Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 23:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe
-
Size
398KB
-
MD5
515b238fbf4c73d8f9b465b2fb2993b0
-
SHA1
2bf5d411d8c4b452408cefb3210035829f317cb1
-
SHA256
493908f01570858090e836310ad185d10e95d8030cf429cec38b25878efdab26
-
SHA512
d527bf5362ee28d7b0b269224afa5f742388eec5f32d6def12ef48cd1bc1c1a45d85858dfa9fe660dd2d14533f00455e7b2a0781e83d8a8deec01b75ebf083bf
-
SSDEEP
12288:qdOR8G6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:vuG6t3XGpvr4B9f01ZmQvrimipWf0Aq
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glaoalkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmjak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkjcplpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjifhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjblg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apomfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbllihbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblhgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhlifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cphlljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idnaoohk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokcgmee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbfhfaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmicm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iipgcaob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabbhcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pklhlael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmneda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmefooki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nekbmgcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenobfak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgmkmecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egllae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdbkjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimccpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajcde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbalifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oomhcbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpfhcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbeqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnaocmmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnnooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imfqjbli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbllihbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpnojioo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhiffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffhpbacb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipgbjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liplnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fckjalhj.exe -
Executes dropped EXE 64 IoCs
pid Process 2464 Ndgggf32.exe 2568 Nnplpl32.exe 1444 Ndjdlffl.exe 2812 Ndjdlffl.exe 2484 Nqqdag32.exe 2444 Ngkmnacm.exe 2124 Nhlifi32.exe 2632 Nmjblg32.exe 348 Nohnhc32.exe 2084 Nccjhafn.exe 1844 Ohqbqhde.exe 1020 Okoomd32.exe 1212 Oicpfh32.exe 2804 Oomhcbjp.exe 2204 Obkdonic.exe 324 Okchhc32.exe 1408 Obnqem32.exe 572 Ocomlemo.exe 2172 Ojieip32.exe 2244 Omgaek32.exe 684 Oenifh32.exe 1292 Ojkboo32.exe 1568 Paejki32.exe 1048 Pccfge32.exe 1752 Pfbccp32.exe 3068 Paggai32.exe 2520 Pbiciana.exe 2192 Pjpkjond.exe 2524 Piblek32.exe 2116 Pbkpna32.exe 2396 Peiljl32.exe 2580 Plcdgfbo.exe 2772 Ppoqge32.exe 1240 Pelipl32.exe 2292 Pndniaop.exe 764 Penfelgm.exe 1552 Qbbfopeg.exe 1320 Qeqbkkej.exe 1192 Qhooggdn.exe 724 Qnigda32.exe 1460 Qecoqk32.exe 3044 Ahakmf32.exe 1512 Afdlhchf.exe 2856 Ajphib32.exe 1896 Amndem32.exe 2976 Aplpai32.exe 2820 Ahchbf32.exe 1528 Affhncfc.exe 2380 Aiedjneg.exe 2508 Aalmklfi.exe 2608 Apomfh32.exe 2424 Abmibdlh.exe 2324 Afiecb32.exe 2036 Ajdadamj.exe 2280 Alenki32.exe 2260 Apajlhka.exe 2912 Abpfhcje.exe 2400 Aenbdoii.exe 2780 Aiinen32.exe 2716 Apcfahio.exe 2348 Abbbnchb.exe 3024 Afmonbqk.exe 344 Aepojo32.exe 1228 Ahokfj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2088 515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe 2088 515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe 2464 Ndgggf32.exe 2464 Ndgggf32.exe 2568 Nnplpl32.exe 2568 Nnplpl32.exe 1444 Ndjdlffl.exe 1444 Ndjdlffl.exe 2812 Ndjdlffl.exe 2812 Ndjdlffl.exe 2484 Nqqdag32.exe 2484 Nqqdag32.exe 2444 Ngkmnacm.exe 2444 Ngkmnacm.exe 2124 Nhlifi32.exe 2124 Nhlifi32.exe 2632 Nmjblg32.exe 2632 Nmjblg32.exe 348 Nohnhc32.exe 348 Nohnhc32.exe 2084 Nccjhafn.exe 2084 Nccjhafn.exe 1844 Ohqbqhde.exe 1844 Ohqbqhde.exe 1020 Okoomd32.exe 1020 Okoomd32.exe 1212 Oicpfh32.exe 1212 Oicpfh32.exe 2804 Oomhcbjp.exe 2804 Oomhcbjp.exe 2204 Obkdonic.exe 2204 Obkdonic.exe 324 Okchhc32.exe 324 Okchhc32.exe 1408 Obnqem32.exe 1408 Obnqem32.exe 572 Ocomlemo.exe 572 Ocomlemo.exe 2172 Ojieip32.exe 2172 Ojieip32.exe 2244 Omgaek32.exe 2244 Omgaek32.exe 684 Oenifh32.exe 684 Oenifh32.exe 1292 Ojkboo32.exe 1292 Ojkboo32.exe 1568 Paejki32.exe 1568 Paejki32.exe 1048 Pccfge32.exe 1048 Pccfge32.exe 1752 Pfbccp32.exe 1752 Pfbccp32.exe 3068 Paggai32.exe 3068 Paggai32.exe 2520 Pbiciana.exe 2520 Pbiciana.exe 2192 Pjpkjond.exe 2192 Pjpkjond.exe 2524 Piblek32.exe 2524 Piblek32.exe 2116 Pbkpna32.exe 2116 Pbkpna32.exe 2396 Peiljl32.exe 2396 Peiljl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Goddhg32.exe Gkihhhnm.exe File created C:\Windows\SysWOW64\Kfimidmd.dll Kfgdhjmk.exe File opened for modification C:\Windows\SysWOW64\Pklhlael.exe Pgplkb32.exe File opened for modification C:\Windows\SysWOW64\Fekpnn32.exe Ffhpbacb.exe File created C:\Windows\SysWOW64\Eajaoq32.exe Enkece32.exe File opened for modification C:\Windows\SysWOW64\Dcknbh32.exe Dqlafm32.exe File created C:\Windows\SysWOW64\Ihgainbg.exe Ijdqna32.exe File created C:\Windows\SysWOW64\Dmljjm32.dll Ccfhhffh.exe File created C:\Windows\SysWOW64\Aefbii32.dll Lkncmmle.exe File created C:\Windows\SysWOW64\Mlibjc32.exe Mmfbogcn.exe File created C:\Windows\SysWOW64\Pqkmjh32.exe Pbhmnkjf.exe File created C:\Windows\SysWOW64\Phmkjbfe.dll Nmbknddp.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dgfjbgmh.exe File created C:\Windows\SysWOW64\Idfbkq32.exe Ifcbodli.exe File opened for modification C:\Windows\SysWOW64\Mmceigep.exe Mihiih32.exe File created C:\Windows\SysWOW64\Khdlmj32.dll Ilcmjl32.exe File opened for modification C:\Windows\SysWOW64\Llcefjgf.exe Lghjel32.exe File opened for modification C:\Windows\SysWOW64\Amndem32.exe Ajphib32.exe File opened for modification C:\Windows\SysWOW64\Aoepcn32.exe Afohaa32.exe File created C:\Windows\SysWOW64\Pbefefec.dll Kilfcpqm.exe File created C:\Windows\SysWOW64\Cjndop32.exe Cgpgce32.exe File created C:\Windows\SysWOW64\Ogjbla32.dll Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Fpdhklkl.exe Faagpp32.exe File created C:\Windows\SysWOW64\Jjpdcc32.dll Joplbl32.exe File created C:\Windows\SysWOW64\Khcmap32.dll Lliflp32.exe File created C:\Windows\SysWOW64\Bbnhbg32.dll Nejiih32.exe File created C:\Windows\SysWOW64\Ebpopmpp.dll Fnkjhb32.exe File created C:\Windows\SysWOW64\Apomfh32.exe Aalmklfi.exe File created C:\Windows\SysWOW64\Cohigamf.exe Cklmgb32.exe File created C:\Windows\SysWOW64\Bdlblj32.exe Bpafkknm.exe File created C:\Windows\SysWOW64\Dgaqgh32.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Jnmgmhmc.dll Fmjejphb.exe File created C:\Windows\SysWOW64\Iipgcaob.exe Icfofg32.exe File created C:\Windows\SysWOW64\Lcfqkl32.exe Lpjdjmfp.exe File opened for modification C:\Windows\SysWOW64\Qhooggdn.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Hcnpbi32.exe Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Ncjqhmkm.exe Nondgn32.exe File created C:\Windows\SysWOW64\Fddcahee.dll Ogblbo32.exe File created C:\Windows\SysWOW64\Faigdn32.exe Fnkjhb32.exe File created C:\Windows\SysWOW64\Cnjgia32.dll Nlekia32.exe File created C:\Windows\SysWOW64\Chcqpmep.exe Cjpqdp32.exe File created C:\Windows\SysWOW64\Lfmnmlid.dll Cgcmlcja.exe File opened for modification C:\Windows\SysWOW64\Dolnad32.exe Dkqbaecc.exe File created C:\Windows\SysWOW64\Hanlnp32.exe Hmbpmapf.exe File created C:\Windows\SysWOW64\Hacmcfge.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Emieil32.exe Enfenplo.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Heglio32.exe File opened for modification C:\Windows\SysWOW64\Iimjmbae.exe Igonafba.exe File opened for modification C:\Windows\SysWOW64\Meijhc32.exe Mffimglk.exe File created C:\Windows\SysWOW64\Coelaaoi.exe Ckjpacfp.exe File created C:\Windows\SysWOW64\Jgnamk32.exe Jofiln32.exe File created C:\Windows\SysWOW64\Haloha32.dll Bifgdk32.exe File created C:\Windows\SysWOW64\Iimjmbae.exe Igonafba.exe File opened for modification C:\Windows\SysWOW64\Fckjalhj.exe Ealnephf.exe File created C:\Windows\SysWOW64\Kcaipkch.dll Ggpimica.exe File created C:\Windows\SysWOW64\Kafbec32.exe Kmjfdejp.exe File opened for modification C:\Windows\SysWOW64\Oklkmnbp.exe Ngpolo32.exe File created C:\Windows\SysWOW64\Oimpgolj.dll Pnajilng.exe File opened for modification C:\Windows\SysWOW64\Ahdaee32.exe Afcenm32.exe File created C:\Windows\SysWOW64\Mfcngp32.dll 515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Jfojbj32.dll Igkdgk32.exe File created C:\Windows\SysWOW64\Mdnfbe32.dll Kcbakpdo.exe File opened for modification C:\Windows\SysWOW64\Llfifq32.exe Lmcijcbe.exe File created C:\Windows\SysWOW64\Ckchjmoo.dll Lpbefoai.exe -
Program crash 1 IoCs
pid pid_target Process 6904 8676 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhfdohg.dll" Fcjcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogbjdmj.dll" Ikhjki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkdmcdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npdjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbokmqie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dliijipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leajegob.dll" Bopicc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll" Ekholjqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgmpikn.dll" Hkaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbknfbl.dll" Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppddhlj.dll" Nmnace32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnojdcfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Joifam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ileiplhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgfqaiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll" Kgcpjmcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kicmdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcfhi32.dll" Libicbma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plcdgfbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpmapm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikhjki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll" Naimccpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikjha32.dll" Anafhopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgkkpon.dll" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jfnnha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll" Ndjfeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nccjhafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll" Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damgbk32.dll" Ndjdlffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Comimg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jehkodcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Habfipdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcipd32.dll" Kjifhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll" Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhekfh32.dll" Aiedjneg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pqhpdhcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aemkjiem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hahjpbad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpphap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiebec32.dll" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgphd32.dll" Fpcqaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icmegf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afmonbqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgfqaiod.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2088 wrote to memory of 2464 2088 515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe 28 PID 2088 wrote to memory of 2464 2088 515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe 28 PID 2088 wrote to memory of 2464 2088 515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe 28 PID 2088 wrote to memory of 2464 2088 515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe 28 PID 2464 wrote to memory of 2568 2464 Ndgggf32.exe 29 PID 2464 wrote to memory of 2568 2464 Ndgggf32.exe 29 PID 2464 wrote to memory of 2568 2464 Ndgggf32.exe 29 PID 2464 wrote to memory of 2568 2464 Ndgggf32.exe 29 PID 2568 wrote to memory of 1444 2568 Nnplpl32.exe 30 PID 2568 wrote to memory of 1444 2568 Nnplpl32.exe 30 PID 2568 wrote to memory of 1444 2568 Nnplpl32.exe 30 PID 2568 wrote to memory of 1444 2568 Nnplpl32.exe 30 PID 1444 wrote to memory of 2812 1444 Ndjdlffl.exe 31 PID 1444 wrote to memory of 2812 1444 Ndjdlffl.exe 31 PID 1444 wrote to memory of 2812 1444 Ndjdlffl.exe 31 PID 1444 wrote to memory of 2812 1444 Ndjdlffl.exe 31 PID 2812 wrote to memory of 2484 2812 Ndjdlffl.exe 32 PID 2812 wrote to memory of 2484 2812 Ndjdlffl.exe 32 PID 2812 wrote to memory of 2484 2812 Ndjdlffl.exe 32 PID 2812 wrote to memory of 2484 2812 Ndjdlffl.exe 32 PID 2484 wrote to memory of 2444 2484 Nqqdag32.exe 33 PID 2484 wrote to memory of 2444 2484 Nqqdag32.exe 33 PID 2484 wrote to memory of 2444 2484 Nqqdag32.exe 33 PID 2484 wrote to memory of 2444 2484 Nqqdag32.exe 33 PID 2444 wrote to memory of 2124 2444 Ngkmnacm.exe 34 PID 2444 wrote to memory of 2124 2444 Ngkmnacm.exe 34 PID 2444 wrote to memory of 2124 2444 Ngkmnacm.exe 34 PID 2444 wrote to memory of 2124 2444 Ngkmnacm.exe 34 PID 2124 wrote to memory of 2632 2124 Nhlifi32.exe 35 PID 2124 wrote to memory of 2632 2124 Nhlifi32.exe 35 PID 2124 wrote to memory of 2632 2124 Nhlifi32.exe 35 PID 2124 wrote to memory of 2632 2124 Nhlifi32.exe 35 PID 2632 wrote to memory of 348 2632 Nmjblg32.exe 36 PID 2632 wrote to memory of 348 2632 Nmjblg32.exe 36 PID 2632 wrote to memory of 348 2632 Nmjblg32.exe 36 PID 2632 wrote to memory of 348 2632 Nmjblg32.exe 36 PID 348 wrote to memory of 2084 348 Nohnhc32.exe 37 PID 348 wrote to memory of 2084 348 Nohnhc32.exe 37 PID 348 wrote to memory of 2084 348 Nohnhc32.exe 37 PID 348 wrote to memory of 2084 348 Nohnhc32.exe 37 PID 2084 wrote to memory of 1844 2084 Nccjhafn.exe 38 PID 2084 wrote to memory of 1844 2084 Nccjhafn.exe 38 PID 2084 wrote to memory of 1844 2084 Nccjhafn.exe 38 PID 2084 wrote to memory of 1844 2084 Nccjhafn.exe 38 PID 1844 wrote to memory of 1020 1844 Ohqbqhde.exe 39 PID 1844 wrote to memory of 1020 1844 Ohqbqhde.exe 39 PID 1844 wrote to memory of 1020 1844 Ohqbqhde.exe 39 PID 1844 wrote to memory of 1020 1844 Ohqbqhde.exe 39 PID 1020 wrote to memory of 1212 1020 Okoomd32.exe 40 PID 1020 wrote to memory of 1212 1020 Okoomd32.exe 40 PID 1020 wrote to memory of 1212 1020 Okoomd32.exe 40 PID 1020 wrote to memory of 1212 1020 Okoomd32.exe 40 PID 1212 wrote to memory of 2804 1212 Oicpfh32.exe 41 PID 1212 wrote to memory of 2804 1212 Oicpfh32.exe 41 PID 1212 wrote to memory of 2804 1212 Oicpfh32.exe 41 PID 1212 wrote to memory of 2804 1212 Oicpfh32.exe 41 PID 2804 wrote to memory of 2204 2804 Oomhcbjp.exe 42 PID 2804 wrote to memory of 2204 2804 Oomhcbjp.exe 42 PID 2804 wrote to memory of 2204 2804 Oomhcbjp.exe 42 PID 2804 wrote to memory of 2204 2804 Oomhcbjp.exe 42 PID 2204 wrote to memory of 324 2204 Obkdonic.exe 43 PID 2204 wrote to memory of 324 2204 Obkdonic.exe 43 PID 2204 wrote to memory of 324 2204 Obkdonic.exe 43 PID 2204 wrote to memory of 324 2204 Obkdonic.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\515b238fbf4c73d8f9b465b2fb2993b0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe34⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe35⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe36⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe37⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe38⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe40⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe41⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe42⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe44⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe46⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe47⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe48⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe49⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe53⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe54⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe55⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe56⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe57⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe59⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe60⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe61⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe62⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe64⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe65⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe66⤵PID:2792
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe67⤵PID:2836
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe68⤵PID:1524
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe69⤵PID:2596
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe70⤵PID:1928
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe71⤵PID:296
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe72⤵PID:2704
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe74⤵PID:2476
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe75⤵PID:2540
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe76⤵PID:1984
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe77⤵PID:908
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:788 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe79⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe80⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe81⤵PID:2040
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe82⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe84⤵PID:2188
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe85⤵PID:1492
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe86⤵PID:2216
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe87⤵PID:2032
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe88⤵PID:1008
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe90⤵PID:2228
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe91⤵PID:1028
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe92⤵PID:2360
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe93⤵PID:1252
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe94⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe95⤵PID:760
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:828 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe97⤵
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe98⤵PID:2668
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe99⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe100⤵PID:1744
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe101⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe102⤵
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe103⤵PID:1904
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe104⤵PID:1688
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe105⤵PID:2284
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe106⤵PID:1964
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe107⤵PID:2352
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe108⤵PID:2560
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe109⤵PID:2416
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe110⤵PID:2336
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe111⤵PID:320
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe112⤵PID:688
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe113⤵PID:2728
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe114⤵
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe116⤵
- Modifies registry class
PID:608 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe117⤵PID:1624
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe118⤵PID:1344
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe119⤵PID:768
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe120⤵
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe121⤵PID:3008
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-