Analysis
-
max time kernel
143s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
28-06-2024 06:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe
-
Size
481KB
-
MD5
fb5ee2163d98d986c47330a4672f1490
-
SHA1
63b4434625f0bc1ed6a04c63f8ab4846d00c226d
-
SHA256
8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b
-
SHA512
8a42cf12df8830753563115d8e7082f125901b44e4063db5d20bba3397c1e7f8a80fdbfadb8634531b17157e47ec3449203b77854df6e253f779f522e9027426
-
SSDEEP
6144:Z7Nnhu9mh0IJXFM6234lKm3mo8Yvi4KsLTFM6234lKm3+ry+dBQ:hNnUmh06FB24lwR45FB24l4++dBQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaldcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odlojanh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqhijbog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonoflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngnbgplj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpqdkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odjbdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncoamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aehboi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpinc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igonafba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfghif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nocnbmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqqboncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkaiqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbjhgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkfceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cndbcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkfceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aeenochi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfkpqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plfamfpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeghgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqgoiokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnagk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghmfhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcihlong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mholen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oopfakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdgdempa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbbnchb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnclnihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aecaidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabgcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ookmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijeghgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idklfpon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocnbmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfegmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piekcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abbbnchb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fphafl32.exe -
Executes dropped EXE 64 IoCs
pid Process 1624 Ncjgbcoi.exe 2544 Nghphaeo.exe 2548 Ncoamb32.exe 2560 Nlgefh32.exe 2568 Njkfpl32.exe 2460 Nbfjdn32.exe 1588 Onmkio32.exe 2676 Okalbc32.exe 1300 Odjpkihg.exe 832 Obnqem32.exe 1260 Okfencna.exe 1248 Oenifh32.exe 2880 Pphjgfqq.exe 2436 Pipopl32.exe 2136 Pfdpip32.exe 336 Pchpbded.exe 2068 Plcdgfbo.exe 1972 Pnbacbac.exe 908 Pigeqkai.exe 1648 Plfamfpm.exe 1012 Penfelgm.exe 1912 Qlhnbf32.exe 3036 Qaefjm32.exe 2164 Qdccfh32.exe 1420 Qjmkcbcb.exe 2320 Qecoqk32.exe 1484 Ajphib32.exe 2608 Amndem32.exe 1948 Ahchbf32.exe 2964 Ajbdna32.exe 2572 Aiedjneg.exe 2412 Abmibdlh.exe 2896 Ambmpmln.exe 2656 Admemg32.exe 2780 Aiinen32.exe 1196 Apcfahio.exe 2908 Abbbnchb.exe 2788 Ahokfj32.exe 2876 Bbdocc32.exe 1996 Bebkpn32.exe 2224 Bhahlj32.exe 2060 Bbflib32.exe 1404 Bdhhqk32.exe 2768 Balijo32.exe 1124 Bhfagipa.exe 2944 Bghabf32.exe 616 Bopicc32.exe 2084 Banepo32.exe 2484 Bdlblj32.exe 2056 Bkfjhd32.exe 1516 Bnefdp32.exe 2508 Bpcbqk32.exe 2504 Cgmkmecg.exe 1952 Ckignd32.exe 2428 Cljcelan.exe 2632 Cdakgibq.exe 2640 Cgpgce32.exe 352 Cjndop32.exe 1020 Coklgg32.exe 2288 Ccfhhffh.exe 2180 Clomqk32.exe 2000 Comimg32.exe 1988 Cciemedf.exe 2260 Cjbmjplb.exe -
Loads dropped DLL 64 IoCs
pid Process 2872 8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe 2872 8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe 1624 Ncjgbcoi.exe 1624 Ncjgbcoi.exe 2544 Nghphaeo.exe 2544 Nghphaeo.exe 2548 Ncoamb32.exe 2548 Ncoamb32.exe 2560 Nlgefh32.exe 2560 Nlgefh32.exe 2568 Njkfpl32.exe 2568 Njkfpl32.exe 2460 Nbfjdn32.exe 2460 Nbfjdn32.exe 1588 Onmkio32.exe 1588 Onmkio32.exe 2676 Okalbc32.exe 2676 Okalbc32.exe 1300 Odjpkihg.exe 1300 Odjpkihg.exe 832 Obnqem32.exe 832 Obnqem32.exe 1260 Okfencna.exe 1260 Okfencna.exe 1248 Oenifh32.exe 1248 Oenifh32.exe 2880 Pphjgfqq.exe 2880 Pphjgfqq.exe 2436 Pipopl32.exe 2436 Pipopl32.exe 2136 Pfdpip32.exe 2136 Pfdpip32.exe 336 Pchpbded.exe 336 Pchpbded.exe 2068 Plcdgfbo.exe 2068 Plcdgfbo.exe 1972 Pnbacbac.exe 1972 Pnbacbac.exe 908 Pigeqkai.exe 908 Pigeqkai.exe 1648 Plfamfpm.exe 1648 Plfamfpm.exe 1012 Penfelgm.exe 1012 Penfelgm.exe 1912 Qlhnbf32.exe 1912 Qlhnbf32.exe 3036 Qaefjm32.exe 3036 Qaefjm32.exe 2164 Qdccfh32.exe 2164 Qdccfh32.exe 1420 Qjmkcbcb.exe 1420 Qjmkcbcb.exe 2320 Qecoqk32.exe 2320 Qecoqk32.exe 1484 Ajphib32.exe 1484 Ajphib32.exe 2608 Amndem32.exe 2608 Amndem32.exe 1948 Ahchbf32.exe 1948 Ahchbf32.exe 2964 Ajbdna32.exe 2964 Ajbdna32.exe 2572 Aiedjneg.exe 2572 Aiedjneg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bdkgocpm.exe Behgcf32.exe File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe Facdeo32.exe File created C:\Windows\SysWOW64\Okikfagn.exe Odobjg32.exe File created C:\Windows\SysWOW64\Gmbdnn32.exe Gjdhbc32.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Inkccpgk.exe File opened for modification C:\Windows\SysWOW64\Ljibgg32.exe Lcojjmea.exe File created C:\Windows\SysWOW64\Labkdack.exe Ljibgg32.exe File opened for modification C:\Windows\SysWOW64\Ljkomfjl.exe Lcagpl32.exe File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe Ajbdna32.exe File created C:\Windows\SysWOW64\Bmdcpnkh.dll Fllnlg32.exe File created C:\Windows\SysWOW64\Ccdcec32.dll Cndbcc32.exe File created C:\Windows\SysWOW64\Afiglkle.exe Ackkppma.exe File created C:\Windows\SysWOW64\Ejmmiihp.dll Cojema32.exe File opened for modification C:\Windows\SysWOW64\Gdniqh32.exe Gmdadnkh.exe File created C:\Windows\SysWOW64\Ckignd32.exe Cgmkmecg.exe File created C:\Windows\SysWOW64\Ljdjcj32.dll Ifnechbj.exe File created C:\Windows\SysWOW64\Blleofcd.dll Lahkigca.exe File opened for modification C:\Windows\SysWOW64\Nceclqan.exe Nacgdhlp.exe File created C:\Windows\SysWOW64\Dnlbnp32.dll Nenobfak.exe File opened for modification C:\Windows\SysWOW64\Ookmfk32.exe Okoafmkm.exe File created C:\Windows\SysWOW64\Beejng32.exe Bnkbam32.exe File opened for modification C:\Windows\SysWOW64\Gmbdnn32.exe Gjdhbc32.exe File created C:\Windows\SysWOW64\Okdkal32.exe Odjbdb32.exe File created C:\Windows\SysWOW64\Kkgmgmfd.exe Kgkafo32.exe File opened for modification C:\Windows\SysWOW64\Qimhoi32.exe Qbcpbo32.exe File opened for modification C:\Windows\SysWOW64\Bhndldcn.exe Aadloj32.exe File opened for modification C:\Windows\SysWOW64\Ngdifkpi.exe Ndemjoae.exe File opened for modification C:\Windows\SysWOW64\Qodlkm32.exe Qgmdjp32.exe File created C:\Windows\SysWOW64\Annbhi32.exe Afgkfl32.exe File opened for modification C:\Windows\SysWOW64\Qaefjm32.exe Qlhnbf32.exe File created C:\Windows\SysWOW64\Mffimglk.exe Mooaljkh.exe File created C:\Windows\SysWOW64\Ncbplk32.exe Ncbplk32.exe File created C:\Windows\SysWOW64\Qjmkcbcb.exe Qdccfh32.exe File opened for modification C:\Windows\SysWOW64\Faagpp32.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Okphjd32.dll Bifgdk32.exe File created C:\Windows\SysWOW64\Fllnlg32.exe Fcefji32.exe File created C:\Windows\SysWOW64\Hapicp32.exe Hmdmcanc.exe File created C:\Windows\SysWOW64\Pghhkllb.dll Lanaiahq.exe File opened for modification C:\Windows\SysWOW64\Blobjaba.exe Bhdgjb32.exe File created C:\Windows\SysWOW64\Kahojc32.exe Kmmcjehm.exe File created C:\Windows\SysWOW64\Ddgjdk32.exe Dbhnhp32.exe File created C:\Windows\SysWOW64\Hmomkh32.dll Pqhijbog.exe File created C:\Windows\SysWOW64\Ckiigmcd.exe Chkmkacq.exe File created C:\Windows\SysWOW64\Dqlcpbbm.dll Lckdanld.exe File opened for modification C:\Windows\SysWOW64\Okgnab32.exe Omdneebf.exe File created C:\Windows\SysWOW64\Hanlnp32.exe Hmbpmapf.exe File created C:\Windows\SysWOW64\Ejmebq32.exe Eccmffjf.exe File opened for modification C:\Windows\SysWOW64\Hanlnp32.exe Hmbpmapf.exe File created C:\Windows\SysWOW64\Kgbggnhc.exe Kcfkfo32.exe File created C:\Windows\SysWOW64\Mppepcfg.exe Mamddf32.exe File created C:\Windows\SysWOW64\Olpdjf32.exe Ofelmloo.exe File created C:\Windows\SysWOW64\Khjjpi32.dll Bocolb32.exe File created C:\Windows\SysWOW64\Epjomppp.dll Dhnmij32.exe File opened for modification C:\Windows\SysWOW64\Njkfpl32.exe Nlgefh32.exe File opened for modification C:\Windows\SysWOW64\Djpmccqq.exe Dcfdgiid.exe File created C:\Windows\SysWOW64\Mggpgmof.exe Lefdpe32.exe File created C:\Windows\SysWOW64\Ipllekdl.exe Ijbdha32.exe File created C:\Windows\SysWOW64\Lmlhnagm.exe Liplnc32.exe File created C:\Windows\SysWOW64\Mdacop32.exe Mabgcd32.exe File created C:\Windows\SysWOW64\Fdlpjk32.dll Ckiigmcd.exe File opened for modification C:\Windows\SysWOW64\Ngpolo32.exe Nceclqan.exe File created C:\Windows\SysWOW64\Jiiegafd.dll Ebinic32.exe File created C:\Windows\SysWOW64\Ffpmnf32.exe Fdapak32.exe File created C:\Windows\SysWOW64\Lclclfdi.dll Pckoam32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6372 6284 WerFault.exe 677 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcnijgi.dll" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnkpm32.dll" Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inlepd32.dll" Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceamohhb.dll" Ncbplk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnefdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jofiln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhfdmdo.dll" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkjjld32.dll" Penfelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll" Ecejkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Okalbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahqdihi.dll" Adpkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" Ndemjoae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcibkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckcmac32.dll" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfppg32.dll" Llcefjgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flmefm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dojald32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odhfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll" Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icplghmh.dll" Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lfdmggnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpfeppop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbflib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pimkpfeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chhjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbepj32.dll" Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lefdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmndnn32.dll" Meccii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plfamfpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgjefg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdjfphi.dll" Lbnemk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iqalka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjjndgdk.dll" Kgkafo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pflomnkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mieeibkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhohda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpgbgpe.dll" Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmhdd32.dll" Pamiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojebabb.dll" Alnqqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlekia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdaheq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aaobdjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpiipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll" Jnkpbcjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgc32.dll" Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" Nckjkl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 1624 2872 8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe 28 PID 2872 wrote to memory of 1624 2872 8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe 28 PID 2872 wrote to memory of 1624 2872 8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe 28 PID 2872 wrote to memory of 1624 2872 8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe 28 PID 1624 wrote to memory of 2544 1624 Ncjgbcoi.exe 29 PID 1624 wrote to memory of 2544 1624 Ncjgbcoi.exe 29 PID 1624 wrote to memory of 2544 1624 Ncjgbcoi.exe 29 PID 1624 wrote to memory of 2544 1624 Ncjgbcoi.exe 29 PID 2544 wrote to memory of 2548 2544 Nghphaeo.exe 30 PID 2544 wrote to memory of 2548 2544 Nghphaeo.exe 30 PID 2544 wrote to memory of 2548 2544 Nghphaeo.exe 30 PID 2544 wrote to memory of 2548 2544 Nghphaeo.exe 30 PID 2548 wrote to memory of 2560 2548 Ncoamb32.exe 31 PID 2548 wrote to memory of 2560 2548 Ncoamb32.exe 31 PID 2548 wrote to memory of 2560 2548 Ncoamb32.exe 31 PID 2548 wrote to memory of 2560 2548 Ncoamb32.exe 31 PID 2560 wrote to memory of 2568 2560 Nlgefh32.exe 32 PID 2560 wrote to memory of 2568 2560 Nlgefh32.exe 32 PID 2560 wrote to memory of 2568 2560 Nlgefh32.exe 32 PID 2560 wrote to memory of 2568 2560 Nlgefh32.exe 32 PID 2568 wrote to memory of 2460 2568 Njkfpl32.exe 33 PID 2568 wrote to memory of 2460 2568 Njkfpl32.exe 33 PID 2568 wrote to memory of 2460 2568 Njkfpl32.exe 33 PID 2568 wrote to memory of 2460 2568 Njkfpl32.exe 33 PID 2460 wrote to memory of 1588 2460 Nbfjdn32.exe 34 PID 2460 wrote to memory of 1588 2460 Nbfjdn32.exe 34 PID 2460 wrote to memory of 1588 2460 Nbfjdn32.exe 34 PID 2460 wrote to memory of 1588 2460 Nbfjdn32.exe 34 PID 1588 wrote to memory of 2676 1588 Onmkio32.exe 35 PID 1588 wrote to memory of 2676 1588 Onmkio32.exe 35 PID 1588 wrote to memory of 2676 1588 Onmkio32.exe 35 PID 1588 wrote to memory of 2676 1588 Onmkio32.exe 35 PID 2676 wrote to memory of 1300 2676 Okalbc32.exe 36 PID 2676 wrote to memory of 1300 2676 Okalbc32.exe 36 PID 2676 wrote to memory of 1300 2676 Okalbc32.exe 36 PID 2676 wrote to memory of 1300 2676 Okalbc32.exe 36 PID 1300 wrote to memory of 832 1300 Odjpkihg.exe 37 PID 1300 wrote to memory of 832 1300 Odjpkihg.exe 37 PID 1300 wrote to memory of 832 1300 Odjpkihg.exe 37 PID 1300 wrote to memory of 832 1300 Odjpkihg.exe 37 PID 832 wrote to memory of 1260 832 Obnqem32.exe 38 PID 832 wrote to memory of 1260 832 Obnqem32.exe 38 PID 832 wrote to memory of 1260 832 Obnqem32.exe 38 PID 832 wrote to memory of 1260 832 Obnqem32.exe 38 PID 1260 wrote to memory of 1248 1260 Okfencna.exe 39 PID 1260 wrote to memory of 1248 1260 Okfencna.exe 39 PID 1260 wrote to memory of 1248 1260 Okfencna.exe 39 PID 1260 wrote to memory of 1248 1260 Okfencna.exe 39 PID 1248 wrote to memory of 2880 1248 Oenifh32.exe 40 PID 1248 wrote to memory of 2880 1248 Oenifh32.exe 40 PID 1248 wrote to memory of 2880 1248 Oenifh32.exe 40 PID 1248 wrote to memory of 2880 1248 Oenifh32.exe 40 PID 2880 wrote to memory of 2436 2880 Pphjgfqq.exe 41 PID 2880 wrote to memory of 2436 2880 Pphjgfqq.exe 41 PID 2880 wrote to memory of 2436 2880 Pphjgfqq.exe 41 PID 2880 wrote to memory of 2436 2880 Pphjgfqq.exe 41 PID 2436 wrote to memory of 2136 2436 Pipopl32.exe 42 PID 2436 wrote to memory of 2136 2436 Pipopl32.exe 42 PID 2436 wrote to memory of 2136 2436 Pipopl32.exe 42 PID 2436 wrote to memory of 2136 2436 Pipopl32.exe 42 PID 2136 wrote to memory of 336 2136 Pfdpip32.exe 43 PID 2136 wrote to memory of 336 2136 Pfdpip32.exe 43 PID 2136 wrote to memory of 336 2136 Pfdpip32.exe 43 PID 2136 wrote to memory of 336 2136 Pfdpip32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\8a7513f8ef1cc728221ed012cc9ee80429fe0b351e24b810236fcbe620a43b8b_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420 -
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe33⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe35⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe37⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe39⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe41⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe42⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe45⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe46⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe47⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe48⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe49⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe50⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe51⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe53⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe56⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe57⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe58⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe59⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe60⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe61⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe62⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe63⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe64⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe65⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe66⤵PID:1424
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe67⤵PID:2580
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe68⤵PID:1576
-
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe69⤵
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe70⤵PID:2296
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe72⤵PID:1620
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe73⤵PID:2804
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe74⤵PID:2420
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe75⤵PID:1564
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe77⤵PID:1736
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe78⤵PID:112
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe79⤵PID:2024
-
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe80⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe81⤵
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe82⤵PID:2364
-
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe83⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe84⤵PID:1664
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe85⤵PID:2268
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe86⤵PID:2148
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe87⤵PID:2604
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe88⤵PID:2888
-
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe89⤵PID:2416
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe91⤵PID:1692
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe92⤵PID:872
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe93⤵PID:2032
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe94⤵PID:1940
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe95⤵PID:588
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe96⤵PID:1188
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe97⤵PID:412
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe98⤵PID:1080
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe99⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe100⤵PID:1644
-
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe101⤵PID:2708
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe102⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe103⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe104⤵PID:1064
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe105⤵PID:1584
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe106⤵PID:356
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe107⤵PID:2212
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe108⤵PID:2064
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe109⤵
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe110⤵PID:2232
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe111⤵PID:2072
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe112⤵PID:1992
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe113⤵
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe114⤵PID:1428
-
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe115⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe116⤵PID:2536
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe117⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe119⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe120⤵PID:752
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe121⤵
- Modifies registry class
PID:324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-