Analysis
-
max time kernel
147s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 07:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe
-
Size
55KB
-
MD5
0b6cb4e7fec12b667d12ee873599bf90
-
SHA1
2bba0559867350a09f69a2c746edeea8c03a5b3a
-
SHA256
618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9
-
SHA512
ac14c23bd0fc892a7a281ab5bfbaca7979f4e39fe603975a220b7adc66477fd8abb42120efcb28fd24aaa92eb7b1d301d45d3c6f77f0ceb3acbedfc0247596ea
-
SSDEEP
768:XgSGaNdMm1IlCvTbpLldELPTSrNeo1x28gR5JZ/1H5nXdnh:wSGO6lKHpLleLP4eo1x28gRf
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmlgonbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adhlaggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Admemg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofpfnqjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojficpfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bloqah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffbicfoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngoibmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiaiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajphib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehjeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhhocjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeqdep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egamfkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdakgibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpgmhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdilkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faokjpfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajphib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bghabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpjiajeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofpfnqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocemcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankdiqih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gangic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkihhhnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoegl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onbddoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbdna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdoclk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqbndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkobnqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfiidobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokphdld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcdaibd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjdbnf32.exe -
Executes dropped EXE 64 IoCs
pid Process 1232 Mkobnqan.exe 2140 Nplkfgoe.exe 2624 Ncjgbcoi.exe 2884 Nkaocp32.exe 2868 Nnplpl32.exe 2616 Ndjdlffl.exe 2524 Ncmdhb32.exe 3060 Nfkpdn32.exe 2732 Nnbhek32.exe 2208 Nocemcbj.exe 1260 Ncoamb32.exe 2548 Njiijlbp.exe 1660 Nlgefh32.exe 1764 Nofabc32.exe 2296 Nfpjomgd.exe 864 Nmjblg32.exe 1124 Nkmbgdfl.exe 976 Nccjhafn.exe 852 Ofbfdmeb.exe 412 Ohqbqhde.exe 2892 Okoomd32.exe 1976 Onmkio32.exe 1620 Ofdcjm32.exe 2424 Odgcfijj.exe 1952 Okalbc32.exe 1468 Onphoo32.exe 1640 Oiellh32.exe 3040 Ojficpfn.exe 2196 Onbddoog.exe 2712 Obnqem32.exe 2100 Ogjimd32.exe 2720 Omgaek32.exe 2484 Oqcnfjli.exe 3008 Ocajbekl.exe 1912 Ogmfbd32.exe 1680 Ofpfnqjp.exe 2216 Ongnonkb.exe 1052 Pminkk32.exe 1896 Pphjgfqq.exe 1536 Pgobhcac.exe 2924 Pfbccp32.exe 2132 Pcfcmd32.exe 2336 Pbiciana.exe 112 Piblek32.exe 608 Plahag32.exe 1372 Plahag32.exe 2896 Ppmdbe32.exe 1832 Piehkkcl.exe 2320 Pmqdkj32.exe 1732 Plcdgfbo.exe 1596 Pbmmcq32.exe 1940 Pfiidobe.exe 2024 Pigeqkai.exe 2692 Phjelg32.exe 2736 Plfamfpm.exe 2800 Pndniaop.exe 2268 Pbpjiphi.exe 1992 Pabjem32.exe 840 Pijbfj32.exe 2808 Qlhnbf32.exe 948 Qaefjm32.exe 1524 Qeqbkkej.exe 2828 Qdccfh32.exe 2284 Qhooggdn.exe -
Loads dropped DLL 64 IoCs
pid Process 2044 618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe 2044 618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe 1232 Mkobnqan.exe 1232 Mkobnqan.exe 2140 Nplkfgoe.exe 2140 Nplkfgoe.exe 2624 Ncjgbcoi.exe 2624 Ncjgbcoi.exe 2884 Nkaocp32.exe 2884 Nkaocp32.exe 2868 Nnplpl32.exe 2868 Nnplpl32.exe 2616 Ndjdlffl.exe 2616 Ndjdlffl.exe 2524 Ncmdhb32.exe 2524 Ncmdhb32.exe 3060 Nfkpdn32.exe 3060 Nfkpdn32.exe 2732 Nnbhek32.exe 2732 Nnbhek32.exe 2208 Nocemcbj.exe 2208 Nocemcbj.exe 1260 Ncoamb32.exe 1260 Ncoamb32.exe 2548 Njiijlbp.exe 2548 Njiijlbp.exe 1660 Nlgefh32.exe 1660 Nlgefh32.exe 1764 Nofabc32.exe 1764 Nofabc32.exe 2296 Nfpjomgd.exe 2296 Nfpjomgd.exe 864 Nmjblg32.exe 864 Nmjblg32.exe 1124 Nkmbgdfl.exe 1124 Nkmbgdfl.exe 976 Nccjhafn.exe 976 Nccjhafn.exe 852 Ofbfdmeb.exe 852 Ofbfdmeb.exe 412 Ohqbqhde.exe 412 Ohqbqhde.exe 2892 Okoomd32.exe 2892 Okoomd32.exe 1976 Onmkio32.exe 1976 Onmkio32.exe 1620 Ofdcjm32.exe 1620 Ofdcjm32.exe 2424 Odgcfijj.exe 2424 Odgcfijj.exe 1952 Okalbc32.exe 1952 Okalbc32.exe 1468 Onphoo32.exe 1468 Onphoo32.exe 1640 Oiellh32.exe 1640 Oiellh32.exe 3040 Ojficpfn.exe 3040 Ojficpfn.exe 2196 Onbddoog.exe 2196 Onbddoog.exe 2712 Obnqem32.exe 2712 Obnqem32.exe 2100 Ogjimd32.exe 2100 Ogjimd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Okalbc32.exe Odgcfijj.exe File created C:\Windows\SysWOW64\Ogmfbd32.exe Ocajbekl.exe File opened for modification C:\Windows\SysWOW64\Qmlgonbe.exe Qnigda32.exe File created C:\Windows\SysWOW64\Bnefdp32.exe Bkfjhd32.exe File created C:\Windows\SysWOW64\Ffpmnf32.exe Fdapak32.exe File created C:\Windows\SysWOW64\Jmmjdk32.dll Gaemjbcg.exe File opened for modification C:\Windows\SysWOW64\Fcmbeioh.dll Plahag32.exe File created C:\Windows\SysWOW64\Qnigda32.exe Qjmkcbcb.exe File opened for modification C:\Windows\SysWOW64\Cfeddafl.exe Cgbdhd32.exe File created C:\Windows\SysWOW64\Mkaggelk.dll Dcknbh32.exe File created C:\Windows\SysWOW64\Kleiio32.dll Gegfdb32.exe File created C:\Windows\SysWOW64\Doffod32.dll Oqcnfjli.exe File created C:\Windows\SysWOW64\Plahag32.exe Plahag32.exe File created C:\Windows\SysWOW64\Dqlafm32.exe Dqlafm32.exe File opened for modification C:\Windows\SysWOW64\Onmkio32.exe Okoomd32.exe File opened for modification C:\Windows\SysWOW64\Hiekid32.exe Hejoiedd.exe File opened for modification C:\Windows\SysWOW64\Hodpgjha.exe Hlfdkoin.exe File created C:\Windows\SysWOW64\Hkkmeglp.dll Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe Hdfflm32.exe File created C:\Windows\SysWOW64\Polebcgg.dll Hacmcfge.exe File created C:\Windows\SysWOW64\Qjmkcbcb.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Fmekoalh.exe Fnbkddem.exe File opened for modification C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Peegic32.dll 618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Nkaocp32.exe Ncjgbcoi.exe File created C:\Windows\SysWOW64\Dnlidb32.exe Djpmccqq.exe File created C:\Windows\SysWOW64\Ghoegl32.exe Gddifnbk.exe File created C:\Windows\SysWOW64\Amdgnl32.dll Nnbhek32.exe File created C:\Windows\SysWOW64\Ahaloofd.dll Ocajbekl.exe File created C:\Windows\SysWOW64\Hbkdjjal.dll Pfbccp32.exe File created C:\Windows\SysWOW64\Gaemjbcg.exe Gogangdc.exe File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe Hobcak32.exe File created C:\Windows\SysWOW64\Hgeadcbc.dll Ankdiqih.exe File created C:\Windows\SysWOW64\Ffkcbgek.exe Fhhcgj32.exe File created C:\Windows\SysWOW64\Pabfdklg.dll Gobgcg32.exe File created C:\Windows\SysWOW64\Ankdiqih.exe Ajphib32.exe File created C:\Windows\SysWOW64\Olndbg32.dll Fpdhklkl.exe File created C:\Windows\SysWOW64\Obneof32.dll Nkaocp32.exe File opened for modification C:\Windows\SysWOW64\Hnojdcfi.exe Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Dflkdp32.exe Dbpodagk.exe File opened for modification C:\Windows\SysWOW64\Dfijnd32.exe Dgfjbgmh.exe File created C:\Windows\SysWOW64\Ogjbla32.dll Egamfkdh.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Fphafl32.exe File created C:\Windows\SysWOW64\Pfiidobe.exe Pbmmcq32.exe File created C:\Windows\SysWOW64\Aimcgn32.dll Ajphib32.exe File created C:\Windows\SysWOW64\Elpbcapg.dll Gmgdddmq.exe File created C:\Windows\SysWOW64\Imhjppim.dll Cgpgce32.exe File created C:\Windows\SysWOW64\Lgeceh32.dll Ckdjbh32.exe File opened for modification C:\Windows\SysWOW64\Enihne32.exe Epfhbign.exe File opened for modification C:\Windows\SysWOW64\Onphoo32.exe Okalbc32.exe File created C:\Windows\SysWOW64\Balijo32.exe Bommnc32.exe File created C:\Windows\SysWOW64\Mocaac32.dll Bopicc32.exe File created C:\Windows\SysWOW64\Ncolgf32.dll Hiqbndpb.exe File created C:\Windows\SysWOW64\Hlhaqogk.exe Hlhaqogk.exe File opened for modification C:\Windows\SysWOW64\Pnbgan32.dll Hlhaqogk.exe File created C:\Windows\SysWOW64\Egamfkdh.exe Eecqjpee.exe File created C:\Windows\SysWOW64\Plfamfpm.exe Phjelg32.exe File created C:\Windows\SysWOW64\Blmdlhmp.exe Bhahlj32.exe File created C:\Windows\SysWOW64\Hkpnhgge.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Hgpdcgoc.dll Hnojdcfi.exe File created C:\Windows\SysWOW64\Ahakmf32.exe Adeplhib.exe File created C:\Windows\SysWOW64\Hbbhkqaj.dll Bghabf32.exe File opened for modification C:\Windows\SysWOW64\Fehjeo32.exe Ealnephf.exe File created C:\Windows\SysWOW64\Ajlppdeb.dll Fhffaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3720 3552 WerFault.exe 320 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgodbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hodpgjha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcfdgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjilieka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffpmnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmgdddmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll" Dqlafm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdqfpma.dll" Cllpkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjhbal.dll" Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdoclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obopfpji.dll" Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdadamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgcfijj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piehkkcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldahol32.dll" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peegic32.dll" 618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqlckoi.dll" Coklgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Globlmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piehkkcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" Gaemjbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplkfgoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" Gdopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkaocp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncann32.dll" Ddagfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpocfncj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bebkpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plcdgfbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" Gbnccfpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gobgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahjpbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgfjbgmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbhek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlgefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacnpbdl.dll" Omgaek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbpjiphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlhnbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Claifkkf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2044 wrote to memory of 1232 2044 618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe 28 PID 2044 wrote to memory of 1232 2044 618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe 28 PID 2044 wrote to memory of 1232 2044 618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe 28 PID 2044 wrote to memory of 1232 2044 618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe 28 PID 1232 wrote to memory of 2140 1232 Mkobnqan.exe 29 PID 1232 wrote to memory of 2140 1232 Mkobnqan.exe 29 PID 1232 wrote to memory of 2140 1232 Mkobnqan.exe 29 PID 1232 wrote to memory of 2140 1232 Mkobnqan.exe 29 PID 2140 wrote to memory of 2624 2140 Nplkfgoe.exe 30 PID 2140 wrote to memory of 2624 2140 Nplkfgoe.exe 30 PID 2140 wrote to memory of 2624 2140 Nplkfgoe.exe 30 PID 2140 wrote to memory of 2624 2140 Nplkfgoe.exe 30 PID 2624 wrote to memory of 2884 2624 Ncjgbcoi.exe 31 PID 2624 wrote to memory of 2884 2624 Ncjgbcoi.exe 31 PID 2624 wrote to memory of 2884 2624 Ncjgbcoi.exe 31 PID 2624 wrote to memory of 2884 2624 Ncjgbcoi.exe 31 PID 2884 wrote to memory of 2868 2884 Nkaocp32.exe 32 PID 2884 wrote to memory of 2868 2884 Nkaocp32.exe 32 PID 2884 wrote to memory of 2868 2884 Nkaocp32.exe 32 PID 2884 wrote to memory of 2868 2884 Nkaocp32.exe 32 PID 2868 wrote to memory of 2616 2868 Nnplpl32.exe 33 PID 2868 wrote to memory of 2616 2868 Nnplpl32.exe 33 PID 2868 wrote to memory of 2616 2868 Nnplpl32.exe 33 PID 2868 wrote to memory of 2616 2868 Nnplpl32.exe 33 PID 2616 wrote to memory of 2524 2616 Ndjdlffl.exe 34 PID 2616 wrote to memory of 2524 2616 Ndjdlffl.exe 34 PID 2616 wrote to memory of 2524 2616 Ndjdlffl.exe 34 PID 2616 wrote to memory of 2524 2616 Ndjdlffl.exe 34 PID 2524 wrote to memory of 3060 2524 Ncmdhb32.exe 35 PID 2524 wrote to memory of 3060 2524 Ncmdhb32.exe 35 PID 2524 wrote to memory of 3060 2524 Ncmdhb32.exe 35 PID 2524 wrote to memory of 3060 2524 Ncmdhb32.exe 35 PID 3060 wrote to memory of 2732 3060 Nfkpdn32.exe 36 PID 3060 wrote to memory of 2732 3060 Nfkpdn32.exe 36 PID 3060 wrote to memory of 2732 3060 Nfkpdn32.exe 36 PID 3060 wrote to memory of 2732 3060 Nfkpdn32.exe 36 PID 2732 wrote to memory of 2208 2732 Nnbhek32.exe 37 PID 2732 wrote to memory of 2208 2732 Nnbhek32.exe 37 PID 2732 wrote to memory of 2208 2732 Nnbhek32.exe 37 PID 2732 wrote to memory of 2208 2732 Nnbhek32.exe 37 PID 2208 wrote to memory of 1260 2208 Nocemcbj.exe 38 PID 2208 wrote to memory of 1260 2208 Nocemcbj.exe 38 PID 2208 wrote to memory of 1260 2208 Nocemcbj.exe 38 PID 2208 wrote to memory of 1260 2208 Nocemcbj.exe 38 PID 1260 wrote to memory of 2548 1260 Ncoamb32.exe 39 PID 1260 wrote to memory of 2548 1260 Ncoamb32.exe 39 PID 1260 wrote to memory of 2548 1260 Ncoamb32.exe 39 PID 1260 wrote to memory of 2548 1260 Ncoamb32.exe 39 PID 2548 wrote to memory of 1660 2548 Njiijlbp.exe 40 PID 2548 wrote to memory of 1660 2548 Njiijlbp.exe 40 PID 2548 wrote to memory of 1660 2548 Njiijlbp.exe 40 PID 2548 wrote to memory of 1660 2548 Njiijlbp.exe 40 PID 1660 wrote to memory of 1764 1660 Nlgefh32.exe 41 PID 1660 wrote to memory of 1764 1660 Nlgefh32.exe 41 PID 1660 wrote to memory of 1764 1660 Nlgefh32.exe 41 PID 1660 wrote to memory of 1764 1660 Nlgefh32.exe 41 PID 1764 wrote to memory of 2296 1764 Nofabc32.exe 42 PID 1764 wrote to memory of 2296 1764 Nofabc32.exe 42 PID 1764 wrote to memory of 2296 1764 Nofabc32.exe 42 PID 1764 wrote to memory of 2296 1764 Nofabc32.exe 42 PID 2296 wrote to memory of 864 2296 Nfpjomgd.exe 43 PID 2296 wrote to memory of 864 2296 Nfpjomgd.exe 43 PID 2296 wrote to memory of 864 2296 Nfpjomgd.exe 43 PID 2296 wrote to memory of 864 2296 Nfpjomgd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\618ca8b067dc11a12a5129cbbf98455f65b7fc5435023090cbb04956812d6bd9_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:412 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1640 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe36⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe38⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe40⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe41⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe43⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe44⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe45⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe48⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe50⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe54⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe56⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe57⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe59⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe60⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe62⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe63⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe64⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe66⤵PID:1872
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe67⤵
- Drops file in System32 directory
PID:1028 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe68⤵
- Drops file in System32 directory
PID:704 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:292 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe70⤵PID:1552
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe72⤵PID:1192
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe75⤵PID:2672
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe76⤵PID:2056
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe78⤵PID:2968
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:952 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe80⤵PID:1720
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe81⤵PID:2976
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe82⤵PID:1460
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe83⤵
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe84⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe85⤵PID:1688
-
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe88⤵PID:2572
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe89⤵PID:2612
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe90⤵PID:2480
-
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe91⤵PID:2824
-
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe92⤵PID:1448
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe93⤵PID:2804
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe94⤵PID:2856
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe95⤵PID:2416
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe96⤵PID:660
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe97⤵PID:1336
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe98⤵PID:1452
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe99⤵
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe100⤵
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe101⤵PID:2032
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe103⤵PID:2744
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe104⤵PID:2536
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe107⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe109⤵PID:2852
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe112⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe114⤵PID:2376
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe116⤵PID:2256
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe117⤵PID:2528
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe118⤵PID:2520
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe119⤵PID:2456
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe120⤵PID:1716
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe121⤵PID:2340
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-