.exe 42 PID 3028 wrote to memory of 2088 3028 Nofabc32.exe 42 PID 2088 wrote to memory of 792 2088 Nfpjomgd.exe 43 PID 2088 wrote to memory of 792 2088 Nfpjomgd.exe 43 PID 2088 wrote to memory of 792 2088 Nfpjomgd.exe 43 PID 2088 wrote to memory of 792 2088 Nfpjomgd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\085a99a1454183c9c5812ae20c907515ae47aa5aea4a8a845084d23596b56f4a_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe27⤵
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1280 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe34⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe36⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe38⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe39⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe40⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe41⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe42⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe44⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe45⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe48⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe49⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe51⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe52⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe53⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe55⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe56⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe57⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe58⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe59⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe60⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe61⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe62⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe63⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe64⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe65⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe67⤵PID:1660
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe68⤵PID:412
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe69⤵PID:1568
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe70⤵PID:2864
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe72⤵PID:2340
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe73⤵PID:2636
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe74⤵PID:2016
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe75⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe76⤵PID:2476
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe77⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe79⤵PID:1956
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe80⤵PID:1896
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe81⤵
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe83⤵PID:2200
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe84⤵
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe85⤵PID:2240
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe86⤵PID:1788
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe87⤵PID:1768
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe88⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe89⤵PID:1688
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe90⤵PID:2364
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe91⤵PID:2868
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe92⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe93⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe94⤵
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe95⤵PID:2432
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1892 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe97⤵PID:2744
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe98⤵PID:1708
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe100⤵
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe101⤵PID:1848
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe102⤵PID:2224
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe103⤵PID:2236
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe105⤵PID:1704
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe107⤵PID:1532
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe108⤵PID:908
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe109⤵PID:2984
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe111⤵PID:1852
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe112⤵PID:2520
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe114⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe115⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe116⤵
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe118⤵PID:1880
-
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe119⤵PID:1352
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe120⤵PID:1436
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe121⤵PID:1400
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-