Analysis
-
max time kernel
142s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
28/05/2024, 09:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe
-
Size
435KB
-
MD5
3e0b4acf6c96177e48509ccd99a79980
-
SHA1
a9e9284c0ca2fce441b5c0b58b1975dfa128cc73
-
SHA256
3317e6851ee4b3ea33d7ee91a9e162e64805f7a1852354e5e04a8621d556cfec
-
SHA512
30ce9c413bd9e97e4432d24f6cc0bcc7430945e5489a17f7499291ce01ea612fbd1e172c2b11bb5f1ed5641cc972653d68060cf211841f46d012c58d366a97ec
-
SSDEEP
6144:Fz5pPCywbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/Y+mjwjOx5H:FlpobWGRdA6sQhPbWGRdA6sQvjpxN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baakhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmpijk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikaio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkiefp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnbaojm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbonmll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgiiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aepojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anccmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clgbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paejki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjbmjplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oklkmnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpgfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikkiijf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhamckel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecaidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neklbppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plijimee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agljom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iimjmbae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odlojanh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idiaii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kceqjhiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qglmpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfonkfqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2284 Ldqegd32.exe 2912 Lpgele32.exe 2752 Llnfaffc.exe 1800 Lefkjkmc.exe 2460 Mgfgdn32.exe 2492 Moalhq32.exe 2840 Mhjpaf32.exe 1680 Mdqafgnf.exe 1936 Mhlmgf32.exe 2100 Mkmfhacp.exe 812 Mhqfbebj.exe 1676 Nplkfgoe.exe 628 Nnplpl32.exe 2928 Nghphaeo.exe 2896 Ncoamb32.exe 536 Nqcagfim.exe 1504 Nmjblg32.exe 2688 Nohnhc32.exe 412 Odegpj32.exe 3028 Ohqbqhde.exe 1780 Onmkio32.exe 764 Odgcfijj.exe 880 Ogfpbeim.exe 2240 Onphoo32.exe 2956 Oghlgdgk.exe 2204 Onbddoog.exe 2604 Ocomlemo.exe 2660 Okfencna.exe 2740 Oqcnfjli.exe 2676 Ocajbekl.exe 2472 Ofpfnqjp.exe 2588 Paejki32.exe 1536 Pjmodopf.exe 2476 Paggai32.exe 2324 Pfdpip32.exe 2308 Piblek32.exe 1928 Pbkpna32.exe 1340 Peiljl32.exe 844 Pmqdkj32.exe 848 Pbmmcq32.exe 2812 Pfiidobe.exe 1924 Ppamme32.exe 1484 Pndniaop.exe 1788 Pijbfj32.exe 1140 Qhmbagfa.exe 1552 Qnfjna32.exe 2216 Qaefjm32.exe 704 Qdccfh32.exe 1696 Qljkhe32.exe 2852 Qnigda32.exe 2508 Qecoqk32.exe 2640 Ahakmf32.exe 2704 Ankdiqih.exe 2692 Aajpelhl.exe 2536 Ahchbf32.exe 1992 Ajbdna32.exe 1052 Ampqjm32.exe 2388 Adjigg32.exe 1820 Afiecb32.exe 1828 Ambmpmln.exe 1748 Alenki32.exe 2012 Afkbib32.exe 384 Aenbdoii.exe 1060 Alhjai32.exe -
Loads dropped DLL 64 IoCs
pid Process 2268 3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe 2268 3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe 2284 Ldqegd32.exe 2284 Ldqegd32.exe 2912 Lpgele32.exe 2912 Lpgele32.exe 2752 Llnfaffc.exe 2752 Llnfaffc.exe 1800 Lefkjkmc.exe 1800 Lefkjkmc.exe 2460 Mgfgdn32.exe 2460 Mgfgdn32.exe 2492 Moalhq32.exe 2492 Moalhq32.exe 2840 Mhjpaf32.exe 2840 Mhjpaf32.exe 1680 Mdqafgnf.exe 1680 Mdqafgnf.exe 1936 Mhlmgf32.exe 1936 Mhlmgf32.exe 2100 Mkmfhacp.exe 2100 Mkmfhacp.exe 812 Mhqfbebj.exe 812 Mhqfbebj.exe 1676 Nplkfgoe.exe 1676 Nplkfgoe.exe 628 Nnplpl32.exe 628 Nnplpl32.exe 2928 Nghphaeo.exe 2928 Nghphaeo.exe 2896 Ncoamb32.exe 2896 Ncoamb32.exe 536 Nqcagfim.exe 536 Nqcagfim.exe 1504 Nmjblg32.exe 1504 Nmjblg32.exe 2688 Nohnhc32.exe 2688 Nohnhc32.exe 412 Odegpj32.exe 412 Odegpj32.exe 3028 Ohqbqhde.exe 3028 Ohqbqhde.exe 1780 Onmkio32.exe 1780 Onmkio32.exe 764 Odgcfijj.exe 764 Odgcfijj.exe 880 Ogfpbeim.exe 880 Ogfpbeim.exe 2240 Onphoo32.exe 2240 Onphoo32.exe 2956 Oghlgdgk.exe 2956 Oghlgdgk.exe 2204 Onbddoog.exe 2204 Onbddoog.exe 2604 Ocomlemo.exe 2604 Ocomlemo.exe 2660 Okfencna.exe 2660 Okfencna.exe 2740 Oqcnfjli.exe 2740 Oqcnfjli.exe 2676 Ocajbekl.exe 2676 Ocajbekl.exe 2472 Ofpfnqjp.exe 2472 Ofpfnqjp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nmabjfek.exe Process not Found File created C:\Windows\SysWOW64\Emfbll32.dll Ldqegd32.exe File opened for modification C:\Windows\SysWOW64\Bagpopmj.exe Bpfcgg32.exe File created C:\Windows\SysWOW64\Emcbkn32.exe Dcknbh32.exe File created C:\Windows\SysWOW64\Jcjbelmp.dll Kmgbdo32.exe File created C:\Windows\SysWOW64\Makjho32.exe Ljabkeaf.exe File created C:\Windows\SysWOW64\Mdogedmh.exe Process not Found File created C:\Windows\SysWOW64\Bqdgkecq.dll Lollckbk.exe File opened for modification C:\Windows\SysWOW64\Anljck32.exe Process not Found File created C:\Windows\SysWOW64\Fplllkdc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jdflqo32.exe Process not Found File created C:\Windows\SysWOW64\Jddnncch.dll Meccii32.exe File opened for modification C:\Windows\SysWOW64\Aamfnkai.exe Anojbobe.exe File created C:\Windows\SysWOW64\Jgnakn32.dll Cckdlnjg.exe File opened for modification C:\Windows\SysWOW64\Abfnpg32.exe Qogbdl32.exe File opened for modification C:\Windows\SysWOW64\Endjaief.exe Ekfndmfb.exe File opened for modification C:\Windows\SysWOW64\Eoblnd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jfdhmk32.exe Process not Found File created C:\Windows\SysWOW64\Lifcib32.exe Process not Found File created C:\Windows\SysWOW64\Mdhbbiki.dll Alenki32.exe File created C:\Windows\SysWOW64\Bepejfpc.dll Jglgpdcc.exe File created C:\Windows\SysWOW64\Ljfapjbi.exe Process not Found File created C:\Windows\SysWOW64\Kpdcfoph.exe Process not Found File created C:\Windows\SysWOW64\Gefmcp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oioipf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Peiljl32.exe Pbkpna32.exe File created C:\Windows\SysWOW64\Gbnccfpb.exe Gldkfl32.exe File created C:\Windows\SysWOW64\Hogmmjfo.exe Hjjddchg.exe File created C:\Windows\SysWOW64\Elipgofb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Opihgfop.exe Process not Found File created C:\Windows\SysWOW64\Lmmnpb32.dll Process not Found File created C:\Windows\SysWOW64\Mibnje32.dll Process not Found File created C:\Windows\SysWOW64\Fmaeho32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ocomlemo.exe Onbddoog.exe File created C:\Windows\SysWOW64\Faonom32.exe Process not Found File created C:\Windows\SysWOW64\Pdfdcg32.dll Blmdlhmp.exe File created C:\Windows\SysWOW64\Ghelfg32.exe Gdjpeifj.exe File created C:\Windows\SysWOW64\Peipigfb.dll Dllhhaep.exe File created C:\Windows\SysWOW64\Coikpclh.dll Gpabcbdb.exe File created C:\Windows\SysWOW64\Ahmefdcp.exe Process not Found File created C:\Windows\SysWOW64\Bdhhqk32.exe Baildokg.exe File created C:\Windows\SysWOW64\Hggomh32.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Hbhomd32.exe Homclekn.exe File created C:\Windows\SysWOW64\Eipbga32.dll Bmbemb32.exe File opened for modification C:\Windows\SysWOW64\Kjmnjkjd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cidddj32.exe Process not Found File created C:\Windows\SysWOW64\Fpfdalii.exe Facdeo32.exe File created C:\Windows\SysWOW64\Fepiimfg.exe Fbamma32.exe File opened for modification C:\Windows\SysWOW64\Kqiaclhj.exe Kjoifb32.exe File created C:\Windows\SysWOW64\Liolokfg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jialfgcc.exe Process not Found File created C:\Windows\SysWOW64\Hcjdjiqp.dll Process not Found File created C:\Windows\SysWOW64\Gbhbdi32.exe Process not Found File created C:\Windows\SysWOW64\Omckoi32.exe Process not Found File created C:\Windows\SysWOW64\Coeidfmm.dll 3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Kcbakpdo.exe Kaceodek.exe File created C:\Windows\SysWOW64\Fhneehek.exe Fepiimfg.exe File created C:\Windows\SysWOW64\Eignpade.dll Biafnecn.exe File created C:\Windows\SysWOW64\Iknpkd32.exe Ihpdoh32.exe File created C:\Windows\SysWOW64\Efcaci32.dll Mapccndn.exe File created C:\Windows\SysWOW64\Khcmap32.dll Lijjoe32.exe File created C:\Windows\SysWOW64\Cadjgf32.exe Clgbno32.exe File created C:\Windows\SysWOW64\Hdhkdkaa.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lohccp32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 7924 8344 Process not Found 1889 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhlddkmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhjag32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfifeml.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpimg32.dll" Bghjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnih32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjfccn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll" Cfnmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkidapal.dll" Nadimacd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihmcioe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nofdklgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqajihle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enbnkigh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekhkjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlpneh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alacdcjm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpoifde.dll" Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abfnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbmfkkbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phccmbca.dll" Amhpnkch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpelbgel.dll" Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjijqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll" Kmgbdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpnaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iimjmbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnndn32.dll" Jkjfah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdlklmn.dll" Gdjpeifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagigd32.dll" Oklnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhhkjkc.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefkh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omeope32.dll" Chhjkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npccpo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2284 2268 3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe 28 PID 2268 wrote to memory of 2284 2268 3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe 28 PID 2268 wrote to memory of 2284 2268 3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe 28 PID 2268 wrote to memory of 2284 2268 3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe 28 PID 2284 wrote to memory of 2912 2284 Ldqegd32.exe 29 PID 2284 wrote to memory of 2912 2284 Ldqegd32.exe 29 PID 2284 wrote to memory of 2912 2284 Ldqegd32.exe 29 PID 2284 wrote to memory of 2912 2284 Ldqegd32.exe 29 PID 2912 wrote to memory of 2752 2912 Lpgele32.exe 30 PID 2912 wrote to memory of 2752 2912 Lpgele32.exe 30 PID 2912 wrote to memory of 2752 2912 Lpgele32.exe 30 PID 2912 wrote to memory of 2752 2912 Lpgele32.exe 30 PID 2752 wrote to memory of 1800 2752 Llnfaffc.exe 31 PID 2752 wrote to memory of 1800 2752 Llnfaffc.exe 31 PID 2752 wrote to memory of 1800 2752 Llnfaffc.exe 31 PID 2752 wrote to memory of 1800 2752 Llnfaffc.exe 31 PID 1800 wrote to memory of 2460 1800 Lefkjkmc.exe 32 PID 1800 wrote to memory of 2460 1800 Lefkjkmc.exe 32 PID 1800 wrote to memory of 2460 1800 Lefkjkmc.exe 32 PID 1800 wrote to memory of 2460 1800 Lefkjkmc.exe 32 PID 2460 wrote to memory of 2492 2460 Mgfgdn32.exe 33 PID 2460 wrote to memory of 2492 2460 Mgfgdn32.exe 33 PID 2460 wrote to memory of 2492 2460 Mgfgdn32.exe 33 PID 2460 wrote to memory of 2492 2460 Mgfgdn32.exe 33 PID 2492 wrote to memory of 2840 2492 Moalhq32.exe 34 PID 2492 wrote to memory of 2840 2492 Moalhq32.exe 34 PID 2492 wrote to memory of 2840 2492 Moalhq32.exe 34 PID 2492 wrote to memory of 2840 2492 Moalhq32.exe 34 PID 2840 wrote to memory of 1680 2840 Mhjpaf32.exe 35 PID 2840 wrote to memory of 1680 2840 Mhjpaf32.exe 35 PID 2840 wrote to memory of 1680 2840 Mhjpaf32.exe 35 PID 2840 wrote to memory of 1680 2840 Mhjpaf32.exe 35 PID 1680 wrote to memory of 1936 1680 Mdqafgnf.exe 36 PID 1680 wrote to memory of 1936 1680 Mdqafgnf.exe 36 PID 1680 wrote to memory of 1936 1680 Mdqafgnf.exe 36 PID 1680 wrote to memory of 1936 1680 Mdqafgnf.exe 36 PID 1936 wrote to memory of 2100 1936 Mhlmgf32.exe 37 PID 1936 wrote to memory of 2100 1936 Mhlmgf32.exe 37 PID 1936 wrote to memory of 2100 1936 Mhlmgf32.exe 37 PID 1936 wrote to memory of 2100 1936 Mhlmgf32.exe 37 PID 2100 wrote to memory of 812 2100 Mkmfhacp.exe 38 PID 2100 wrote to memory of 812 2100 Mkmfhacp.exe 38 PID 2100 wrote to memory of 812 2100 Mkmfhacp.exe 38 PID 2100 wrote to memory of 812 2100 Mkmfhacp.exe 38 PID 812 wrote to memory of 1676 812 Mhqfbebj.exe 39 PID 812 wrote to memory of 1676 812 Mhqfbebj.exe 39 PID 812 wrote to memory of 1676 812 Mhqfbebj.exe 39 PID 812 wrote to memory of 1676 812 Mhqfbebj.exe 39 PID 1676 wrote to memory of 628 1676 Nplkfgoe.exe 40 PID 1676 wrote to memory of 628 1676 Nplkfgoe.exe 40 PID 1676 wrote to memory of 628 1676 Nplkfgoe.exe 40 PID 1676 wrote to memory of 628 1676 Nplkfgoe.exe 40 PID 628 wrote to memory of 2928 628 Nnplpl32.exe 41 PID 628 wrote to memory of 2928 628 Nnplpl32.exe 41 PID 628 wrote to memory of 2928 628 Nnplpl32.exe 41 PID 628 wrote to memory of 2928 628 Nnplpl32.exe 41 PID 2928 wrote to memory of 2896 2928 Nghphaeo.exe 42 PID 2928 wrote to memory of 2896 2928 Nghphaeo.exe 42 PID 2928 wrote to memory of 2896 2928 Nghphaeo.exe 42 PID 2928 wrote to memory of 2896 2928 Nghphaeo.exe 42 PID 2896 wrote to memory of 536 2896 Ncoamb32.exe 43 PID 2896 wrote to memory of 536 2896 Ncoamb32.exe 43 PID 2896 wrote to memory of 536 2896 Ncoamb32.exe 43 PID 2896 wrote to memory of 536 2896 Ncoamb32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3e0b4acf6c96177e48509ccd99a79980_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:412 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe34⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe35⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe36⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe37⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe39⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe41⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe42⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe43⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe44⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe45⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe47⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe48⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe49⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe50⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe51⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe52⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe53⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe54⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe55⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe56⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe57⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe58⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe59⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe60⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe61⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe63⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe64⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe65⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe66⤵PID:1548
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe67⤵PID:3020
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe69⤵PID:2080
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe70⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe71⤵PID:2892
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe72⤵PID:2544
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe73⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe74⤵PID:2468
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe75⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe76⤵PID:1704
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe77⤵PID:1816
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe78⤵PID:1048
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe79⤵PID:1452
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe80⤵PID:2076
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe81⤵PID:664
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe82⤵PID:2380
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe83⤵PID:1348
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe84⤵PID:1344
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe85⤵PID:1592
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe86⤵PID:2888
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe87⤵PID:1620
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe88⤵PID:2580
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe89⤵PID:2108
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe90⤵PID:1600
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe91⤵PID:2368
-
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe92⤵PID:1860
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe93⤵PID:1336
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe94⤵PID:2748
-
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe95⤵PID:2932
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe96⤵PID:2964
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1564 -
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe98⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe99⤵PID:2116
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe100⤵PID:1584
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe101⤵PID:1608
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe102⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe103⤵PID:2444
-
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe104⤵PID:1632
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe105⤵PID:1568
-
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe106⤵PID:772
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe107⤵PID:1984
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe108⤵PID:1988
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe109⤵PID:2920
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe111⤵PID:1364
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe112⤵PID:2168
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe113⤵PID:1668
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe114⤵PID:2680
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe115⤵PID:2412
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe116⤵PID:2648
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe117⤵PID:2192
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe118⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe119⤵PID:768
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe120⤵PID:2668
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe121⤵PID:988
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-