Analysis
-
max time kernel
143s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24/06/2024, 21:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe
-
Size
64KB
-
MD5
b3b0809bfe28a62dd5b8fe6b1242df00
-
SHA1
600ff9925f183a077800891f360044a589f311ec
-
SHA256
0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced
-
SHA512
24934e262cf178c7b058f69da5b762cac87d0a7ce78438ea068890e3584525a14299cb6a09da2bb02845d14c9682fbb74a6e4a42932743317a2d09160b082512
-
SSDEEP
1536:eLaI7ddX76zP05+dHZJlLBsLnVLdGUHyNwi:euI7ddLf5+d5JlLBsLnVUUHyNwi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkkalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnqkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaaijdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baadng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadpgggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcnngnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inngcfid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neplhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahakmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emnndlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejobhppq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcfkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmbagfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampqjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgnke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbiipml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfflj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoamgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfmfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmahdggc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeaedd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moanaiie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpndnei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkhpkoen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonoflae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnffgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceodnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakphqja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkmkacq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcpjmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nekbmgcn.exe -
Executes dropped EXE 64 IoCs
pid Process 1760 Njdpomfe.exe 2188 Ncmdhb32.exe 2736 Nfkpdn32.exe 2008 Nleiqhcg.exe 2808 Ncoamb32.exe 2508 Nfmmin32.exe 2184 Nlgefh32.exe 2848 Nofabc32.exe 2868 Nbdnoo32.exe 328 Nmjblg32.exe 1828 Nohnhc32.exe 2788 Ofbfdmeb.exe 3044 Ohqbqhde.exe 2300 Okoomd32.exe 2816 Onmkio32.exe 2952 Ofdcjm32.exe 596 Oicpfh32.exe 1104 Okalbc32.exe 3004 Onphoo32.exe 1868 Odjpkihg.exe 2120 Oiellh32.exe 1544 Ojficpfn.exe 956 Obnqem32.exe 1256 Oelmai32.exe 984 Ogjimd32.exe 2232 Okfencna.exe 1716 Omgaek32.exe 1300 Ocajbekl.exe 2744 Ofpfnqjp.exe 2728 Paejki32.exe 2776 Pccfge32.exe 2492 Pjmodopf.exe 2568 Pmlkpjpj.exe 2000 Pmlkpjpj.exe 2836 Pbiciana.exe 1528 Pmnhfjmg.exe 800 Ppmdbe32.exe 1508 Ppmdbe32.exe 2468 Pchpbded.exe 2592 Plcdgfbo.exe 1432 Pnbacbac.exe 2156 Pbmmcq32.exe 1920 Pelipl32.exe 916 Phjelg32.exe 308 Ppamme32.exe 3008 Pndniaop.exe 844 Pabjem32.exe 1980 Penfelgm.exe 1872 Qhmbagfa.exe 960 Qjknnbed.exe 896 Qaefjm32.exe 1596 Qaefjm32.exe 2916 Qdccfh32.exe 2644 Qhooggdn.exe 2936 Qnigda32.exe 2520 Qmlgonbe.exe 2656 Qagcpljo.exe 1852 Adeplhib.exe 2800 Ahakmf32.exe 2880 Ankdiqih.exe 1000 Amndem32.exe 1448 Aplpai32.exe 796 Ahchbf32.exe 1368 Ajbdna32.exe -
Loads dropped DLL 64 IoCs
pid Process 1740 0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe 1740 0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe 1760 Njdpomfe.exe 1760 Njdpomfe.exe 2188 Ncmdhb32.exe 2188 Ncmdhb32.exe 2736 Nfkpdn32.exe 2736 Nfkpdn32.exe 2008 Nleiqhcg.exe 2008 Nleiqhcg.exe 2808 Ncoamb32.exe 2808 Ncoamb32.exe 2508 Nfmmin32.exe 2508 Nfmmin32.exe 2184 Nlgefh32.exe 2184 Nlgefh32.exe 2848 Nofabc32.exe 2848 Nofabc32.exe 2868 Nbdnoo32.exe 2868 Nbdnoo32.exe 328 Nmjblg32.exe 328 Nmjblg32.exe 1828 Nohnhc32.exe 1828 Nohnhc32.exe 2788 Ofbfdmeb.exe 2788 Ofbfdmeb.exe 3044 Ohqbqhde.exe 3044 Ohqbqhde.exe 2300 Okoomd32.exe 2300 Okoomd32.exe 2816 Onmkio32.exe 2816 Onmkio32.exe 2952 Ofdcjm32.exe 2952 Ofdcjm32.exe 596 Oicpfh32.exe 596 Oicpfh32.exe 1104 Okalbc32.exe 1104 Okalbc32.exe 3004 Onphoo32.exe 3004 Onphoo32.exe 1868 Odjpkihg.exe 1868 Odjpkihg.exe 2120 Oiellh32.exe 2120 Oiellh32.exe 1544 Ojficpfn.exe 1544 Ojficpfn.exe 956 Obnqem32.exe 956 Obnqem32.exe 1256 Oelmai32.exe 1256 Oelmai32.exe 984 Ogjimd32.exe 984 Ogjimd32.exe 2232 Okfencna.exe 2232 Okfencna.exe 1716 Omgaek32.exe 1716 Omgaek32.exe 1300 Ocajbekl.exe 1300 Ocajbekl.exe 2744 Ofpfnqjp.exe 2744 Ofpfnqjp.exe 2728 Paejki32.exe 2728 Paejki32.exe 2776 Pccfge32.exe 2776 Pccfge32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ijdqna32.exe Iamimc32.exe File opened for modification C:\Windows\SysWOW64\Oeeecekc.exe Oaiibg32.exe File created C:\Windows\SysWOW64\Oopfakpa.exe Okdkal32.exe File created C:\Windows\SysWOW64\Nejeco32.dll Cpjiajeb.exe File created C:\Windows\SysWOW64\Hciofb32.dll Hnagjbdf.exe File created C:\Windows\SysWOW64\Iqopea32.exe Iblpjdpk.exe File created C:\Windows\SysWOW64\Kmikde32.dll Kfpgmdog.exe File opened for modification C:\Windows\SysWOW64\Pbiciana.exe Pmlkpjpj.exe File opened for modification C:\Windows\SysWOW64\Epfhbign.exe Emhlfmgj.exe File created C:\Windows\SysWOW64\Fgpimg32.dll Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Llohjo32.exe Lmlhnagm.exe File opened for modification C:\Windows\SysWOW64\Aeenochi.exe Aajbne32.exe File created C:\Windows\SysWOW64\Alenki32.exe Aigaon32.exe File created C:\Windows\SysWOW64\Hgmhlp32.dll Dcfdgiid.exe File opened for modification C:\Windows\SysWOW64\Nncahjgl.exe Nkeelohh.exe File created C:\Windows\SysWOW64\Pogclp32.exe Pklhlael.exe File created C:\Windows\SysWOW64\Igchlf32.exe Iompkh32.exe File opened for modification C:\Windows\SysWOW64\Oqcpob32.exe Oappcfmb.exe File opened for modification C:\Windows\SysWOW64\Cbdnko32.exe Cdanpb32.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Bbflib32.exe File opened for modification C:\Windows\SysWOW64\Cfeddafl.exe Ccfhhffh.exe File created C:\Windows\SysWOW64\Dpajdp32.dll Odobjg32.exe File created C:\Windows\SysWOW64\Cakqnc32.dll Fioija32.exe File created C:\Windows\SysWOW64\Jjlcbpdk.dll Qbcpbo32.exe File created C:\Windows\SysWOW64\Kncphpjl.dll Dfffnn32.exe File created C:\Windows\SysWOW64\Gkihhhnm.exe Ghkllmoi.exe File opened for modification C:\Windows\SysWOW64\Igdogl32.exe Idfbkq32.exe File created C:\Windows\SysWOW64\Hbgodfkh.dll Nkeelohh.exe File opened for modification C:\Windows\SysWOW64\Pogclp32.exe Pklhlael.exe File created C:\Windows\SysWOW64\Ihlfca32.dll Kbidgeci.exe File created C:\Windows\SysWOW64\Fgdqfpma.dll Cnippoha.exe File created C:\Windows\SysWOW64\Elbepj32.dll Dnlidb32.exe File created C:\Windows\SysWOW64\Dhggeddb.dll Ffnphf32.exe File created C:\Windows\SysWOW64\Nacehmno.dll Qkhpkoen.exe File opened for modification C:\Windows\SysWOW64\Kkolkk32.exe Kgcpjmcb.exe File created C:\Windows\SysWOW64\Nldodg32.dll Meppiblm.exe File created C:\Windows\SysWOW64\Eekkdc32.dll Ckjpacfp.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Eqgnokip.exe File created C:\Windows\SysWOW64\Hkcdafqb.exe Hhehek32.exe File opened for modification C:\Windows\SysWOW64\Ajejgp32.exe Ahgnke32.exe File created C:\Windows\SysWOW64\Jchafg32.dll Djklnnaj.exe File created C:\Windows\SysWOW64\Nohnhc32.exe Nmjblg32.exe File created C:\Windows\SysWOW64\Kemejc32.exe Kaaijdgn.exe File created C:\Windows\SysWOW64\Mkgfckcj.exe Mgljbm32.exe File created C:\Windows\SysWOW64\Ldnlic32.dll Jjlnif32.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lmcijcbe.exe File created C:\Windows\SysWOW64\Gedbdlbb.exe Fmmkcoap.exe File created C:\Windows\SysWOW64\Aaebnq32.dll Lfpclh32.exe File created C:\Windows\SysWOW64\Negpnjgm.dll Mbkmlh32.exe File created C:\Windows\SysWOW64\Nlgefh32.exe Nfmmin32.exe File created C:\Windows\SysWOW64\Bagmdc32.dll Abmibdlh.exe File created C:\Windows\SysWOW64\Cljcelan.exe Cjlgiqbk.exe File created C:\Windows\SysWOW64\Fgaleqmc.dll Nialog32.exe File created C:\Windows\SysWOW64\Nlcnda32.exe Niebhf32.exe File opened for modification C:\Windows\SysWOW64\Nigome32.exe Nekbmgcn.exe File created C:\Windows\SysWOW64\Aajbne32.exe Amnfnfgg.exe File created C:\Windows\SysWOW64\Apomfh32.exe Aalmklfi.exe File opened for modification C:\Windows\SysWOW64\Kgpjanje.exe Kcdnao32.exe File created C:\Windows\SysWOW64\Kjcpii32.exe Kblhgk32.exe File opened for modification C:\Windows\SysWOW64\Kiqpop32.exe Kfbcbd32.exe File opened for modification C:\Windows\SysWOW64\Ceegmj32.exe Cbgjqo32.exe File created C:\Windows\SysWOW64\Minceo32.dll Lahkigca.exe File created C:\Windows\SysWOW64\Mdmmfa32.exe Mdmmfa32.exe File created C:\Windows\SysWOW64\Kiijnq32.exe Kjfjbdle.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10072 10048 WerFault.exe 999 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lemaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igonafba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Melfncqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cddjebgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll" Okdkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiellh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll" Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibijie32.dll" Figlolbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegqdqbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgemplap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doffod32.dll" Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeddafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baadng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enkece32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmbbii.dll" Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cohigamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiedkadc.dll" Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbepj32.dll" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" Geolea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhccl32.dll" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onpjghhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olmhdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" Eojnkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohendqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgoiebg.dll" Plcdgfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Gdamqndn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieqeidnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okfgfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Copfbfjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nglfapnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejobhppq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gedbdlbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iccbqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cddaphkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbdocc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkkalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjdhbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaklpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll" Mencccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olonpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bonoflae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdchio32.dll" Mdmmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdafiei.dll" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhokkp32.dll" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghohc32.dll" Ckafbbph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fidoim32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1740 wrote to memory of 1760 1740 0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe 28 PID 1740 wrote to memory of 1760 1740 0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe 28 PID 1740 wrote to memory of 1760 1740 0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe 28 PID 1740 wrote to memory of 1760 1740 0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe 28 PID 1760 wrote to memory of 2188 1760 Njdpomfe.exe 29 PID 1760 wrote to memory of 2188 1760 Njdpomfe.exe 29 PID 1760 wrote to memory of 2188 1760 Njdpomfe.exe 29 PID 1760 wrote to memory of 2188 1760 Njdpomfe.exe 29 PID 2188 wrote to memory of 2736 2188 Ncmdhb32.exe 30 PID 2188 wrote to memory of 2736 2188 Ncmdhb32.exe 30 PID 2188 wrote to memory of 2736 2188 Ncmdhb32.exe 30 PID 2188 wrote to memory of 2736 2188 Ncmdhb32.exe 30 PID 2736 wrote to memory of 2008 2736 Nfkpdn32.exe 31 PID 2736 wrote to memory of 2008 2736 Nfkpdn32.exe 31 PID 2736 wrote to memory of 2008 2736 Nfkpdn32.exe 31 PID 2736 wrote to memory of 2008 2736 Nfkpdn32.exe 31 PID 2008 wrote to memory of 2808 2008 Nleiqhcg.exe 32 PID 2008 wrote to memory of 2808 2008 Nleiqhcg.exe 32 PID 2008 wrote to memory of 2808 2008 Nleiqhcg.exe 32 PID 2008 wrote to memory of 2808 2008 Nleiqhcg.exe 32 PID 2808 wrote to memory of 2508 2808 Ncoamb32.exe 33 PID 2808 wrote to memory of 2508 2808 Ncoamb32.exe 33 PID 2808 wrote to memory of 2508 2808 Ncoamb32.exe 33 PID 2808 wrote to memory of 2508 2808 Ncoamb32.exe 33 PID 2508 wrote to memory of 2184 2508 Nfmmin32.exe 34 PID 2508 wrote to memory of 2184 2508 Nfmmin32.exe 34 PID 2508 wrote to memory of 2184 2508 Nfmmin32.exe 34 PID 2508 wrote to memory of 2184 2508 Nfmmin32.exe 34 PID 2184 wrote to memory of 2848 2184 Nlgefh32.exe 35 PID 2184 wrote to memory of 2848 2184 Nlgefh32.exe 35 PID 2184 wrote to memory of 2848 2184 Nlgefh32.exe 35 PID 2184 wrote to memory of 2848 2184 Nlgefh32.exe 35 PID 2848 wrote to memory of 2868 2848 Nofabc32.exe 36 PID 2848 wrote to memory of 2868 2848 Nofabc32.exe 36 PID 2848 wrote to memory of 2868 2848 Nofabc32.exe 36 PID 2848 wrote to memory of 2868 2848 Nofabc32.exe 36 PID 2868 wrote to memory of 328 2868 Nbdnoo32.exe 37 PID 2868 wrote to memory of 328 2868 Nbdnoo32.exe 37 PID 2868 wrote to memory of 328 2868 Nbdnoo32.exe 37 PID 2868 wrote to memory of 328 2868 Nbdnoo32.exe 37 PID 328 wrote to memory of 1828 328 Nmjblg32.exe 38 PID 328 wrote to memory of 1828 328 Nmjblg32.exe 38 PID 328 wrote to memory of 1828 328 Nmjblg32.exe 38 PID 328 wrote to memory of 1828 328 Nmjblg32.exe 38 PID 1828 wrote to memory of 2788 1828 Nohnhc32.exe 39 PID 1828 wrote to memory of 2788 1828 Nohnhc32.exe 39 PID 1828 wrote to memory of 2788 1828 Nohnhc32.exe 39 PID 1828 wrote to memory of 2788 1828 Nohnhc32.exe 39 PID 2788 wrote to memory of 3044 2788 Ofbfdmeb.exe 40 PID 2788 wrote to memory of 3044 2788 Ofbfdmeb.exe 40 PID 2788 wrote to memory of 3044 2788 Ofbfdmeb.exe 40 PID 2788 wrote to memory of 3044 2788 Ofbfdmeb.exe 40 PID 3044 wrote to memory of 2300 3044 Ohqbqhde.exe 41 PID 3044 wrote to memory of 2300 3044 Ohqbqhde.exe 41 PID 3044 wrote to memory of 2300 3044 Ohqbqhde.exe 41 PID 3044 wrote to memory of 2300 3044 Ohqbqhde.exe 41 PID 2300 wrote to memory of 2816 2300 Okoomd32.exe 42 PID 2300 wrote to memory of 2816 2300 Okoomd32.exe 42 PID 2300 wrote to memory of 2816 2300 Okoomd32.exe 42 PID 2300 wrote to memory of 2816 2300 Okoomd32.exe 42 PID 2816 wrote to memory of 2952 2816 Onmkio32.exe 43 PID 2816 wrote to memory of 2952 2816 Onmkio32.exe 43 PID 2816 wrote to memory of 2952 2816 Onmkio32.exe 43 PID 2816 wrote to memory of 2952 2816 Onmkio32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\0363455376138b2d388e1e2ca911dd9d1bf429dcd98a4d8d185bbc35bb846ced_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe33⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe34⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe36⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe37⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe38⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe39⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe40⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe42⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe43⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe44⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe45⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe46⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe47⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe48⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe49⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe51⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe53⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe54⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe55⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe56⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe57⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe58⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe59⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe61⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe62⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe63⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe64⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe65⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe67⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe68⤵PID:740
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe69⤵
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe70⤵PID:1988
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe72⤵PID:1260
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe73⤵PID:576
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe74⤵PID:1976
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe75⤵PID:2116
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe76⤵PID:2648
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe77⤵PID:3068
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe78⤵PID:3016
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe79⤵PID:2820
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe81⤵PID:2444
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe82⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe83⤵PID:2948
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe84⤵PID:996
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe85⤵PID:1504
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe86⤵PID:1776
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe87⤵PID:1304
-
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe88⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe89⤵PID:2680
-
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe90⤵PID:2316
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe91⤵PID:2548
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe92⤵PID:2544
-
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe93⤵PID:1552
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe94⤵PID:1536
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe95⤵PID:2220
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe96⤵PID:2128
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe97⤵PID:1688
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe98⤵PID:2464
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe99⤵PID:936
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe100⤵PID:1164
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe101⤵PID:1244
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe102⤵PID:2596
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe103⤵PID:2536
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe104⤵PID:2840
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe106⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe107⤵PID:2668
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe108⤵PID:1276
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe109⤵PID:3048
-
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe110⤵PID:692
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe111⤵
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe112⤵PID:1336
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe113⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe114⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe115⤵PID:2752
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe116⤵PID:1808
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe117⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe118⤵PID:2992
-
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe119⤵PID:2964
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe120⤵PID:2856
-
C:\Windows\SysWOW64\Claifkkf.exeC:\Windows\system32\Claifkkf.exe121⤵PID:1488
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-