Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 01:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe
-
Size
92KB
-
MD5
4969785a6b38a307f11cb29803f14d80
-
SHA1
a5868a06edc615ff182a473ba6f1a98a13b6adfa
-
SHA256
7b7482e3e82226b0299e518dc1fe34edb875f66ed48e5d3d1e7adf91867b80d2
-
SHA512
0cbfbc039436e8bce6f4e00d770c50ce6366450c9457b2cca2911c24fac65b0bbeed0b70b6920443c4c21987267fdc83b60987406e15072145e3e8ac666e793b
-
SSDEEP
1536:hNihG8wQwYYDfqnwD0FcoWu9N/PmlEmpQOpjXq+66DFUABABOVLefE3:3ihG8VJYrqnwwV3mlOMj6+JB8M3
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnccfpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfeddafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebpkce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggpimica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondajnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccfhhffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihfjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofabc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalmklfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boiccdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjndop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fioija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmjejphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknnbklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqjepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondajnme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonnhhln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjmkcbcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbacbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgcfijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbdna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balijo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gangic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhahlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbdhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocomlemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pminkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdbhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clomqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpodagk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eloemi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmodopf.exe -
Executes dropped EXE 64 IoCs
pid Process 2088 Ngkmnacm.exe 1756 Njiijlbp.exe 2712 Nhlifi32.exe 2620 Nqcagfim.exe 2596 Nofabc32.exe 2508 Ncancbha.exe 556 Nfpjomgd.exe 2808 Nmjblg32.exe 2964 Nkmbgdfl.exe 1952 Nohnhc32.exe 1644 Nbfjdn32.exe 2448 Ofbfdmeb.exe 2348 Omloag32.exe 1420 Okoomd32.exe 2904 Oojknblb.exe 2020 Ofdcjm32.exe 1312 Odgcfijj.exe 1488 Oicpfh32.exe 1828 Ogfpbeim.exe 1688 Oomhcbjp.exe 2100 Onphoo32.exe 1720 Obkdonic.exe 1300 Oqndkj32.exe 928 Odjpkihg.exe 344 Oiellh32.exe 2008 Oghlgdgk.exe 2896 Ojficpfn.exe 2756 Obnqem32.exe 2472 Oelmai32.exe 1668 Ocomlemo.exe 2856 Okfencna.exe 2652 Ondajnme.exe 2504 Omgaek32.exe 2632 Oenifh32.exe 1200 Ocajbekl.exe 1512 Ojkboo32.exe 2272 Ongnonkb.exe 1664 Pminkk32.exe 1296 Pphjgfqq.exe 860 Pgobhcac.exe 2204 Pfbccp32.exe 2412 Pjmodopf.exe 1676 Ppjglfon.exe 1040 Ppjglfon.exe 1076 Pcfcmd32.exe 1428 Pbiciana.exe 1400 Pfdpip32.exe 2164 Pjpkjond.exe 2740 Pmnhfjmg.exe 3048 Ppmdbe32.exe 2560 Pfflopdh.exe 2664 Piehkkcl.exe 1680 Pmqdkj32.exe 1368 Plcdgfbo.exe 2052 Ppoqge32.exe 1888 Pnbacbac.exe 596 Pbmmcq32.exe 1356 Pelipl32.exe 1796 Pigeqkai.exe 1636 Phjelg32.exe 2956 Plfamfpm.exe 864 Pndniaop.exe 3028 Pbpjiphi.exe 2884 Pabjem32.exe -
Loads dropped DLL 64 IoCs
pid Process 2032 4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe 2032 4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe 2088 Ngkmnacm.exe 2088 Ngkmnacm.exe 1756 Njiijlbp.exe 1756 Njiijlbp.exe 2712 Nhlifi32.exe 2712 Nhlifi32.exe 2620 Nqcagfim.exe 2620 Nqcagfim.exe 2596 Nofabc32.exe 2596 Nofabc32.exe 2508 Ncancbha.exe 2508 Ncancbha.exe 556 Nfpjomgd.exe 556 Nfpjomgd.exe 2808 Nmjblg32.exe 2808 Nmjblg32.exe 2964 Nkmbgdfl.exe 2964 Nkmbgdfl.exe 1952 Nohnhc32.exe 1952 Nohnhc32.exe 1644 Nbfjdn32.exe 1644 Nbfjdn32.exe 2448 Ofbfdmeb.exe 2448 Ofbfdmeb.exe 2348 Omloag32.exe 2348 Omloag32.exe 1420 Okoomd32.exe 1420 Okoomd32.exe 2904 Oojknblb.exe 2904 Oojknblb.exe 2020 Ofdcjm32.exe 2020 Ofdcjm32.exe 1312 Odgcfijj.exe 1312 Odgcfijj.exe 1488 Oicpfh32.exe 1488 Oicpfh32.exe 1828 Ogfpbeim.exe 1828 Ogfpbeim.exe 1688 Oomhcbjp.exe 1688 Oomhcbjp.exe 2100 Onphoo32.exe 2100 Onphoo32.exe 1720 Obkdonic.exe 1720 Obkdonic.exe 1300 Oqndkj32.exe 1300 Oqndkj32.exe 928 Odjpkihg.exe 928 Odjpkihg.exe 344 Oiellh32.exe 344 Oiellh32.exe 2008 Oghlgdgk.exe 2008 Oghlgdgk.exe 2896 Ojficpfn.exe 2896 Ojficpfn.exe 2756 Obnqem32.exe 2756 Obnqem32.exe 2472 Oelmai32.exe 2472 Oelmai32.exe 1668 Ocomlemo.exe 1668 Ocomlemo.exe 2856 Okfencna.exe 2856 Okfencna.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fmekoalh.exe Fjgoce32.exe File opened for modification C:\Windows\SysWOW64\Flmefm32.exe Fmjejphb.exe File opened for modification C:\Windows\SysWOW64\Pndniaop.exe Plfamfpm.exe File opened for modification C:\Windows\SysWOW64\Adeplhib.exe Qecoqk32.exe File opened for modification C:\Windows\SysWOW64\Blmdlhmp.exe Bhahlj32.exe File created C:\Windows\SysWOW64\Hbbhkqaj.dll Bkdmcdoe.exe File created C:\Windows\SysWOW64\Odbhmo32.dll Ebpkce32.exe File opened for modification C:\Windows\SysWOW64\Eecqjpee.exe Ebedndfa.exe File created C:\Windows\SysWOW64\Pfbccp32.exe Pgobhcac.exe File created C:\Windows\SysWOW64\Cobbhfhg.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Dnilobkm.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Ddokpmfo.exe Dflkdp32.exe File created C:\Windows\SysWOW64\Memeaofm.dll Dgmglh32.exe File created C:\Windows\SysWOW64\Bccnbmal.dll Faagpp32.exe File created C:\Windows\SysWOW64\Hgbebiao.exe Gddifnbk.exe File opened for modification C:\Windows\SysWOW64\Idceea32.exe Ieqeidnl.exe File opened for modification C:\Windows\SysWOW64\Ocajbekl.exe Oenifh32.exe File created C:\Windows\SysWOW64\Obopfpji.dll Pminkk32.exe File created C:\Windows\SysWOW64\Aenbdoii.exe Afkbib32.exe File created C:\Windows\SysWOW64\Apcfahio.exe Alhjai32.exe File created C:\Windows\SysWOW64\Cfeddafl.exe Cgbdhd32.exe File created C:\Windows\SysWOW64\Ddgkcd32.dll Ddagfm32.exe File created C:\Windows\SysWOW64\Nbdppp32.dll Omgaek32.exe File created C:\Windows\SysWOW64\Pfdpip32.exe Pbiciana.exe File opened for modification C:\Windows\SysWOW64\Cobbhfhg.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Egdnbg32.dll Eijcpoac.exe File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Piehkkcl.exe Pfflopdh.exe File created C:\Windows\SysWOW64\Pabjem32.exe Pbpjiphi.exe File opened for modification C:\Windows\SysWOW64\Qaefjm32.exe Qbbfopeg.exe File created C:\Windows\SysWOW64\Qefpjhef.dll Cfeddafl.exe File opened for modification C:\Windows\SysWOW64\Fphafl32.exe Flmefm32.exe File created C:\Windows\SysWOW64\Ahpjhc32.dll Gieojq32.exe File created C:\Windows\SysWOW64\Admemg32.exe Apajlhka.exe File created C:\Windows\SysWOW64\Efncicpm.exe Ebbgid32.exe File opened for modification C:\Windows\SysWOW64\Enihne32.exe Epfhbign.exe File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe Fbgmbg32.exe File created C:\Windows\SysWOW64\Eeqdep32.exe Efncicpm.exe File opened for modification C:\Windows\SysWOW64\Ebedndfa.exe Enihne32.exe File opened for modification C:\Windows\SysWOW64\Gmgdddmq.exe Goddhg32.exe File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Bhpdae32.dll Hckcmjep.exe File created C:\Windows\SysWOW64\Ognnoaka.dll Cngcjo32.exe File created C:\Windows\SysWOW64\Hnbjle32.dll Nmjblg32.exe File created C:\Windows\SysWOW64\Pndniaop.exe Plfamfpm.exe File created C:\Windows\SysWOW64\Leajegob.dll Bopicc32.exe File opened for modification C:\Windows\SysWOW64\Dgaqgh32.exe Dcfdgiid.exe File opened for modification C:\Windows\SysWOW64\Fbdqmghm.exe Fpfdalii.exe File opened for modification C:\Windows\SysWOW64\Ajphib32.exe Afdlhchf.exe File opened for modification C:\Windows\SysWOW64\Cjpqdp32.exe Cfeddafl.exe File created C:\Windows\SysWOW64\Ckdjbh32.exe Claifkkf.exe File created C:\Windows\SysWOW64\Abmjii32.dll Okoomd32.exe File opened for modification C:\Windows\SysWOW64\Ondajnme.exe Okfencna.exe File created C:\Windows\SysWOW64\Ccfhhffh.exe Coklgg32.exe File created C:\Windows\SysWOW64\Kdanej32.dll Fhhcgj32.exe File created C:\Windows\SysWOW64\Cphlljge.exe Cllpkl32.exe File opened for modification C:\Windows\SysWOW64\Dgodbh32.exe Dhmcfkme.exe File opened for modification C:\Windows\SysWOW64\Fmcoja32.exe Fjdbnf32.exe File created C:\Windows\SysWOW64\Hlcgeo32.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hacmcfge.exe File created C:\Windows\SysWOW64\Pelipl32.exe Pbmmcq32.exe File created C:\Windows\SysWOW64\Higdqfol.dll Pabjem32.exe File opened for modification C:\Windows\SysWOW64\Qagcpljo.exe Qjmkcbcb.exe -
Program crash 1 IoCs
pid pid_target Process 4220 4176 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagpopmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Comimg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fglhobmg.dll" Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oojknblb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oomhcbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqamandk.dll" Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnhfjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" Hodpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afiecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll" Dkmmhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebinic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiellh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmdloao.dll" Pbiciana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlib32.dll" Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckignd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll" Eilpeooq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Penfelgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhahlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnippoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plcdgfbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afdlhchf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekholjqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhemi32.dll" Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbifehk.dll" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" Fphafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjaic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accikb32.dll" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfeoofge.dll" Emcbkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppoqge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmibdlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epieghdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhgoq32.dll" Nbfjdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odjpkihg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfflopdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeempocb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhfilfi.dll" Cjpqdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgmbg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2032 wrote to memory of 2088 2032 4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe 28 PID 2032 wrote to memory of 2088 2032 4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe 28 PID 2032 wrote to memory of 2088 2032 4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe 28 PID 2032 wrote to memory of 2088 2032 4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe 28 PID 2088 wrote to memory of 1756 2088 Ngkmnacm.exe 29 PID 2088 wrote to memory of 1756 2088 Ngkmnacm.exe 29 PID 2088 wrote to memory of 1756 2088 Ngkmnacm.exe 29 PID 2088 wrote to memory of 1756 2088 Ngkmnacm.exe 29 PID 1756 wrote to memory of 2712 1756 Njiijlbp.exe 30 PID 1756 wrote to memory of 2712 1756 Njiijlbp.exe 30 PID 1756 wrote to memory of 2712 1756 Njiijlbp.exe 30 PID 1756 wrote to memory of 2712 1756 Njiijlbp.exe 30 PID 2712 wrote to memory of 2620 2712 Nhlifi32.exe 31 PID 2712 wrote to memory of 2620 2712 Nhlifi32.exe 31 PID 2712 wrote to memory of 2620 2712 Nhlifi32.exe 31 PID 2712 wrote to memory of 2620 2712 Nhlifi32.exe 31 PID 2620 wrote to memory of 2596 2620 Nqcagfim.exe 32 PID 2620 wrote to memory of 2596 2620 Nqcagfim.exe 32 PID 2620 wrote to memory of 2596 2620 Nqcagfim.exe 32 PID 2620 wrote to memory of 2596 2620 Nqcagfim.exe 32 PID 2596 wrote to memory of 2508 2596 Nofabc32.exe 33 PID 2596 wrote to memory of 2508 2596 Nofabc32.exe 33 PID 2596 wrote to memory of 2508 2596 Nofabc32.exe 33 PID 2596 wrote to memory of 2508 2596 Nofabc32.exe 33 PID 2508 wrote to memory of 556 2508 Ncancbha.exe 34 PID 2508 wrote to memory of 556 2508 Ncancbha.exe 34 PID 2508 wrote to memory of 556 2508 Ncancbha.exe 34 PID 2508 wrote to memory of 556 2508 Ncancbha.exe 34 PID 556 wrote to memory of 2808 556 Nfpjomgd.exe 35 PID 556 wrote to memory of 2808 556 Nfpjomgd.exe 35 PID 556 wrote to memory of 2808 556 Nfpjomgd.exe 35 PID 556 wrote to memory of 2808 556 Nfpjomgd.exe 35 PID 2808 wrote to memory of 2964 2808 Nmjblg32.exe 36 PID 2808 wrote to memory of 2964 2808 Nmjblg32.exe 36 PID 2808 wrote to memory of 2964 2808 Nmjblg32.exe 36 PID 2808 wrote to memory of 2964 2808 Nmjblg32.exe 36 PID 2964 wrote to memory of 1952 2964 Nkmbgdfl.exe 37 PID 2964 wrote to memory of 1952 2964 Nkmbgdfl.exe 37 PID 2964 wrote to memory of 1952 2964 Nkmbgdfl.exe 37 PID 2964 wrote to memory of 1952 2964 Nkmbgdfl.exe 37 PID 1952 wrote to memory of 1644 1952 Nohnhc32.exe 38 PID 1952 wrote to memory of 1644 1952 Nohnhc32.exe 38 PID 1952 wrote to memory of 1644 1952 Nohnhc32.exe 38 PID 1952 wrote to memory of 1644 1952 Nohnhc32.exe 38 PID 1644 wrote to memory of 2448 1644 Nbfjdn32.exe 39 PID 1644 wrote to memory of 2448 1644 Nbfjdn32.exe 39 PID 1644 wrote to memory of 2448 1644 Nbfjdn32.exe 39 PID 1644 wrote to memory of 2448 1644 Nbfjdn32.exe 39 PID 2448 wrote to memory of 2348 2448 Ofbfdmeb.exe 40 PID 2448 wrote to memory of 2348 2448 Ofbfdmeb.exe 40 PID 2448 wrote to memory of 2348 2448 Ofbfdmeb.exe 40 PID 2448 wrote to memory of 2348 2448 Ofbfdmeb.exe 40 PID 2348 wrote to memory of 1420 2348 Omloag32.exe 41 PID 2348 wrote to memory of 1420 2348 Omloag32.exe 41 PID 2348 wrote to memory of 1420 2348 Omloag32.exe 41 PID 2348 wrote to memory of 1420 2348 Omloag32.exe 41 PID 1420 wrote to memory of 2904 1420 Okoomd32.exe 42 PID 1420 wrote to memory of 2904 1420 Okoomd32.exe 42 PID 1420 wrote to memory of 2904 1420 Okoomd32.exe 42 PID 1420 wrote to memory of 2904 1420 Okoomd32.exe 42 PID 2904 wrote to memory of 2020 2904 Oojknblb.exe 43 PID 2904 wrote to memory of 2020 2904 Oojknblb.exe 43 PID 2904 wrote to memory of 2020 2904 Oojknblb.exe 43 PID 2904 wrote to memory of 2020 2904 Oojknblb.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4969785a6b38a307f11cb29803f14d80_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe36⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe38⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe40⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe42⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe44⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe45⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe46⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe48⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe49⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe51⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe53⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe54⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe59⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe60⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe61⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe63⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe66⤵
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe68⤵PID:2708
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe69⤵PID:2676
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe71⤵PID:2396
-
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe72⤵PID:2060
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe73⤵PID:1932
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe74⤵PID:2356
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe76⤵PID:2828
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe77⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe78⤵PID:2144
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe80⤵PID:2080
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe81⤵PID:872
-
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe82⤵PID:2588
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe83⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe84⤵PID:2276
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:968 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe86⤵
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1252 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe88⤵PID:2160
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe89⤵PID:1056
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe90⤵
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe91⤵
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe93⤵PID:2440
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe94⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe95⤵PID:832
-
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe97⤵PID:1616
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe98⤵PID:1964
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe99⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe100⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe101⤵PID:1276
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe102⤵PID:868
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe103⤵PID:1748
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe104⤵PID:2764
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe105⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:900 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe108⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe109⤵PID:2172
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe111⤵PID:2092
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe112⤵PID:2724
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe113⤵PID:1884
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe114⤵
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe115⤵PID:592
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe116⤵PID:2852
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe117⤵PID:2304
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe118⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe119⤵PID:1784
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe121⤵PID:2916
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-