Analysis
-
max time kernel
139s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 15:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe
-
Size
80KB
-
MD5
ccefdeb65c80e20fe4455f335e1f7580
-
SHA1
2ea1f2b2ad8c03d87bd9b1755219b11faf2871fd
-
SHA256
3759ccfebcfb31a613553ec954f4c3372a7875e75f7d528196cfccdb868038d8
-
SHA512
b1734f131d4a268a3084b79f025dbdd636171834d3b86c9c85063acdfe7f14abb6e5f1880a7a7355a07e5595c417b0bacd24f566ad248cf34bd70a2997792482
-
SSDEEP
1536:kGqk8jU33zVcCQK6Zk7iV3SN+zL20gJi1i9:cq3UKBiVigzL20WKS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blpechop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dadlclim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdbiedpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bockjc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikopmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajneip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhfnccl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgekbljc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgkjhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clnadfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdimopp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eckonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfabnjjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfbkeh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibeql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldoaklml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lebkhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bekfan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqhbmqqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmaioo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffdpghg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpidngil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcgffqei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eodlho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odnnnnfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doeiljfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faihkbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faihkbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpladg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Debeijoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgdpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chokikeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmabdibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojllan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpnph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogdgencl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efikji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kacphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfknkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqpego32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocegdjij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmjdjgjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjinkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlpllkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnhmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpolqa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenahpha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnpgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphifcoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmdqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmpje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njogjfoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqaeco32.exe -
Executes dropped EXE 64 IoCs
pid Process 3428 Nqifafjb.exe 2668 Ngcnnq32.exe 2352 Nojfon32.exe 2640 Nnmfkkhl.exe 4812 Nqlbgfhp.exe 4296 Ndgoge32.exe 824 Ngfkcp32.exe 956 Nkagdoge.exe 3512 Nnpcpjfi.exe 2676 Nbkoai32.exe 3832 Nejkmdnf.exe 2880 Nkccjo32.exe 4072 Nbnlfimp.exe 3548 Nelhbdlc.exe 1312 Nigdcc32.exe 2936 Noalpmli.exe 3328 Oacige32.exe 212 Oijqibbj.exe 4720 Okhmenan.exe 3960 Oodiem32.exe 3520 Obbeah32.exe 3784 Oilmnbpg.exe 3468 Ogonjo32.exe 4580 Okkjjnok.exe 1088 Oniffino.exe 5064 Oagbbdnb.exe 2912 Ogajooeo.exe 3748 Ophbqlea.exe 4352 Obgomgee.exe 4108 Oeekicdi.exe 3696 Ogdgencl.exe 3900 Olocem32.exe 1864 Oalknd32.exe 2024 Oehgnbbf.exe 1404 Oiccoa32.exe 4972 Ogfcjnaj.exe 2400 Opmllk32.exe 1192 Pblhhg32.exe 1940 Paohccgj.exe 2132 Piepdahl.exe 1172 Pldlqlgp.exe 2404 Pnbimhfd.exe 3320 Paaeiceg.exe 888 Pihmjqfj.exe 3156 Plfiflen.exe 4808 Pneebg32.exe 1656 Pbpacfmj.exe 3264 Peonoaln.exe 2832 Phmjkmka.exe 3216 Plifll32.exe 4488 Pngbhg32.exe 2144 Pbbnhfjh.exe 1724 Peajdajk.exe 3908 Pimfep32.exe 2036 Plkbak32.exe 5036 Ppgobjia.exe 4712 Pbekne32.exe 1808 Pecgja32.exe 4036 Piockppb.exe 2160 Plmogkoe.exe 3048 Qnlkcfni.exe 4304 Qbggce32.exe 4528 Qefdpq32.exe 4376 Qiappono.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dldpkoil.exe Daolnf32.exe File created C:\Windows\SysWOW64\Cdahgfpd.dll Cpgqpe32.exe File created C:\Windows\SysWOW64\Fbnhphbp.exe Fckhdk32.exe File opened for modification C:\Windows\SysWOW64\Jpgdbg32.exe Iinlemia.exe File created C:\Windows\SysWOW64\Jjqehkaf.dll Dhkapp32.exe File opened for modification C:\Windows\SysWOW64\Elbmlmml.exe Ehgqln32.exe File opened for modification C:\Windows\SysWOW64\Pmdkch32.exe Pjeoglgc.exe File created C:\Windows\SysWOW64\Dgbdlf32.exe Deagdn32.exe File created C:\Windows\SysWOW64\Dohheo32.dll Pbpacfmj.exe File created C:\Windows\SysWOW64\Gmmocpjk.exe Giacca32.exe File created C:\Windows\SysWOW64\Lgmliida.dll Pjdilcla.exe File opened for modification C:\Windows\SysWOW64\Aafgkpcp.exe Abcgoc32.exe File opened for modification C:\Windows\SysWOW64\Anfmjhmd.exe Afoeiklb.exe File created C:\Windows\SysWOW64\Ecbenm32.exe Eofinnkf.exe File opened for modification C:\Windows\SysWOW64\Fbpnkama.exe Fdlnbm32.exe File created C:\Windows\SysWOW64\Jmpgldhg.exe Jcgbco32.exe File created C:\Windows\SysWOW64\Paadnmaq.dll Nqklmpdd.exe File created C:\Windows\SysWOW64\Elhcgeja.dll Gcimkc32.exe File created C:\Windows\SysWOW64\Icgjmapi.exe Immapg32.exe File opened for modification C:\Windows\SysWOW64\Lebkhc32.exe Lpebpm32.exe File created C:\Windows\SysWOW64\Plcojh32.dll Obgomgee.exe File created C:\Windows\SysWOW64\Ppgobjia.exe Plkbak32.exe File created C:\Windows\SysWOW64\Caimgncj.exe Ccfmla32.exe File opened for modification C:\Windows\SysWOW64\Hmdedo32.exe Hihicplj.exe File opened for modification C:\Windows\SysWOW64\Fkmchi32.exe Eepjpb32.exe File opened for modification C:\Windows\SysWOW64\Bfhhoi32.exe Bcjlcn32.exe File opened for modification C:\Windows\SysWOW64\Cdfkolkf.exe Cagobalc.exe File created C:\Windows\SysWOW64\Hcnnaikp.exe Hpbaqj32.exe File created C:\Windows\SysWOW64\Fhglla32.dll Ecjhcg32.exe File created C:\Windows\SysWOW64\Kgldjcmk.dll Qmkadgpo.exe File created C:\Windows\SysWOW64\Pgopffec.exe Pnfkma32.exe File created C:\Windows\SysWOW64\Pjkolmml.dll Fakdpb32.exe File created C:\Windows\SysWOW64\Peonoaln.exe Pbpacfmj.exe File created C:\Windows\SysWOW64\Ejgdpg32.exe Eflhoigi.exe File created C:\Windows\SysWOW64\Fqmlhpla.exe Fifdgblo.exe File created C:\Windows\SysWOW64\Coojfa32.exe Clqnjf32.exe File created C:\Windows\SysWOW64\Lghekack.dll Fobiilai.exe File created C:\Windows\SysWOW64\Ojdamdma.dll Cklaknjd.exe File opened for modification C:\Windows\SysWOW64\Ahblmjhj.exe Apggihko.exe File created C:\Windows\SysWOW64\Gmagda32.dll Blpechop.exe File created C:\Windows\SysWOW64\Bjagjhnc.exe Bgcknmop.exe File opened for modification C:\Windows\SysWOW64\Hkkhqd32.exe Hfnphn32.exe File created C:\Windows\SysWOW64\Aaoaja32.exe Ablaodbm.exe File created C:\Windows\SysWOW64\Pbkamqmd.exe Pjdilcla.exe File created C:\Windows\SysWOW64\Edpnfo32.exe Eabbjc32.exe File created C:\Windows\SysWOW64\Naekcf32.dll Olkhmi32.exe File created C:\Windows\SysWOW64\Ndclfb32.dll Laopdgcg.exe File opened for modification C:\Windows\SysWOW64\Ahoimd32.exe Abbpem32.exe File opened for modification C:\Windows\SysWOW64\Hmabdibj.exe Gdjjckag.exe File opened for modification C:\Windows\SysWOW64\Fmmfmbhn.exe Ecdbdl32.exe File created C:\Windows\SysWOW64\Maaepd32.exe Mpaifalo.exe File created C:\Windows\SysWOW64\Oqkdcn32.exe Ogcpjhoq.exe File created C:\Windows\SysWOW64\Iehfdi32.exe Icgjmapi.exe File created C:\Windows\SysWOW64\Iphcjp32.dll Bjagjhnc.exe File opened for modification C:\Windows\SysWOW64\Nelhbdlc.exe Nbnlfimp.exe File created C:\Windows\SysWOW64\Oilmnbpg.exe Obbeah32.exe File opened for modification C:\Windows\SysWOW64\Phmjkmka.exe Peonoaln.exe File created C:\Windows\SysWOW64\Cajlhqjp.exe Cmnpgb32.exe File created C:\Windows\SysWOW64\Eimmfkfe.dll Qcepkg32.exe File opened for modification C:\Windows\SysWOW64\Bahmfj32.exe Ajneip32.exe File created C:\Windows\SysWOW64\Phmjkmka.exe Peonoaln.exe File created C:\Windows\SysWOW64\Djdmffnn.exe Dhfajjoj.exe File created C:\Windows\SysWOW64\Bpidngil.exe Ahblmjhj.exe File opened for modification C:\Windows\SysWOW64\Mdehlk32.exe Mipcob32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15036 14888 WerFault.exe 779 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfjabqq.dll" Bpnnig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okjbpglo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocegdjij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdlnbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcjlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peonoaln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpladg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkceffcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll" Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaoaja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blpechop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbopfj32.dll" Djnaji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqdoboli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doqpak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll" Ojllan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plfiflen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dchbhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eodlho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijjgi32.dll" Ndgoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cipehkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cekohk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iehfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll" Cmnpgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmmocpjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapolp32.dll" Dccbbhld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iemppiab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chcddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhfajjoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehjdldfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll" Gbcakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" Nkncdifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbkamqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icifbang.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmfhig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldlqlgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" Nafokcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegjejoc.dll" Dldpkoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlmbpgdl.dll" Eekaebcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbeqmoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cipnfjmn.dll" Oehgnbbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" Nbhkac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okjbpglo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbbbabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll" Lebkhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Cmiflbel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmocba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nigdcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogajooeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbefaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pniggbmk.dll" Ekacmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfjbmk32.dll" Qhdpll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehhgfdho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll" Jmpgldhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndcdmikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfjmgbb.dll" Opmllk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jidbflcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkpnlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnlpnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igoedk32.dll" Ekcpbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogonjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiccoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcojmgm.dll" Aldegj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1812 wrote to memory of 3428 1812 ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe 82 PID 1812 wrote to memory of 3428 1812 ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe 82 PID 1812 wrote to memory of 3428 1812 ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe 82 PID 3428 wrote to memory of 2668 3428 Nqifafjb.exe 83 PID 3428 wrote to memory of 2668 3428 Nqifafjb.exe 83 PID 3428 wrote to memory of 2668 3428 Nqifafjb.exe 83 PID 2668 wrote to memory of 2352 2668 Ngcnnq32.exe 84 PID 2668 wrote to memory of 2352 2668 Ngcnnq32.exe 84 PID 2668 wrote to memory of 2352 2668 Ngcnnq32.exe 84 PID 2352 wrote to memory of 2640 2352 Nojfon32.exe 85 PID 2352 wrote to memory of 2640 2352 Nojfon32.exe 85 PID 2352 wrote to memory of 2640 2352 Nojfon32.exe 85 PID 2640 wrote to memory of 4812 2640 Nnmfkkhl.exe 86 PID 2640 wrote to memory of 4812 2640 Nnmfkkhl.exe 86 PID 2640 wrote to memory of 4812 2640 Nnmfkkhl.exe 86 PID 4812 wrote to memory of 4296 4812 Nqlbgfhp.exe 87 PID 4812 wrote to memory of 4296 4812 Nqlbgfhp.exe 87 PID 4812 wrote to memory of 4296 4812 Nqlbgfhp.exe 87 PID 4296 wrote to memory of 824 4296 Ndgoge32.exe 88 PID 4296 wrote to memory of 824 4296 Ndgoge32.exe 88 PID 4296 wrote to memory of 824 4296 Ndgoge32.exe 88 PID 824 wrote to memory of 956 824 Ngfkcp32.exe 89 PID 824 wrote to memory of 956 824 Ngfkcp32.exe 89 PID 824 wrote to memory of 956 824 Ngfkcp32.exe 89 PID 956 wrote to memory of 3512 956 Nkagdoge.exe 90 PID 956 wrote to memory of 3512 956 Nkagdoge.exe 90 PID 956 wrote to memory of 3512 956 Nkagdoge.exe 90 PID 3512 wrote to memory of 2676 3512 Nnpcpjfi.exe 91 PID 3512 wrote to memory of 2676 3512 Nnpcpjfi.exe 91 PID 3512 wrote to memory of 2676 3512 Nnpcpjfi.exe 91 PID 2676 wrote to memory of 3832 2676 Nbkoai32.exe 92 PID 2676 wrote to memory of 3832 2676 Nbkoai32.exe 92 PID 2676 wrote to memory of 3832 2676 Nbkoai32.exe 92 PID 3832 wrote to memory of 2880 3832 Nejkmdnf.exe 94 PID 3832 wrote to memory of 2880 3832 Nejkmdnf.exe 94 PID 3832 wrote to memory of 2880 3832 Nejkmdnf.exe 94 PID 2880 wrote to memory of 4072 2880 Nkccjo32.exe 95 PID 2880 wrote to memory of 4072 2880 Nkccjo32.exe 95 PID 2880 wrote to memory of 4072 2880 Nkccjo32.exe 95 PID 4072 wrote to memory of 3548 4072 Nbnlfimp.exe 96 PID 4072 wrote to memory of 3548 4072 Nbnlfimp.exe 96 PID 4072 wrote to memory of 3548 4072 Nbnlfimp.exe 96 PID 3548 wrote to memory of 1312 3548 Nelhbdlc.exe 97 PID 3548 wrote to memory of 1312 3548 Nelhbdlc.exe 97 PID 3548 wrote to memory of 1312 3548 Nelhbdlc.exe 97 PID 1312 wrote to memory of 2936 1312 Nigdcc32.exe 99 PID 1312 wrote to memory of 2936 1312 Nigdcc32.exe 99 PID 1312 wrote to memory of 2936 1312 Nigdcc32.exe 99 PID 2936 wrote to memory of 3328 2936 Noalpmli.exe 100 PID 2936 wrote to memory of 3328 2936 Noalpmli.exe 100 PID 2936 wrote to memory of 3328 2936 Noalpmli.exe 100 PID 3328 wrote to memory of 212 3328 Oacige32.exe 101 PID 3328 wrote to memory of 212 3328 Oacige32.exe 101 PID 3328 wrote to memory of 212 3328 Oacige32.exe 101 PID 212 wrote to memory of 4720 212 Oijqibbj.exe 102 PID 212 wrote to memory of 4720 212 Oijqibbj.exe 102 PID 212 wrote to memory of 4720 212 Oijqibbj.exe 102 PID 4720 wrote to memory of 3960 4720 Okhmenan.exe 103 PID 4720 wrote to memory of 3960 4720 Okhmenan.exe 103 PID 4720 wrote to memory of 3960 4720 Okhmenan.exe 103 PID 3960 wrote to memory of 3520 3960 Oodiem32.exe 104 PID 3960 wrote to memory of 3520 3960 Oodiem32.exe 104 PID 3960 wrote to memory of 3520 3960 Oodiem32.exe 104 PID 3520 wrote to memory of 3784 3520 Obbeah32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ccefdeb65c80e20fe4455f335e1f7580_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Nqifafjb.exeC:\Windows\system32\Nqifafjb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Ngcnnq32.exeC:\Windows\system32\Ngcnnq32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Nojfon32.exeC:\Windows\system32\Nojfon32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Nnmfkkhl.exeC:\Windows\system32\Nnmfkkhl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Nqlbgfhp.exeC:\Windows\system32\Nqlbgfhp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Ndgoge32.exeC:\Windows\system32\Ndgoge32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Ngfkcp32.exeC:\Windows\system32\Ngfkcp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Nkagdoge.exeC:\Windows\system32\Nkagdoge.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Nnpcpjfi.exeC:\Windows\system32\Nnpcpjfi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Nbkoai32.exeC:\Windows\system32\Nbkoai32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Nejkmdnf.exeC:\Windows\system32\Nejkmdnf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Nkccjo32.exeC:\Windows\system32\Nkccjo32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Nbnlfimp.exeC:\Windows\system32\Nbnlfimp.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Nelhbdlc.exeC:\Windows\system32\Nelhbdlc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\SysWOW64\Nigdcc32.exeC:\Windows\system32\Nigdcc32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Noalpmli.exeC:\Windows\system32\Noalpmli.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Oacige32.exeC:\Windows\system32\Oacige32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Oijqibbj.exeC:\Windows\system32\Oijqibbj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Okhmenan.exeC:\Windows\system32\Okhmenan.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Oodiem32.exeC:\Windows\system32\Oodiem32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Obbeah32.exeC:\Windows\system32\Obbeah32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Oilmnbpg.exeC:\Windows\system32\Oilmnbpg.exe23⤵
- Executes dropped EXE
PID:3784 -
C:\Windows\SysWOW64\Ogonjo32.exeC:\Windows\system32\Ogonjo32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3468 -
C:\Windows\SysWOW64\Okkjjnok.exeC:\Windows\system32\Okkjjnok.exe25⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Oniffino.exeC:\Windows\system32\Oniffino.exe26⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Oagbbdnb.exeC:\Windows\system32\Oagbbdnb.exe27⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Ogajooeo.exeC:\Windows\system32\Ogajooeo.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Ophbqlea.exeC:\Windows\system32\Ophbqlea.exe29⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Obgomgee.exeC:\Windows\system32\Obgomgee.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4352 -
C:\Windows\SysWOW64\Oeekicdi.exeC:\Windows\system32\Oeekicdi.exe31⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Ogdgencl.exeC:\Windows\system32\Ogdgencl.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Olocem32.exeC:\Windows\system32\Olocem32.exe33⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Oalknd32.exeC:\Windows\system32\Oalknd32.exe34⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Oehgnbbf.exeC:\Windows\system32\Oehgnbbf.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Oiccoa32.exeC:\Windows\system32\Oiccoa32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Ogfcjnaj.exeC:\Windows\system32\Ogfcjnaj.exe37⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Opmllk32.exeC:\Windows\system32\Opmllk32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Pblhhg32.exeC:\Windows\system32\Pblhhg32.exe39⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Paohccgj.exeC:\Windows\system32\Paohccgj.exe40⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Piepdahl.exeC:\Windows\system32\Piepdahl.exe41⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Pldlqlgp.exeC:\Windows\system32\Pldlqlgp.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Pnbimhfd.exeC:\Windows\system32\Pnbimhfd.exe43⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Paaeiceg.exeC:\Windows\system32\Paaeiceg.exe44⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Pihmjqfj.exeC:\Windows\system32\Pihmjqfj.exe45⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Plfiflen.exeC:\Windows\system32\Plfiflen.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3156 -
C:\Windows\SysWOW64\Pneebg32.exeC:\Windows\system32\Pneebg32.exe47⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Pbpacfmj.exeC:\Windows\system32\Pbpacfmj.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Peonoaln.exeC:\Windows\system32\Peonoaln.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3264 -
C:\Windows\SysWOW64\Phmjkmka.exeC:\Windows\system32\Phmjkmka.exe50⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Plifll32.exeC:\Windows\system32\Plifll32.exe51⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Pngbhg32.exeC:\Windows\system32\Pngbhg32.exe52⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Pbbnhfjh.exeC:\Windows\system32\Pbbnhfjh.exe53⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Peajdajk.exeC:\Windows\system32\Peajdajk.exe54⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Pimfep32.exeC:\Windows\system32\Pimfep32.exe55⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Plkbak32.exeC:\Windows\system32\Plkbak32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Ppgobjia.exeC:\Windows\system32\Ppgobjia.exe57⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Pbekne32.exeC:\Windows\system32\Pbekne32.exe58⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Pecgja32.exeC:\Windows\system32\Pecgja32.exe59⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Piockppb.exeC:\Windows\system32\Piockppb.exe60⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Plmogkoe.exeC:\Windows\system32\Plmogkoe.exe61⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Qnlkcfni.exeC:\Windows\system32\Qnlkcfni.exe62⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Qbggce32.exeC:\Windows\system32\Qbggce32.exe63⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Qefdpq32.exeC:\Windows\system32\Qefdpq32.exe64⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Qiappono.exeC:\Windows\system32\Qiappono.exe65⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Qhdpll32.exeC:\Windows\system32\Qhdpll32.exe66⤵
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Qlpllkmc.exeC:\Windows\system32\Qlpllkmc.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Qnnhhflf.exeC:\Windows\system32\Qnnhhflf.exe68⤵PID:3208
-
C:\Windows\SysWOW64\Qamdda32.exeC:\Windows\system32\Qamdda32.exe69⤵PID:2512
-
C:\Windows\SysWOW64\Qiclfo32.exeC:\Windows\system32\Qiclfo32.exe70⤵PID:1516
-
C:\Windows\SysWOW64\Qhfmalbg.exeC:\Windows\system32\Qhfmalbg.exe71⤵PID:4560
-
C:\Windows\SysWOW64\Albibj32.exeC:\Windows\system32\Albibj32.exe72⤵PID:2272
-
C:\Windows\SysWOW64\Aoqenf32.exeC:\Windows\system32\Aoqenf32.exe73⤵PID:3096
-
C:\Windows\SysWOW64\Ablaodbm.exeC:\Windows\system32\Ablaodbm.exe74⤵
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Aaoaja32.exeC:\Windows\system32\Aaoaja32.exe75⤵
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Aifiko32.exeC:\Windows\system32\Aifiko32.exe76⤵PID:828
-
C:\Windows\SysWOW64\Ahiigkqd.exeC:\Windows\system32\Ahiigkqd.exe77⤵PID:2384
-
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe78⤵
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Appahiag.exeC:\Windows\system32\Appahiag.exe79⤵PID:1028
-
C:\Windows\SysWOW64\Aocace32.exeC:\Windows\system32\Aocace32.exe80⤵PID:968
-
C:\Windows\SysWOW64\Aaanpa32.exeC:\Windows\system32\Aaanpa32.exe81⤵PID:1160
-
C:\Windows\SysWOW64\Aemjpp32.exeC:\Windows\system32\Aemjpp32.exe82⤵PID:2516
-
C:\Windows\SysWOW64\Ahkflk32.exeC:\Windows\system32\Ahkflk32.exe83⤵PID:3752
-
C:\Windows\SysWOW64\Algbmjgk.exeC:\Windows\system32\Algbmjgk.exe84⤵PID:3036
-
C:\Windows\SysWOW64\Apbnnh32.exeC:\Windows\system32\Apbnnh32.exe85⤵PID:4484
-
C:\Windows\SysWOW64\Aoeniefo.exeC:\Windows\system32\Aoeniefo.exe86⤵PID:4684
-
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe87⤵PID:3360
-
C:\Windows\SysWOW64\Aeoffo32.exeC:\Windows\system32\Aeoffo32.exe88⤵PID:3600
-
C:\Windows\SysWOW64\Aikbfnfd.exeC:\Windows\system32\Aikbfnfd.exe89⤵PID:4004
-
C:\Windows\SysWOW64\Ahncbk32.exeC:\Windows\system32\Ahncbk32.exe90⤵PID:1836
-
C:\Windows\SysWOW64\Apekch32.exeC:\Windows\system32\Apekch32.exe91⤵PID:2092
-
C:\Windows\SysWOW64\Aogkoedl.exeC:\Windows\system32\Aogkoedl.exe92⤵PID:5164
-
C:\Windows\SysWOW64\Abcgoc32.exeC:\Windows\system32\Abcgoc32.exe93⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Aafgkpcp.exeC:\Windows\system32\Aafgkpcp.exe94⤵PID:5252
-
C:\Windows\SysWOW64\Aimoln32.exeC:\Windows\system32\Aimoln32.exe95⤵PID:5296
-
C:\Windows\SysWOW64\Ahppgjjl.exeC:\Windows\system32\Ahppgjjl.exe96⤵PID:5336
-
C:\Windows\SysWOW64\Apggihko.exeC:\Windows\system32\Apggihko.exe97⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Ahblmjhj.exeC:\Windows\system32\Ahblmjhj.exe98⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Bpidngil.exeC:\Windows\system32\Bpidngil.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5488 -
C:\Windows\SysWOW64\Boldjd32.exeC:\Windows\system32\Boldjd32.exe100⤵PID:5528
-
C:\Windows\SysWOW64\Bakqfp32.exeC:\Windows\system32\Bakqfp32.exe101⤵PID:5572
-
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe102⤵PID:5616
-
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe103⤵PID:5660
-
C:\Windows\SysWOW64\Blpechop.exeC:\Windows\system32\Blpechop.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5704 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5748 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe106⤵PID:5796
-
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe107⤵PID:5840
-
C:\Windows\SysWOW64\Behiln32.exeC:\Windows\system32\Behiln32.exe108⤵PID:5884
-
C:\Windows\SysWOW64\Bidemmnj.exeC:\Windows\system32\Bidemmnj.exe109⤵PID:5928
-
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe110⤵PID:5972
-
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe111⤵
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Boanecla.exeC:\Windows\system32\Boanecla.exe112⤵PID:6060
-
C:\Windows\SysWOW64\Bbljeb32.exeC:\Windows\system32\Bbljeb32.exe113⤵PID:6100
-
C:\Windows\SysWOW64\Bekfan32.exeC:\Windows\system32\Bekfan32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe115⤵PID:5200
-
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe116⤵PID:5260
-
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5332 -
C:\Windows\SysWOW64\Bbofkbbh.exeC:\Windows\system32\Bbofkbbh.exe118⤵PID:5404
-
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe119⤵PID:5456
-
C:\Windows\SysWOW64\Biiohl32.exeC:\Windows\system32\Biiohl32.exe120⤵PID:5516
-
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe121⤵PID:5480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-