Analysis
-
max time kernel
148s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-05-2024 03:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe
-
Size
128KB
-
MD5
5aac2cb27d30f05c2abd682e1a0e7660
-
SHA1
dd26eb7baff289cc90e6dce20f80fa4ba8ef746c
-
SHA256
aece3f6d6f63aa1161d1ac386931466cc8e1c1195a4b14dc9d7d7089798686e7
-
SHA512
a894f0e649c1a31be2df5bcbdef75cd512ef58e548595227e81510a3e6a666fe8b09bbef5e97c1efa4de1018c8384690e3502b7b6d4de8d1764c5d08607e9dfc
-
SSDEEP
3072:26JgjmKot5oTzwkTDrFDHZtOgxBOXXwwfBoD6N3h8N5Gg:26JPKU5oTZ55tTDUZNSN57
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmodopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emeopn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicbeald.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdakgibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peiljl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdapak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpodagk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egamfkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkllmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajdadamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokphdld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkfjhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeddafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqhhknjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfijnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbbfopeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ongnonkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Comimg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Begeknan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efncicpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpapln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfijnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gangic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfflopdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdadamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqonkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onphoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhhcgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlgiqbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacmcfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjknnbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmafennb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiekid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpcbqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cckace32.exe -
Executes dropped EXE 64 IoCs
pid Process 2756 Odgcfijj.exe 2576 Okalbc32.exe 2592 Onphoo32.exe 2248 Odjpkihg.exe 2680 Oghlgdgk.exe 2184 Okchhc32.exe 1712 Onbddoog.exe 1620 Oqqapjnk.exe 2732 Oelmai32.exe 2960 Ogjimd32.exe 1960 Ojieip32.exe 1936 Omgaek32.exe 2200 Oqcnfjli.exe 856 Oenifh32.exe 2532 Ocajbekl.exe 2780 Ofpfnqjp.exe 484 Ongnonkb.exe 1644 Pminkk32.exe 2868 Pphjgfqq.exe 908 Pgobhcac.exe 1792 Pfbccp32.exe 1532 Pjmodopf.exe 940 Pipopl32.exe 3012 Pmlkpjpj.exe 2888 Ppjglfon.exe 1316 Pbiciana.exe 2940 Plahag32.exe 1112 Ppmdbe32.exe 2684 Pfflopdh.exe 2156 Peiljl32.exe 2512 Pnbacbac.exe 2860 Pbmmcq32.exe 2928 Pelipl32.exe 2604 Pigeqkai.exe 1944 Plfamfpm.exe 2408 Pndniaop.exe 1676 Pabjem32.exe 1248 Qhmbagfa.exe 1740 Qjknnbed.exe 448 Qbbfopeg.exe 1476 Qeqbkkej.exe 1852 Qhooggdn.exe 2400 Qljkhe32.exe 476 Qnigda32.exe 1380 Qagcpljo.exe 1972 Adeplhib.exe 688 Afdlhchf.exe 1896 Ajphib32.exe 944 Ankdiqih.exe 2676 Aajpelhl.exe 2668 Aplpai32.exe 1036 Adhlaggp.exe 1308 Affhncfc.exe 2436 Ajbdna32.exe 2736 Aiedjneg.exe 2644 Ampqjm32.exe 2432 Apomfh32.exe 2848 Abmibdlh.exe 1432 Ajdadamj.exe 1956 Ambmpmln.exe 2728 Apajlhka.exe 1208 Admemg32.exe 1240 Afkbib32.exe 384 Aiinen32.exe -
Loads dropped DLL 64 IoCs
pid Process 1808 5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe 1808 5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe 2756 Odgcfijj.exe 2756 Odgcfijj.exe 2576 Okalbc32.exe 2576 Okalbc32.exe 2592 Onphoo32.exe 2592 Onphoo32.exe 2248 Odjpkihg.exe 2248 Odjpkihg.exe 2680 Oghlgdgk.exe 2680 Oghlgdgk.exe 2184 Okchhc32.exe 2184 Okchhc32.exe 1712 Onbddoog.exe 1712 Onbddoog.exe 1620 Oqqapjnk.exe 1620 Oqqapjnk.exe 2732 Oelmai32.exe 2732 Oelmai32.exe 2960 Ogjimd32.exe 2960 Ogjimd32.exe 1960 Ojieip32.exe 1960 Ojieip32.exe 1936 Omgaek32.exe 1936 Omgaek32.exe 2200 Oqcnfjli.exe 2200 Oqcnfjli.exe 856 Oenifh32.exe 856 Oenifh32.exe 2532 Ocajbekl.exe 2532 Ocajbekl.exe 2780 Ofpfnqjp.exe 2780 Ofpfnqjp.exe 484 Ongnonkb.exe 484 Ongnonkb.exe 1644 Pminkk32.exe 1644 Pminkk32.exe 2868 Pphjgfqq.exe 2868 Pphjgfqq.exe 908 Pgobhcac.exe 908 Pgobhcac.exe 1792 Pfbccp32.exe 1792 Pfbccp32.exe 1532 Pjmodopf.exe 1532 Pjmodopf.exe 940 Pipopl32.exe 940 Pipopl32.exe 3012 Pmlkpjpj.exe 3012 Pmlkpjpj.exe 2888 Ppjglfon.exe 2888 Ppjglfon.exe 1928 Pjpkjond.exe 1928 Pjpkjond.exe 2940 Plahag32.exe 2940 Plahag32.exe 1112 Ppmdbe32.exe 1112 Ppmdbe32.exe 2684 Pfflopdh.exe 2684 Pfflopdh.exe 2156 Peiljl32.exe 2156 Peiljl32.exe 2512 Pnbacbac.exe 2512 Pnbacbac.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cfeddafl.exe Ccfhhffh.exe File opened for modification C:\Windows\SysWOW64\Dcknbh32.exe Doobajme.exe File created C:\Windows\SysWOW64\Jkoginch.dll Ffkcbgek.exe File opened for modification C:\Windows\SysWOW64\Gejcjbah.exe Gangic32.exe File created C:\Windows\SysWOW64\Pjmodopf.exe Pfbccp32.exe File created C:\Windows\SysWOW64\Nokeef32.dll Hlcgeo32.exe File opened for modification C:\Windows\SysWOW64\Hpapln32.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Gkihhhnm.exe Ghkllmoi.exe File opened for modification C:\Windows\SysWOW64\Aajpelhl.exe Ankdiqih.exe File opened for modification C:\Windows\SysWOW64\Aiinen32.exe Afkbib32.exe File opened for modification C:\Windows\SysWOW64\Bebkpn32.exe Boiccdnf.exe File opened for modification C:\Windows\SysWOW64\Clcflkic.exe Cdlnkmha.exe File opened for modification C:\Windows\SysWOW64\Dbpodagk.exe Cobbhfhg.exe File created C:\Windows\SysWOW64\Bloqah32.exe Bhcdaibd.exe File created C:\Windows\SysWOW64\Fclomp32.dll Dfijnd32.exe File opened for modification C:\Windows\SysWOW64\Fiaeoang.exe Feeiob32.exe File created C:\Windows\SysWOW64\Hokefmej.dll Aiedjneg.exe File created C:\Windows\SysWOW64\Fglhobmg.dll Dbbkja32.exe File created C:\Windows\SysWOW64\Gicbeald.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Ndabhn32.dll Hpmgqnfl.exe File opened for modification C:\Windows\SysWOW64\Hdfflm32.exe Hahjpbad.exe File opened for modification C:\Windows\SysWOW64\Ppjglfon.exe Pmlkpjpj.exe File created C:\Windows\SysWOW64\Kjpnhh32.dll Pelipl32.exe File created C:\Windows\SysWOW64\Qagcpljo.exe Qnigda32.exe File created C:\Windows\SysWOW64\Eqonkmdh.exe Eihfjo32.exe File created C:\Windows\SysWOW64\Gdamqndn.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Klidkobf.dll Dcfdgiid.exe File created C:\Windows\SysWOW64\Dhggeddb.dll Fjilieka.exe File created C:\Windows\SysWOW64\Hodpgjha.exe Hpapln32.exe File opened for modification C:\Windows\SysWOW64\Oghlgdgk.exe Odjpkihg.exe File opened for modification C:\Windows\SysWOW64\Oqcnfjli.exe Omgaek32.exe File opened for modification C:\Windows\SysWOW64\Ajphib32.exe Afdlhchf.exe File opened for modification C:\Windows\SysWOW64\Aoffmd32.exe Alhjai32.exe File created C:\Windows\SysWOW64\Hjlanqkq.dll Cnippoha.exe File created C:\Windows\SysWOW64\Bnkajj32.dll Fhkpmjln.exe File created C:\Windows\SysWOW64\Idceea32.exe Iaeiieeb.exe File opened for modification C:\Windows\SysWOW64\Qbbfopeg.exe Qjknnbed.exe File opened for modification C:\Windows\SysWOW64\Qhooggdn.exe Qeqbkkej.exe File created C:\Windows\SysWOW64\Ajbdna32.exe Affhncfc.exe File opened for modification C:\Windows\SysWOW64\Cjlgiqbk.exe Bcaomf32.exe File created C:\Windows\SysWOW64\Enihne32.exe Ekklaj32.exe File created C:\Windows\SysWOW64\Phofkg32.dll Hahjpbad.exe File created C:\Windows\SysWOW64\Qhmbagfa.exe Pabjem32.exe File created C:\Windows\SysWOW64\Cckace32.exe Ckdjbh32.exe File opened for modification C:\Windows\SysWOW64\Dgdmmgpj.exe Ddeaalpg.exe File created C:\Windows\SysWOW64\Egdilkbf.exe Eiaiqn32.exe File created C:\Windows\SysWOW64\Hghmjpap.dll Globlmmj.exe File created C:\Windows\SysWOW64\Lhcecp32.dll Apomfh32.exe File opened for modification C:\Windows\SysWOW64\Bingpmnl.exe Bebkpn32.exe File created C:\Windows\SysWOW64\Jkbcpgjj.dll Cllpkl32.exe File created C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Pqiqnfej.dll Iaeiieeb.exe File opened for modification C:\Windows\SysWOW64\Dkhcmgnl.exe Ddokpmfo.exe File opened for modification C:\Windows\SysWOW64\Hacmcfge.exe Hodpgjha.exe File opened for modification C:\Windows\SysWOW64\Icbimi32.exe Hkkalk32.exe File opened for modification C:\Windows\SysWOW64\Pbiciana.exe Ppjglfon.exe File created C:\Windows\SysWOW64\Edgoiebg.dll Peiljl32.exe File created C:\Windows\SysWOW64\Hbbhkqaj.dll Bhfagipa.exe File created C:\Windows\SysWOW64\Cfeddafl.exe Ccfhhffh.exe File created C:\Windows\SysWOW64\Bioggp32.dll Ckdjbh32.exe File created C:\Windows\SysWOW64\Epdkli32.exe Emeopn32.exe File created C:\Windows\SysWOW64\Efjcibje.dll Enkece32.exe File opened for modification C:\Windows\SysWOW64\Filldb32.exe Fjilieka.exe File created C:\Windows\SysWOW64\Oqcnfjli.exe Omgaek32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3924 3888 WerFault.exe 253 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocajbekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qagcpljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gangic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaqcoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcbnc32.dll" Ocajbekl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apomfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfcgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfofpak.dll" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll" Bdlblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqjepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efncicpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgkbipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfbccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkodhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" Cllpkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhkpmjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiekid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhooggdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlanqkq.dll" Cnippoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmcfkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll" Gejcjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll" Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknnbklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabnbook.dll" Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadkgl32.dll" Fehjeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Globlmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkaqmeah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" Egamfkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajphib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfdcg32.dll" Bkodhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baildokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekklaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmodopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqddgc32.dll" Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambmpmln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adeplhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fphafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okchhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qljkhe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1808 wrote to memory of 2756 1808 5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe 28 PID 1808 wrote to memory of 2756 1808 5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe 28 PID 1808 wrote to memory of 2756 1808 5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe 28 PID 1808 wrote to memory of 2756 1808 5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe 28 PID 2756 wrote to memory of 2576 2756 Odgcfijj.exe 29 PID 2756 wrote to memory of 2576 2756 Odgcfijj.exe 29 PID 2756 wrote to memory of 2576 2756 Odgcfijj.exe 29 PID 2756 wrote to memory of 2576 2756 Odgcfijj.exe 29 PID 2576 wrote to memory of 2592 2576 Okalbc32.exe 30 PID 2576 wrote to memory of 2592 2576 Okalbc32.exe 30 PID 2576 wrote to memory of 2592 2576 Okalbc32.exe 30 PID 2576 wrote to memory of 2592 2576 Okalbc32.exe 30 PID 2592 wrote to memory of 2248 2592 Onphoo32.exe 31 PID 2592 wrote to memory of 2248 2592 Onphoo32.exe 31 PID 2592 wrote to memory of 2248 2592 Onphoo32.exe 31 PID 2592 wrote to memory of 2248 2592 Onphoo32.exe 31 PID 2248 wrote to memory of 2680 2248 Odjpkihg.exe 32 PID 2248 wrote to memory of 2680 2248 Odjpkihg.exe 32 PID 2248 wrote to memory of 2680 2248 Odjpkihg.exe 32 PID 2248 wrote to memory of 2680 2248 Odjpkihg.exe 32 PID 2680 wrote to memory of 2184 2680 Oghlgdgk.exe 33 PID 2680 wrote to memory of 2184 2680 Oghlgdgk.exe 33 PID 2680 wrote to memory of 2184 2680 Oghlgdgk.exe 33 PID 2680 wrote to memory of 2184 2680 Oghlgdgk.exe 33 PID 2184 wrote to memory of 1712 2184 Okchhc32.exe 34 PID 2184 wrote to memory of 1712 2184 Okchhc32.exe 34 PID 2184 wrote to memory of 1712 2184 Okchhc32.exe 34 PID 2184 wrote to memory of 1712 2184 Okchhc32.exe 34 PID 1712 wrote to memory of 1620 1712 Onbddoog.exe 35 PID 1712 wrote to memory of 1620 1712 Onbddoog.exe 35 PID 1712 wrote to memory of 1620 1712 Onbddoog.exe 35 PID 1712 wrote to memory of 1620 1712 Onbddoog.exe 35 PID 1620 wrote to memory of 2732 1620 Oqqapjnk.exe 36 PID 1620 wrote to memory of 2732 1620 Oqqapjnk.exe 36 PID 1620 wrote to memory of 2732 1620 Oqqapjnk.exe 36 PID 1620 wrote to memory of 2732 1620 Oqqapjnk.exe 36 PID 2732 wrote to memory of 2960 2732 Oelmai32.exe 37 PID 2732 wrote to memory of 2960 2732 Oelmai32.exe 37 PID 2732 wrote to memory of 2960 2732 Oelmai32.exe 37 PID 2732 wrote to memory of 2960 2732 Oelmai32.exe 37 PID 2960 wrote to memory of 1960 2960 Ogjimd32.exe 38 PID 2960 wrote to memory of 1960 2960 Ogjimd32.exe 38 PID 2960 wrote to memory of 1960 2960 Ogjimd32.exe 38 PID 2960 wrote to memory of 1960 2960 Ogjimd32.exe 38 PID 1960 wrote to memory of 1936 1960 Ojieip32.exe 39 PID 1960 wrote to memory of 1936 1960 Ojieip32.exe 39 PID 1960 wrote to memory of 1936 1960 Ojieip32.exe 39 PID 1960 wrote to memory of 1936 1960 Ojieip32.exe 39 PID 1936 wrote to memory of 2200 1936 Omgaek32.exe 40 PID 1936 wrote to memory of 2200 1936 Omgaek32.exe 40 PID 1936 wrote to memory of 2200 1936 Omgaek32.exe 40 PID 1936 wrote to memory of 2200 1936 Omgaek32.exe 40 PID 2200 wrote to memory of 856 2200 Oqcnfjli.exe 41 PID 2200 wrote to memory of 856 2200 Oqcnfjli.exe 41 PID 2200 wrote to memory of 856 2200 Oqcnfjli.exe 41 PID 2200 wrote to memory of 856 2200 Oqcnfjli.exe 41 PID 856 wrote to memory of 2532 856 Oenifh32.exe 42 PID 856 wrote to memory of 2532 856 Oenifh32.exe 42 PID 856 wrote to memory of 2532 856 Oenifh32.exe 42 PID 856 wrote to memory of 2532 856 Oenifh32.exe 42 PID 2532 wrote to memory of 2780 2532 Ocajbekl.exe 43 PID 2532 wrote to memory of 2780 2532 Ocajbekl.exe 43 PID 2532 wrote to memory of 2780 2532 Ocajbekl.exe 43 PID 2532 wrote to memory of 2780 2532 Ocajbekl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5aac2cb27d30f05c2abd682e1a0e7660_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:484 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe27⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe28⤵
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe34⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe38⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe40⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Qeqbkkej.exeC:\Windows\system32\Qeqbkkej.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:476 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe52⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe53⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe56⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe58⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe60⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe63⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe64⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe66⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe68⤵PID:1032
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe69⤵PID:1124
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe70⤵PID:3064
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe71⤵PID:2000
-
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe72⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe74⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe75⤵PID:2476
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe76⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe79⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe80⤵PID:1284
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe81⤵
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1204 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe86⤵PID:3068
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe87⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe90⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe92⤵PID:2388
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe94⤵
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe97⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:272 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe101⤵PID:1276
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe102⤵PID:2188
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe103⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe105⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe106⤵PID:1756
-
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe107⤵
- Drops file in System32 directory
PID:400 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe109⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2276 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe112⤵PID:2820
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe113⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe114⤵PID:832
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe115⤵PID:2292
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe117⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe118⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe119⤵PID:1000
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe120⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:312
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-